managesieve-plugin closes connection before negotiation

managesieve-plugin closes connection before negotiation

Florian Ruhnke (OiledAmoeba)
Hi,

I do have a running dovecot-sieve installation. There is no problem to
use it with rainloop or Thunderbird. But I can't get roundcube to work
with sieve.
Dovecot forces to initiate TLS before auth. SSL is disabled, only TLS
1.2+ is enabled.

sieve-log of roundcube:
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "IMPLEMENTATION" "Dovecot
Pigeonhole"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SIEVE" "fileinto reject
envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "NOTIFY" "mailto"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SASL" ""
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "STARTTLS"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "VERSION" "1.0"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Doctor, your Tardis is
ready."
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: STARTTLS
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: NO "Error in MANAGESIEVE
command received by server."
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: LOGOUT
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Begin TLS negotiation
now."

maillog (dovecot errors):
Jul 31 16:24:29 mail dovecot: managesieve-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=10.23.102.80, lip=10.23.102.251, TLS
handshaking: SSL_accept() failed: error:1408F10B:SSL
routines:ssl3_get_record:wrong version number,
session=<rbUW4vqOC+MKF2ZQ>

managesieve config.inc.php:
$config['managesieve_port'] = 4190;
$config['managesieve_host'] = 'mail.domain.tld';
$config['managesieve_auth_type'] = 'PLAIN';
$config['managesieve_auth_cid'] = null;
$config['managesieve_auth_pw'] = null;
$config['managesieve_usetls'] = true;
//$config['managesieve_conn_options'] = null;
$config['managesieve_conn_options'] = array(
  'ssl' => array(
  'verify_peer' => true,
  'verify_peer_name' => true,
  'allow_self_signed' => false,
  ),
);
$config['managesieve_default'] = '/etc/dovecot/sieve/global';
$config['managesieve_script_name'] = 'managesieve';
$config['managesieve_mbox_encoding'] = 'UTF-8';
$config['managesieve_replace_delimiter'] = '';
$config['managesieve_disabled_extensions'] = array();
$config['managesieve_debug'] = true;
$config['managesieve_kolab_master'] = false;
$config['managesieve_filename_extension'] = '.sieve';
$config['managesieve_filename_exceptions'] = array();
$config['managesieve_domains'] = array();
$config['managesieve_vacation'] = 1;
$config['managesieve_vacation_interval'] = 0;
$config['managesieve_vacation_addresses_init'] = false;
$config['managesieve_vacation_from_init'] = false;
$config['managesieve_notify_methods'] = array('mailto');
$config['managesieve_raw_editor'] = true;

The dovecot-log looks like roundcube is trying to initiate SSL3 but this
is disabled. I think "Error in MANAGESIEVE command received by server."
has to do with the deactivated SSL.

Connecting to dovecot manually with gnutls-cli --starttls -p 4190
mail.domain.tld:
Processed 306 CA certificate(s).
Resolving 'mail.domain.tld:4190'...
Connecting to '<IP>:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Doctor, your Tardis is ready."
NO "Error in MANAGESIEVE command received by server."
STARTTLS
OK "Begin TLS negotiation now."
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
  - subject `CN=mail.domain.tld', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x03c0d3d322307e5a997f654b435b56480773,
RSA key 4096 bits, signed using RSA-SHA256, activated `2019-06-06
09:18:10 UTC', expires `2019-09-04 09:18:10 UTC',
pin-sha256="8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4="
         Public Key ID:
                 sha1:62b08cf75ae6c45915db8d8c7bff6947788ac3b2
                 sha256:f12975ee55b1598489713729a501b80cb4818443ffb91919e4d4d07dd924a12e
         Public Key PIN:
                 pin-sha256:8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4=

- Certificate[1] info:
  - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer
`CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using
RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17
16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description:
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" "PLAIN LOGIN"
"VERSION" "1.0"
OK "TLS negotiation successful."
LOGOUT
OK "Logout completed."
- Peer has closed the GnuTLS connection

So, what do I have to do to get roundcube to talk to sieve?
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users

Re: managesieve-plugin closes connection before negotiation

Vincent Van Houtte

Hi Florian,

Interested in this as well.

Looking through my config, I remember I did not find a working config to set up authentication, so I just set it to 'none' and blocked the 4190 port in my firewall (Dovecot and Apache/Roundcube are on the same box). This of course blocks other MUA's as well.

My roundcube configuration is at version 1.4b - yours?

Kr,

Vincent


On 2019-07-31 17:14, Florian Ruhnke (OiledAmoeba) wrote:

Hi,

I do have a running dovecot-sieve installation. There is no problem to use it with rainloop or Thunderbird. But I can't get roundcube to work with sieve.
Dovecot forces to initiate TLS before auth. SSL is disabled, only TLS 1.2+ is enabled.



--
Vincent Van Houtte


Re: managesieve-plugin closes connection before negotiation

Florian Ruhnke (OiledAmoeba)

Hi,


I've got it to work.

The sieve-setup in roundcube was correct but I missed some little thing in the dovecot-config. I forgot to tell dovecot-sieve that the mailserver resides behind a proxy. dovecot itself knows about that but the sieve-plugin does not. So I added "haproxy = yes" to 20-managesieve.conf, reloaded, and roundcube is working well with sieve (including authentication).

inet_listener sieve {
  port = 4190
  haproxy = yes
}

I'm on FreeBSD-12.0 and using roundcube from binary packages, so my roundcube is on 1.3.9,1

Greets
Florian

On 2019-08-04 09:49, Vincent Van Houtte wrote:

Hi Florian,

Interested in this as well.

Looking through my config, I remember I did not find a working config to set up authentication, so I just set it to 'none' and blocked the 4190 port in my firewall (Dovecot and Apache/Roundcube are on the same box). This of course blocks other MUA's as well.

My roundcube configuration is at version 1.4b - yours?

Kr,

Vincent




--
Vincent Van Houtte


