roundcube – Getting Roundcube to Work with Dovecot, Postfix, and LetsEncrypt

Tags: dovecot, roundcube

I am trying to get roundcube, dovecot, postfix, and certificates from letsencrypt to all work together on Debian 9.

I installed roundcube using the apt-get command.

When trying to log into roundcube it takes a long time where it says "Loading…" but then does not log me in. The onscreen error says "Connection to storage server failed". Looking in the roundcube error logs I get the following error:

IMAP Error: Login failed for user@example.com from 192.0.2.10. Empty startup greeting (localhost:143) in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)

Running /etc/init.d/dovecot status I get the following:

dovecot[29431]: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() syscall failed: Success, session=<azgn6uptGtgAAAAAAAAAAAAAAAAAAAAB>

I have the following in my config.inc.php:

$config['default_host'] = 'tls://localhost';

and

$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer'      => false,
    'verify_peer_name' => false,
  ),
);

$config['username_domain'] = '%d';

and the following specified in my dovecot 10-ssl.conf file:

ssl = required

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

I also have the following in my 10-master.conf file:

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 143
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

If I do telnet localhost 143 I get:

Trying ::1...
Connected to localhost.
Escape character is '^]'.

I am not sure if I should be getting any more than that.

Frankly, I am not sure where my problem lies or what else to look into. Why am I not able to log into roundcube and where else should I be checking to pinpoint my problem?

Best Answer

TL;DR: You cannot do a customized port configuration and expect standard client settings to work.

Explanations

By setting the following configuration you have configured dovecot to listen using the IMAPS protocol on the IMAP port:

I also have the following in my 10-master.conf file:

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 143
    ssl = yes
  }
}

=> this block disables the clear-text (and TLS-upgradable) "imap" protocol (port = 0) and enables an "imaps" port with a forced initial SSL/TLS handshake on port 143.

Port 143 is however the IANA-assigned port for the IMAP protocol; IMAPS should be on 993 (see /etc/services for port references).

It should be possible to keep this configuration and make dovecot happy, but you will need to tweak all your clients' configurations, as nobody expects this: the default setting for the IMAP port (143) is to allow clear-text communication and an optional TLS upgrade when advertised.

For roundcube to work with this you will need something like this:

$config['default_host'] = 'ssl://fqdn.of.server:143';

or

$config['default_host'] = 'tls://fqdn.of.server:143';

This will instruct roundcube that your imap service expects a pre-encrypted connection over the standard plain-text (143) port.

As for telnet localhost 143, well, you can't use this to test an SSL connection; you will need something like openssl s_client -servername fqdn.of.server -connect localhost:143

Please note that SSL/TLS works with certificates and those certificates work with hostnames, so you can't do an SSL connection over localhost without having some certificate issues.

Recommendations:

While it is possible to tweak the port for every application, many systems (firewalls, default settings, ..) rely on the fact that each application was allocated a specific port.

Working with an imap server using IMAPS on port 143 is possible, but you will encounter various issues depending on clients / networks.

Personally I would recommend against modifying the default operating mode of dovecot, and would remove any tweak of the default inet listener configuration in 10-master.conf.

To enable secure communications for imap/pop, the only needed change in the default dovecot configuration is the one you made in 10-ssl.conf (ssl = required + cert/key).

Reference: https://wiki.dovecot.org/SSL/DovecotConfiguration

Additionally, SSL communication on loopback channels (localhost) isn't really useful; this is why, by default, even with "ssl=required" or "disable_plaintext_auth" active, dovecot considers any connection on the loopback network (ip 127.0.0.1, or client ip identical to server ip) to be secure even without ssl/tls.

So if your roundcube service is on the same host as your dovecot server, the configuration only needs to be:

$config['default_host'] = 'localhost';
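The mismatch the answer describes can be confirmed from the first bytes a port sends. In IMAP the server speaks first, so a plaintext listener greets immediately (and advertises STARTTLS in its capabilities), whereas an implicit-TLS listener waits for the client's ClientHello and a plaintext client reads nothing at all: that silence is Roundcube's "Empty startup greeting", and the same deadlock is what Dovecot logs as a handshake with no auth attempts. The following probe is an added example written for this page, not code from the question, the answer, Roundcube or Dovecot. The classifier and the Roundcube-setting helper are my own; the host name mail.example.com, the ports and the greeting strings in the test are constructed, and the live probe verifies the certificate against the system CA store using the SNI name you pass, which is what the `-servername` option of `openssl s_client` does.

```python
"""Probe an IMAP port to tell plaintext IMAP (STARTTLS-capable) from implicit TLS.

Added example for this page; the diagnosis logic is my own, not Roundcube's.
"""
import socket
import ssl
import sys


def classify_greeting(first_bytes: bytes) -> str:
    """Classify what a server sent, or did not send, right after TCP connect.

    IMAP servers greet first. Nothing at all means the listener is waiting for
    a TLS ClientHello (implicit TLS). A TLS record (handshake 0x16 or alert 0x15
    followed by the 0x03 version byte) means the server answered in TLS.
    """
    if not first_bytes:
        return "no-greeting"
    if first_bytes[:1] in (b"\x16", b"\x15") and first_bytes[1:2] == b"\x03":
        return "tls-record"
    if first_bytes.startswith(b"* OK"):
        # Dovecot puts its capability list in the greeting; STARTTLS in it
        # means the port is plaintext with an optional TLS upgrade.
        if b"STARTTLS" in first_bytes.upper():
            return "plaintext-imap-starttls"
        return "plaintext-imap"
    if first_bytes.startswith(b"* PREAUTH"):
        return "plaintext-imap-preauth"
    return "unknown"


def roundcube_default_host(kind: str, host: str, port: int) -> str:
    """Map the observed port behaviour to a Roundcube default_host value."""
    if kind == "implicit-tls":
        return f"ssl://{host}:{port}"          # TLS before any IMAP traffic
    if kind == "plaintext-imap-starttls":
        return f"tls://{host}:{port}"          # plaintext greeting, then STARTTLS
    if kind in ("plaintext-imap", "plaintext-imap-preauth"):
        return f"{host}:{port}"                # no TLS available on this port
    raise ValueError(f"cannot map port behaviour {kind!r} to a Roundcube setting")


def read_greeting(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Plain TCP connect; return whatever the server sends first (b'' on silence)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


def tls_greeting(host: str, port: int, server_name: str, timeout: float = 3.0) -> bytes:
    """Handshake TLS first (implicit TLS) and return the greeting inside the tunnel.

    server_name is the hostname on the certificate; connecting to 'localhost'
    while naming the real FQDN here avoids the certificate-hostname mismatch
    the answer warns about.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.recv(1024)


def diagnose(host: str, port: int, server_name: str) -> str:
    """Return the port behaviour: plaintext-imap*, implicit-tls or an error string."""
    kind = classify_greeting(read_greeting(host, port))
    if kind != "no-greeting":
        return kind
    # Silence on connect: retry with TLS first, as openssl s_client would.
    try:
        inner = classify_greeting(tls_greeting(host, port, server_name))
    except (ssl.SSLError, OSError) as exc:
        return f"error: no greeting and TLS handshake failed ({exc})"
    return "implicit-tls" if inner.startswith("plaintext-imap") else f"error: {inner}"


if __name__ == "__main__":
    # Usage: probe_imap.py <connect-host> <port> <certificate-hostname>
    h, p, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    result = diagnose(h, p, name)
    print(f"{h}:{p} -> {result}")
    if not result.startswith("error"):
        print("Roundcube default_host:", roundcube_default_host(result, name, p))
```

Run against the asker's setup as `probe_imap.py localhost 143 mail.example.com`: a stock Dovecot answers `plaintext-imap-starttls` on 143 (Roundcube setting `tls://...:143`), while the swapped listeners in the question yield `implicit-tls` on 143, the non-standard `ssl://...:143` the answer describes.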