Roundcube 1.5.2 won't go into TLS mode even when STARTTLS offered

[ekgermann]

I have an installation (1.5.2) running on Cyrus IMAPD v2.4.22-Fedora-RPM-2.4.22-1.amzn2.0.1 on Centos 6 (yes, I know it's out of support and no more updates).  I'm using Let's Encrypt certificates, but OpenSSL tosses an error since the Root CA for current LE certs is not in the ca-certificates.

I fixed the error being thrown by turning verifiy_peer and verify_peer_name to false.  My Mac and iOS devices drop in to TLS mode just fine.  HOwever, Roundcube won't drop in to TLS mode, even though it is offered in the opening line of the response from the IMAP daemon.  tcpdump on port 143 shows it all in clear text.

My config looks like this:

$config['default_host'] = 'tls://imap.example.com';
$config['default_port'] = 143;

// For STARTTLS IMAP
$config['imap_conn_options'] = array(
        'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        // certificate is not self-signed if cafile provided
        // 'allow_self_signed' => false,
        // 'cafile'  => '/webs/noc2.example.com/data/certs/isrg-root-x1-cross-signed.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        'ssl_cert' => '/webs/noc2.example.com/data/certs/imap.example.com.crt',
        'ssl_key'  => '/webs/noc2.example.com/data/certs/imap.example.com.key',
        // probably optional parameters
        // 'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        // 'peer_name'         => 'mail.my_domain.org',
     ),
 );

imapd.log shows STARTTLS for the Apple clients so I know that STARTTLS is working.

Any leads on what I'm doing wrong?

[JohnDoh]

are you sure you are using the correct port, that you don't want 993?

[ekgermann]

Answering my own question is bad form, I know but here it is.

For IMAP, leave the "default_host" without tls://. Adding tls:// seems to make it not honor TLS (??)

For SMTP, add tls:// to the "smtp_server".  This seems to make it honor the request

For Let's Encrypt certs on boxes that fail on their validation of them and can't be updated do the following.

For both in connection options set "verify_peer" and "verify_peer_name" to "false"

Add the CA cert as "cafile"..  It can be found here (https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem)

I left all other SSL options as their defaults.

-------------------------

For google,

// Seems to drop in to TLS when tls:// is left off and verify* set to false
$config['default_host'] = 'imap.example.com';
$config['default_port'] = 143;

// For STARTTLS IMAP
$config['imap_conn_options'] = array(
        'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        // certificate is not self-signed if cafile provided
        // 'allow_self_signed' => false,
        'cafile'  => '/webs/noc2.example.com/data/certs/isrg-root-x1-cross-signed.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        // 'ssl_cert' => '/webs/noc2.example.com/data/certs/imap.example.com.crt',
        // 'ssl_key'  => '/webs/noc2.example.com/data/certs/imap.example.com.key',
     ),
 );

-----------

// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
// To specify different SMTP servers for different IMAP hosts provide an array
// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']

// $config['smtp_server'] = 'localhost';
$config['smtp_server'] = 'tls://smtp.example.com';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
        'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        // certificate is not self-signed if cafile provided
        // 'allow_self_signed' => false,
        'cafile'  => '/webs/noc2.example.com/data/certs/isrg-root-x1-cross-signed.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        // 'ssl_key'  => '/webs/noc2.example.com/data/certs/smtp.semperen.com.key',
        // ssl_cert => '/webs/noc.example.com/data/certs/fullchain.pem',
     ),
 );

[EndUser]

Not sure why it would be bad form to respond to your own question, especially when it could help someone with the same issue.

That is the case here... I'm not sure why "forcing" TLS on the SMTP config entry works, but it does!

Thanks for updating your thread with this information.

[guihin]

For me this configuration worked well on ubuntu 22.04 with postfix, dovecot, nginx and letsencrypt.
My Postfix ist only offering STARTTLS.

roundcube/config/config.inc.php:

Code: [Select]

# SMTP
$config['smtp_server'] = 'ssl://mail.server.tld';  # maybe localhost works too
$config['smtp_port'] = 465;
$config['smtp_timeout'] = 5;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';
$config['smtp_conn_options'] = [
  'ssl' => [
    'verify_peer' => true,
    'verify_depth' => 3,
    'peer_name' => 'mail.server.tld',
    'cafile' => '/etc/ssl/certs/ca-certificates.crt'
  ],
];