Author Topic: Issues with dovecot imaps over tls

Tecktron
« on: November 22, 2015, 01:51:56 PM »
I need some help, I've basically tried everything I have found, but with no luck.
It seems that I cannot connect to Dovecot with Roundcube using a tls connection.
I can connect/send/receive mail just fine with Thunderbird.
I can also connect to Dovecot and authenticate using this command:
openssl s_client -connect localhost:993
The last line of the output reads:
Code:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
I can then proceed to send an AUTH command etc.

What happens? When I try and log in (or use the test page in the installer) I end up at a 504 Gateway Time-out page.
It seems that something is just giving up or timing out somewhere along the line.

The Googles have not helped. Most suggest errors in the default host, however, I've tried many combinations as listed below.
Others have suggested there may be a PHP5.6 SSL thing going on, but I have set the openssl.capath to "/etc/ssl/certs/" in my php.ini file (and I've confirmed my certs are in that dir, but I'm not sure the full extent of how to test that, the basic example script in the PHP docs worked).
So I'm kind of at a loss.

The system:
Ubuntu 15.04,
apt installed Dovecot,
apt installed Postfix,
apt installed PHP5 (PHP 5.6.4-4ubuntu6.3),
apt installed NGINX (1.6.2 (Ubuntu)),
apt installed mariadb (Ver 15.1 Distrib 10.0.20-MariaDB),
ViMbAdmin V3.0.12 downloaded from github.
Roundcube install is latest (v1.1.3) full package downloaded from Roundcube site.

Settings from Thunderbird are IMAP domain.com port 993 SSL/TLS connection (not STARTTLS) with Normal authentication.

(Please note that I'll be using "domain.com" to replace my real domain name)

I have tried the following for default host:
Code:
tls://localhost
tls://domain.com
tls://localhost:993
tls://domain.com:993
// The rest of these fail fast since they are rejected by dovecot
ssl://localhost
ssl://domain.com
localhost
domain.com

Here is my roundcube config:
Code:
<?php
$config['db_dsnw'] = 'mysql://roundcube:(removed)@localhost/roundcube';
$config['debug_level'] = 13;
$config['smtp_log'] = true;
$config['log_logins'] = true;
$config['log_session'] = true;
$config['sql_debug'] = true;
$config['imap_debug'] = true;
$config['ldap_debug'] = true;
$config['smtp_debug'] = true;
$config['default_host'] = 'tls://localhost';
$config['default_port'] = 993;
$config['smtp_server'] = 'tls://localhost';
$config['smtp_port'] = 465;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['des_key'] = 'somerandomstring';
// this seems to be the cake of lies, seems I must always use full email address or username doesn't show up in the sql log
//$config['username_domain'] = 'domain.com';
$config['identities_level'] = 3;
$config['language'] = 'en_US';
$config['spellcheck_engine'] = 'pspell';
$config['mime_param_folding'] = 1;
$config['plugins'] = array('debug_logger');
// for current debugging
$config['enable_installer'] = true;

Here is the error I get from the roundcube error log:
Code:
[22-Nov-2015 13:10:25 -0500]: <h38qp510> IMAP Error: Login failed for testuser@domain.com from {Edit: IP Removed}. Empty startup greeting (localhost:993) in /opt/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /mail/?_task=login?_task=login&_action=login)

roundcube sql log:
Code:
[22-Nov-2015 13:05:39 -0500]: <h38qp510> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'h38qp5104bdohajftut97qokp2';
[22-Nov-2015 13:05:39 -0500]: <h38qp510> [2] UPDATE `session` SET `changed` = now(), `vars` = '{Edited}==' WHERE `sess_id` = 'h38qp5104bdohajftut97qokp2';
[22-Nov-2015 13:09:25 -0500]: <h38qp510> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'h38qp5104bdohajftut97qokp2';
[22-Nov-2015 13:09:25 -0500]: <h38qp510> [2] DELETE FROM `session` WHERE `sess_id` = 'h38qp5104bdohajftut97qokp2';
[22-Nov-2015 13:09:25 -0500]: <h38qp510> [3] SELECT * FROM `users` WHERE `mail_host` = 'localhost' AND `username` = 'testuser@domain.com';
[22-Nov-2015 13:10:25 -0500]: <h38qp510> [4] INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('h38qp5104bdohajftut97qokp2', '{Edited}=', '{Edited, IP Removed}', now(), now());

userlogin log is empty

Here is the dovecot debug log:
Code:
Nov 22 13:09:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Nov 22 13:09:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Nov 22 13:09:25 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
Nov 22 13:09:25 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
Nov 22 13:09:25 imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [127.0.0.1]
Nov 22 13:09:25 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 22 13:09:25 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Nov 22 13:09:25 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 22 13:09:25 auth: Debug: auth client connected (pid=24450)

Dovecot info log:
Code:
Nov 22 13:10:25 imap-login: Info: Disconnected (no auth attempts in 60 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: Disconnected, session=<TYbRBSUlzgB/AAAB>

nginx error log:
Code:
2015/11/22 13:10:25 [error] 2731#0: *4505 upstream timed out (110: Connection timed out) while reading response header from upstream, client:{Edited IP Address}, server: domain.com, request: "POST /mail/?_task=login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: "domain.com", referrer: "https://domain.com/mail/"

If there is anything else I can provide, please let me know.
Thank you in advance for your time and help.
« Last Edit: December 03, 2015, 10:15:45 PM by Tecktron »
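
Added example, not part of the original post: in Roundcube the `tls://` prefix selects STARTTLS, where the client waits for a plaintext greeting before upgrading, while `ssl://` performs the TLS handshake first, which is what `openssl s_client` and Thunderbird's SSL/TLS setting do on port 993. This Python probe reports which of the two a port expects, and separates a certificate rejection from a silent port. The function names are hypothetical, and the TLS path assumes the server certificate validates against the system CA store or the `cafile` you pass.

```python
import socket
import ssl


def read_greeting(host, port, implicit_tls, timeout=5.0, cafile=None):
    """Return the server's first line, or None if nothing arrives in time.

    implicit_tls=True  -> TLS handshake first, then read (ssl:// behaviour)
    implicit_tls=False -> read the plaintext greeting first, as a STARTTLS
                          client does before it sends STARTTLS
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        conn = raw
        if implicit_tls:
            # Default context verifies the chain and the hostname.
            ctx = ssl.create_default_context(cafile=cafile)
            conn = ctx.wrap_socket(raw, server_hostname=host)
        try:
            data = conn.recv(4096)
        except socket.timeout:
            return None  # silent server: the "Empty startup greeting" case
        finally:
            if conn is not raw:
                conn.close()
    return data.decode("ascii", "replace").strip() or None


def classify(host, port, timeout=5.0, cafile=None):
    """Describe which connection mode the port expects."""
    if read_greeting(host, port, False, timeout) is not None:
        return "plaintext greeting: port expects STARTTLS or no TLS"
    try:
        greeting = read_greeting(host, port, True, timeout, cafile)
    except ssl.SSLCertVerificationError as exc:
        return f"implicit TLS, but certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return f"no plaintext greeting and TLS failed: {exc}"
    return f"implicit TLS (ssl://), greeting: {greeting}"


if __name__ == "__main__":
    # Host and port taken from the post; run on the mail server itself.
    print(classify("localhost", 993))
```

A "certificate rejected" result when probing `localhost` points at a hostname mismatch between the name used to connect and the names in the certificate, which PHP 5.6 also verifies by default.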