Author Topic: TLS connection problems with SMTP and IMAP  (Read 1719 times)

Offline xk4l23

  • Newbie
  • *
  • Posts: 1
TLS connection problems with SMTP and IMAP
« on: January 07, 2017, 01:10:02 PM »
Hello,

I have installed postfix and dovcot which is configured using the TLS configuration examples from https://cipherli.st/ Receiving and sending mails with Thunderbird and K-9 Mail for Android is working. I am using Roundcube 1.2.3

Unfortunately I am not able to get Roundcube connected to postfix and dovecot. The configurations looks like the following

Dovecot config (https://cipherli.st/)
Code: [Select]
ssl = yes
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 4096

Postfix config (https://cipherli.st/)
Code: [Select]
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH

Roundcube config
Code: [Select]
// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
      'verify_peer'       => true,
      // certificate is not self-signed if cafile provided
      'allow_self_signed' => false,
      'cafile'  => '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
      // probably optional parameters
      'ciphers' => 'AES128+EECDH:AES128+EDH:!aNull:@STRENGTH',
      'peer_name'         => 'mydomain.com',
    ),
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
      'verify_peer'       => true,
      // certificate is not self-signed if cafile provided
      'allow_self_signed' => false,
      'cafile'  => '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
      // probably optional parameters
      'ciphers' => 'AES128+EECDH:AES128+EDH:!aNull:@STRENGTH',
      'peer_name'         => 'mydomain.com',
    ),
);

When testing the connection with the Roundcube installer, I get the following errors at the Installer and in the log files:

Roundcube Installer Test IMAP config:
IMAP connect:  NOT OK(Login failed for me@the.net from 178.255.154.43. Unable to negotiate TLS)

dovecot.log:
Code: [Select]
Jan 07 17:28:10 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: Disconnected, session=<Y2RcdYRFwtUAAAAAAAAAAAAAAAAAAAAB>

Roundcube Installer Test SMTP config:
(timeout)

Systemlog
Code: [Select]
Jan 07 17:33:23 mail postfix/smtpd[2750]: connect from localhost.localdomain[127.0.0.1]
Jan 07 17:34:23 mail postfix/smtpd[2750]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
Jan 07 17:34:23 mail postfix/smtpd[2750]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Jan 07 17:34:23 mail postfix/smtpd[2750]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Jan 07 17:34:23 mail postfix/smtpd[2750]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

Any ideas, how I have to configure the ciphers of imap_conn_options and smtp_conn_options? I would like to avoid lowering the TLS settings of dovecot and postfix, as they are accessible via Internet also.