I have issues getting STARTTLS to work using a Let's Encrypt certificate, on Debian with Roundcube version 1.2.3 and PHP 7.
I found this, http://www.roundcubeforum.net/index.php?topic=22035.0 , but it's not working unless I specify verify_peer = false.
"mail.mydomain.com" is replacing my real FQDN.
caBundle.crt contains the Let's Encrypt private key and public certificate. I've copied the cafile to /etc/ssl/certs/
$config['imap_conn_options'] = array(
    'ssl' => array(
        'peer_name'        => 'mail.mydomain.com',
        'verify_peer_name' => true,
        'capath'           => '/etc/ssl/certs/',
        'local_cert'       => '/etc/roundcube/caBundle.crt',
        'verify_peer'      => true,
    ),
);
On the mail server itself, I (still) get this error:
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.25, lip=192.168.10.21, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<70O/7LNahp/AqAoZ>
SSL for Dovecot IMAP is configured like so:
grep -P '^ssl' conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/mail_mydomain.crt
ssl_key = </etc/dovecot/private/insecure_ca.key
ssl_ca = </etc/dovecot/ca.crt
ssl_dh_parameters_length = 4096
ssl_protocols = TLSv1.1 TLSv1.2
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
For SMTP, I get this error, with the same config as above, but of course changed to $config['smtp_conn_options'] from $config['imap_conn_options']:
postfix/submission/smtpd[25198]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:
In the error log from Roundcube I get this:
PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1017
[04-Oct-2017 11:04:51 +0200]: <kefunb8f> IMAP Error: Login failed for xxxx from 192.168.10.24(X-Real-IP: x.x.x.x,X-Forwarded-For: x.x.x.x). Unable to negotiate TLS in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
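As an added diagnostic (not from the poster, Roundcube or Dovecot), the script below performs the same IMAP STARTTLS handshake that Roundcube does, with peer verification switched on and `cafile` pointing at Debian's system CA bundle, and prints either the certificate the server presented or the OpenSSL error behind "certificate verify failed". It assumes the placeholder host mail.mydomain.com, port 143, and the path /etc/ssl/certs/ca-certificates.crt.

```php
<?php
// Added diagnostic: reproduce Roundcube's IMAP STARTTLS handshake from the CLI
// with a verifying SSL context, so the failure can be inspected outside webmail.
$host = 'mail.mydomain.com';   // assumed: the same FQDN used as peer_name
$port = 143;                   // IMAP STARTTLS port (assumed); 587 for submission

// The ssl context options Roundcube passes to stream_context_create(), without
// 'local_cert': in PHP that option supplies a *client* certificate plus private
// key to the server for client authentication; it is not a trust anchor.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'peer_name'         => $host,
    'cafile'            => '/etc/ssl/certs/ca-certificates.crt', // assumed Debian bundle
    'capture_peer_cert' => true,  // keep the server cert so we can print it
]]);

$errno = 0; $errstr = '';
$fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
if (!$fp) { fwrite(STDERR, "connect failed: $errstr ($errno)\n"); exit(1); }

echo 'S: ' . fgets($fp);                 // plaintext server greeting
fwrite($fp, "a1 STARTTLS\r\n");
$line = fgets($fp);
echo "S: $line";
if (strpos($line, 'a1 OK') !== 0) { fwrite(STDERR, "STARTTLS refused\n"); exit(1); }

// Capture the OpenSSL error text instead of only seeing a generic PHP warning.
set_error_handler(function ($no, $msg) { fwrite(STDERR, "TLS: $msg\n"); return true; });
$ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
restore_error_handler();

if ($ok !== true) {
    fwrite(STDERR, "handshake failed: server chain not trusted or name mismatch\n");
    exit(1);
}

// Show which certificate the server actually presented and who issued it.
$params = stream_context_get_params($fp);
$cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
printf("OK: subject CN=%s, issuer CN=%s, expires %s\n",
       $cert['subject']['CN'], $cert['issuer']['CN'],
       date('Y-m-d', $cert['validTo_time_t']));
fwrite($fp, "a2 LOGOUT\r\n");
fclose($fp);
```

If the handshake succeeds here but Dovecot still logs "tlsv1 alert unknown ca" when Roundcube connects, compare what differs in the context options, since that alert is sent by the server about a certificate it received.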