Hello
We currently have a setup of a mailserver using Dovecot and self-signed certificates, and a webserver with Roundcube (1.3.6) using RapidSSL certificates, both servers running OpenSUSE. We would like to switch Dovecot to the RapidSSL certs as well so clients won't get warnings, but then Roundcube, as the only client, stops working. The login page just says "Loading" endlessly, and the Roundcube error log says:
IMAP Error: Login failed for langley from <IP address>. Unable to negotiate TLS in /usr/share/php7/Roundcube/rcube_imap.php on line 196 (GET /?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1528381168129)
Depending on what port etc. is set, the line number changes sometimes.
Dovecot's IMAP log shows something similar:
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=<IP address>, lip=<different IP address>, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<UO8L+gxuQMKC4mgi>
So from what I can understand, our certificate cannot be verified, but we have the intermediate certificate configured, so I don't get it.
Our Dovecot SSL config is:
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ca-certificates/company.com.crt
ssl_key = </etc/ca-certificates/company.com.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/ca-certificates/intermediate.crt
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
ssl_options = no_compression
Roundcube's IMAP config:
$config['default_host'] = 'tls://imap.company.com';
// TCP port used for IMAP connections
//$config['default_port'] = 993;
$config['default_port'] = 993;
// IMAP connection timeout, in seconds. Default: 0 (no limit)
$config['imap_timeout'] = 300;
//$config['default_port'] = 143;
// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => true,
        'cafile' => '/etc/ca-certificates/intermediate.crt',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        'ssl_cert' => '/etc/ca-certificates/company.com.crt',
        'ssl_key' => '/etc/ca-certificates/company.com.key',
        // probably optional parameters
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'peer_name' => 'imap.company.com'
    ),
);
I have tried adding 'verify_depth' => 10 with no difference.
As mentioned, other clients (Evolution, Thunderbird, Tine20) work fine, and using gnutls I get the correct certificate from the Dovecot server.
I'm really scratching my head over this certificate stuff, so any help is appreciated.
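Added example, not part of the original post and not Dovecot or Roundcube code: a shell script that uses the openssl CLI to build a throwaway root -> intermediate -> server chain (the names Example Root, Example Intermediate and imap.example.test, and the temporary work directory, are assumptions for the demo) and then runs openssl verify under the combinations of client trust store and server-sent chain that matter for the error above. Case 1 is what a client whose cafile holds only the intermediate sees: OpenSSL does not use a certificate that is not self-signed as a trust anchor unless the verifier explicitly allows partial chains (PHP's stream context does not), so chain building fails and it is the client that sends the "unknown ca" alert (alert 48), which the server side then logs from SSL_accept(). Case 4 is the combination that verifies: the client trusts the root (or the system CA bundle) and the server presents the leaf followed by the intermediate, which for Dovecot means the ssl_cert file itself contains both certificates (the comment in the config above already notes that ssl_ca is only for verifying client certificates).

```sh
#!/bin/sh
# Added example, not code from the original post or from Dovecot/Roundcube.
# Builds a throwaway root -> intermediate -> leaf chain with openssl and
# checks which trust-store / sent-chain combinations verify. The names
# (Example Root, Example Intermediate, imap.example.test) and $WORK are
# assumptions for the demo, not the poster's real certificates.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section (subjects come from -subj)
# plus the extensions that make a CA a CA and a leaf a server cert.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF

# Generate root, intermediate and leaf once. fullchain.pem is what a
# Dovecot ssl_cert file should contain (server cert first, then the
# intermediate) so that the server presents the whole chain to clients.
build_chain() {
  [ -f "$WORK/fullchain.pem" ] && return 0
  (
    cd "$WORK"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
      -extensions ca_ext -subj "/CN=Example Root" \
      -keyout root.key -out root.crt >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=Example Intermediate" -keyout int.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions ca_ext -out int.crt >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=imap.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -extfile demo.cnf -extensions leaf_ext -out leaf.crt >/dev/null 2>&1
    cat leaf.crt int.crt > fullchain.pem
  )
}

# verify_leaf TRUST UNTRUSTED [extra openssl verify flags]
# TRUST plays the role of the client's trust store (PHP's 'cafile');
# UNTRUSTED is what the server sent besides the leaf (empty = nothing).
# Prints "ok" or "fail" and returns 0 / 1 accordingly.
verify_leaf() {
  trust="$1"; untrusted="$2"; shift 2
  if [ -n "$untrusted" ]; then
    set -- -untrusted "$WORK/$untrusted" "$@"
  fi
  if openssl verify -CAfile "$WORK/$trust" "$@" "$WORK/leaf.crt" 2>/dev/null \
       | grep -q ': OK$'; then
    echo ok; return 0
  fi
  echo fail; return 1
}

run_demo() {
  build_chain
  # 1. Trust store holds only the intermediate: it is not a trust anchor,
  #    the chain cannot be completed, the client raises "unknown ca".
  echo "intermediate only as trust store:      $(verify_leaf int.crt '')"
  # 2. Same store, but the verifier allows partial chains (shown for
  #    contrast; PHP's stream context does not offer this).
  echo "intermediate only, -partial_chain:     $(verify_leaf int.crt '' -partial_chain)"
  # 3. Root trusted, but the server sent no intermediate.
  echo "root trusted, intermediate not sent:   $(verify_leaf root.crt '')"
  # 4. Root trusted and the server sends leaf + intermediate.
  echo "root trusted, full chain sent:         $(verify_leaf root.crt fullchain.pem)"
}

run_demo
```

Run it with sh; it needs only openssl and mktemp and writes into a fresh temporary directory. The equivalent check against a live server is openssl s_client -connect host:993 -CAfile root-or-bundle.pem, which should print Verify return code: 0 (ok) and list the intermediate in the certificate chain it received; a chain that stops at the server certificate means the server is not sending the intermediate.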