Topic: Add support for IMAPS on Dovecot

chris01 (Jr. Member)
Add support for IMAPS on Dovecot
« on: November 11, 2018, 10:01:18 PM »
Any plans to provide IMAPS support with Dovecot?
I've just spent the last couple of days attempting to get RC running on our mailserver
that runs Dovecot. Only IMAPS is supported on our server(s) (port 993).
But regardless of *how* I configure RC to talk to DC, RC fails to provide USER/PASS
to DC.
I enabled DEBUG on both DC and RC.
Following is the output of only one of about 100 DC sessions where RC was asked to log in:
Code:
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [::1]
Nov 11 18:17:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Nov 11 18:17:22 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 11 18:17:22 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 11 18:17:22 auth: Debug: auth client connected (pid=38196)
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [::1]
Nov 11 18:17:22 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [::1]
Nov 11 18:17:22 imap-login: Debug: SSL alert: close notify [::1]
Nov 11 18:17:22 imap-login: Debug: SSL alert: close notify [::1]
Nov 11 18:17:22 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS, session=<NbQiTW56kmIAAAAAAAAAAAAAAAAAAAAB>

And here's from my last attempt:
Code:
Nov 11 18:21:02 auth: Debug: auth client connected (pid=38338)
Nov 11 18:21:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [::1]
Nov 11 18:21:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [::1]
Nov 11 18:21:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [::1]
Nov 11 18:22:12 imap-login: Debug: SSL error: Disconnected
Nov 11 18:22:12 imap-login: Info: Disconnected (no auth attempts in 70 secs): user=<>, rip=::1, lip=::1, TLS handshaking: Disconnected, session=<t2JsXm56waEAAAAAAAAAAAAAAAAAAAAB>

Relevant RC config bits for the above session:
Code:
$config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 993;

I know this to be an RC, not a DC, issue, because we've already run some 16 other webmail
clients with DC on port 993 with no trouble at all.

OH! forgot to mention:
RC 1.3.8
DC: 2.2

Thanks for all your time, and consideration.

--Chris
« Last Edit: November 11, 2018, 10:12:51 PM by chris01 »

chris01 (Jr. Member)
Re: Add support for IMAPS on Dovecot
« Reply #1 on: November 11, 2018, 10:47:14 PM »
OK, appears I've already had to deal with this before. The suggested solution was to use:
Code:
$config['default_host'] = 'ssl://<FQDN>:993';
But this doesn't seem to work, as it (RC) sends <USERNAME>@<FQDN>,
which fails because our system (and Dovecot) expect <USERNAME> only.
Yet RC insists on having a valid cert.
Any possibilities for RC under these circumstances?

Thanks!

--Chris

chris01 (Jr. Member)
Re: Add support for IMAPS on Dovecot
« Reply #2 on: November 11, 2018, 11:52:33 PM »
Looks like I'll need to get a valid cert for localhost
Does anyone know of a Certificate Authority that will grant a CSR for localhost?

Thanks! :)

--Chris

JohnDoh (Global Moderator)
Re: Add support for IMAPS on Dovecot
« Reply #3 on: November 12, 2018, 02:45:32 AM »
PHP has had certificate validation enabled by default since version 5.6. You can use the `imap_conn_options` in Roundcube to disable this. Something like:
Code:
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
  ),
);
You could also use this option to tell PHP how to correctly validate the cert. Using encrypted connections when connecting to localhost is overkill, though, so you should also consider allowing plain IMAP connections this way.

As for the username, IIRC Roundcube only adds a domain automatically if the config option `username_domain` is set.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…
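An added illustration of the two routes JohnDoh describes, written for this thread and not taken from Roundcube's own code or from any post above: the weak fix that switches peer verification off, beside the one that keeps verification on and tells PHP which name and which CA bundle to check. Two things the first post's logs line up with: a TLS handshake that completes and is then closed with "no auth attempts in 0 secs" is what a client-side certificate check failing after the handshake looks like (PHP compares the certificate name against the host part of `default_host`, so a cert for the FQDN does not match `ssl://localhost`), and the 70-second stall at "read client hello" with `default_host = 'localhost'` and port 993 but no `ssl://` prefix is a plaintext IMAP connection to the TLS port, with Roundcube waiting for a greeting while Dovecot waits for a ClientHello. The FQDN `mail.example.org` and the CA bundle path are assumptions; substitute your own.

```php
<?php
// Added example for Roundcube's config/config.inc.php (not from the thread or the project).
// Assumptions: Dovecot's certificate is issued for mail.example.org by a CA whose bundle
// is at /usr/local/etc/ssl/cert.pem (a FreeBSD ca_root_nss location); adjust both.

// WEAK: disables certificate and hostname checks entirely. Anything that answers on
// port 993 along the path is accepted, so this is only defensible when the socket
// really goes to loopback and nothing else. Kept here only for contrast.
// $config['default_host'] = 'ssl://localhost';
// $config['default_port'] = 993;
// $config['imap_conn_options'] = array(
//   'ssl' => array(
//     'verify_peer'      => false,
//     'verify_peer_name' => false,
//   ),
// );

// BETTER: keep PHP's default verification and say what to verify against.
// The socket can still be opened to localhost; 'peer_name' is the name PHP checks in the
// certificate instead of the host part of default_host, so a cert issued for the FQDN
// passes even though the TCP connection goes to ::1 / 127.0.0.1.
$config['default_host'] = 'ssl://localhost';   // ssl:// is what selects IMAPS on 993
$config['default_port'] = 993;
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'peer_name'         => 'mail.example.org',             // assumed: name on the cert
    'cafile'            => '/usr/local/etc/ssl/cert.pem',  // assumed: CA bundle path
    'verify_depth'      => 3,
  ),
);

// Keep the login name exactly as typed; Dovecot in this setup expects a bare username.
$config['username_domain'] = null;
```

The same array shape applies to `smtp_conn_options` if the SMTP side is also TLS-only. Before touching Roundcube, confirm what PHP will see with `openssl s_client -connect localhost:993 -servername mail.example.org -CAfile /usr/local/etc/ssl/cert.pem` and check that `Verify return code` is 0 and the subject or SAN contains the FQDN; if that fails, no `imap_conn_options` setting short of `verify_peer => false` will make the login proceed.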

chris01 (Jr. Member)
Re: Add support for IMAPS on Dovecot
« Reply #4 on: November 12, 2018, 02:08:33 PM »
Flipping brilliant, JohnDoh!
Thanks for the reply. These were just the clues I think I needed to make this work!

BUT, using:

RC (relevant) settings:
Code:
$config['default_host'] = 'ssl://myvalid.domain';
$config['default_port'] = 993;
$config['username_domain'] = null;
// automatically create a new Roundcube user when log-in the first time.
// a new user will be created once the IMAP login succeeds.
// set to false if only registered users can use this service
$config['auto_create_user'] = false;

DC log:
Code:
Nov 12 10:28:15 imap-login: Debug: SSL alert: close notify [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [000.111.222.333]
Nov 12 10:29:34 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Nov 12 10:29:34 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 12 10:29:34 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 12 10:29:34 auth: Debug: auth client connected (pid=63360)
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [000.111.222.333]
Nov 12 10:29:34 auth: Debug: client in: AUTH 1 PLAIN service=imap secured no-penalty session=NhT/4Xt6QvgYcSlR lip=000.111.222.333 rip=000.111.222.333 lport=993 rport=63554 local_name=myvalid.domain resp=AGNocmlzLmgAMDkwNDU3YXNY (previous base64 data may contain sensitive data)
Nov 12 10:29:34 auth-worker(63363): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Nov 12 10:29:34 auth-worker(63363): Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 12 10:29:34 auth-worker(63363): Debug: pam(MYUSERNAME,000.111.222.333,<NhT/4Xt6QvgYcSlR>): lookup service=dovecot
Nov 12 10:29:34 auth-worker(63363): Debug: pam(MYUSERNAME,000.111.222.333,<NhT/4Xt6QvgYcSlR>): #1/1 style=1 msg=Password for MYUSERNAME@host.myvalid.domain:
Nov 12 10:29:34 auth: Debug: client passdb out: OK 1 user=MYUSERNAME
Nov 12 10:29:34 auth: Debug: master in: REQUEST 3761897473 63360 1 b3d176ad969d7c342e65320d9730ca24 session_pid=63364 request_auth_token
Nov 12 10:29:34 auth-worker(63363): Debug: passwd(MYUSERNAME,000.111.222.333,<NhT/4Xt6QvgYcSlR>): lookup
Nov 12 10:29:34 auth: Debug: master userdb out: USER 3761897473 MYUSERNAME system_groups_user=MYUSERNAME uid=1001 gid=0 home=/home/MYUSERNAME auth_token=27bdba3943c0939976aba5045ebb1d3a32c294cf
Nov 12 10:29:34 imap-login: Info: Login: user=<MYUSERNAME>, method=PLAIN, rip=000.111.222.333, lip=000.111.222.333, mpid=63364, TLS, session=<NhT/4Xt6QvgYcSlR>
Nov 12 10:29:34 imap(MYUSERNAME): Info: Logged out in=29 out=522
Nov 12 10:29:34 imap-login: Debug: SSL alert: close notify [000.111.222.333]
Nov 12 10:29:34 imap-login: Debug: SSL alert: close notify [000.111.222.333]

RC imap log:
Code:
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] IMAPS ready.
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] C: A0001 ID ("name" "Roundcube" "version" "1.3.8" "php" "7.2.3" "os" "FreeBSD" "command" "/?_task=login")
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: * ID ("name" "Dovecot")
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: A0001 OK ID completed.
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] C: A0002 AUTHENTICATE PLAIN ****** [25]
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY SPECIAL-USE] Logged in
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] C: A0003 NAMESPACE
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: * NAMESPACE (("" "/")) NIL NIL
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: A0003 OK Namespace completed (0.001 + 0.000 secs).
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] C: A0004 LOGOUT
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: * BYE Logging out
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> [6A5C] S: A0004 OK Logout completed (0.001 + 0.000 secs).

RC error log:
Code:
[12-Nov-2018 10:29:34 -0800]: <h5mljn9a> PHP Error: Access denied for new user MYUSERNAME. 'auto_create_user' is disabled in /usr/local/www/rc138/program/include/rcmail.php on line 662 (POST /?_task=login&_action=login)
Based on $config['auto_create_user'] = false; (above), I would have guessed this to mean
NOT to tell the SYSTEM to create a user, but to only permit LOGIN if the USER already existed in
the SYSTEM. Am I wrong?

OH, and yes, using a CERT against localhost / an IMAP(S) server authenticating against
a local system is overkill. But it has proven to (better) thwart / confound the
repeated attempts to undermine or otherwise abuse the IMAPS/MX, and it hasn't resulted in
any troubles using other webmail applications. ;)

Thanks again!

--Chris

chris01 (Jr. Member)
Re: Add support for IMAPS on Dovecot
« Reply #5 on: November 12, 2018, 03:40:52 PM »
Well. I can finally log in against a setting of:
Code:
$config['default_host'] = 'ssl://<FQDN>';
$config['default_port'] = 993;
$config['username_domain'] = null;
$config['auto_create_user'] = true;
But, while all my folders show up, NONE of them have anything in them.
My guess is that RC is confused about logging into a FQDN, but everything is coming from localhost,
which also probably accounts for the fact that I had to switch auto_create_user to TRUE.

I'm not sure RC is going to work for us. Well, I suppose it could. But it's clearly going to need many
configuration changes.  :-\

Thank you again, JohnDoh, for taking the time to give me the necessary "clues". :)

--Chris

SKaero (Administrator, http://SKaero.com/)
Re: Add support for IMAPS on Dovecot
« Reply #6 on: November 12, 2018, 04:39:53 PM »
The "auto_create_user" setting only creates the user record in the Roundcube database which is used to store user preferences and contacts. If you don't see any email that likely means your mail server isn't returning any email. Enable imap_debug to see what your mail server is telling Roundcube.