
Resolved connection webmail to mailserver fails

TauTaude

New Pleskian
Server operating system version: Ubuntu 20.04.6 LTS
Plesk version and microupdate number: 18.0.56 Update #3
I'm trying to set up webmail in one of my domains, but neither Horde nor Roundcube works. Both tell me the connection to the webserver fails.
Some facts: webmail.my.domain is secured with Let's Encrypt; the config of e.g. Roundcube looks like this:

Code:
$config['imap_host'] = 'ssl://localhost:993';

// IMAP authentication method (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null).
// Use 'IMAP' to authenticate with IMAP LOGIN command.
// By default the most secure method (from supported) will be selected.
$config['imap_auth_type'] = 'PLAIN';

// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
//$config['imap_conn_options'] = [
//  'ssl'         => [
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ],
// ];
// Note: These can be also specified as an array of options indexed by hostname
$config['imap_conn_options'] = array(
    'ssl'         => array(
        'verify_peer'  => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true,
        'crypto_method'     => defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')
                                ? (STREAM_CRYPTO_METHOD_TLS_CLIENT
                                | @STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
                                | @STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT)
                                : STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
    ),
);

Any hints on what/where to check?
 
Time to edit expired ;) Here's a snippet from the Roundcube log:
Code:
[07-Nov-2023 17:51:15 UTC] PHP Warning:  stream_socket_client(): SSL: Connection reset by peer in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1060
[07-Nov-2023 17:51:15 UTC] PHP Warning:  stream_socket_client(): Failed to enable crypto in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1060
[07-Nov-2023 17:51:15 UTC] PHP Warning:  stream_socket_client(): Unable to connect to ssl://localhost:993 (Unknown error) in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1060
[07-Nov-2023 17:51:15 +0000]: <5qjacl24> IMAP Error: Login failed for [email protected] against localhost from "myBrowserIP". Could not connect to ssl://localhost:993: Unknown reason in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /roundcube/?_task=login&_action=login)
 
Also:
Code:
root@hostname:/var/log/plesk-roundcube# openssl s_client -connect localhost:993 -starttls imap
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 14 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
 
Does /etc/dovecot/conf.d/11-plesk-security-ssl.conf exist? If so, paste its contents.

Also,
# cat /etc/dovecot/conf.d/10-plesk-security.conf |grep -v ^#

Is the certificate for the local mail server set?

Do you use apparmor?
 
/etc/dovecot/conf.d/11-plesk-security-ssl.conf (interesting that there is no 1.3)

Code:
ssl=yes
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_cert=</etc/dovecot/private/dovecot.pem
ssl_key=</etc/dovecot/private/dovecot.pem
ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_dh=</opt/psa/etc/dhparams1024.pem
ssl_min_protocol=TLSv1.2
ssl_prefer_server_ciphers=yes

# cat /etc/dovecot/conf.d/10-plesk-security.conf |grep -v ^#
Code:
disable_plaintext_auth = no

There was indeed a wrong (site-specific) certificate set in the SSL/TLS setting. I tried switching to LE default and Serverpool default; no difference (still no connect).
 
Try:
# plesk sbin sslmng --service dovecot --strong-dh --dhparams-size=2048
# systemctl restart dovecot

This will create a new DH parameter set (/opt/psa/etc/dhparams2048.pem) and replace the "/opt/psa/etc/dhparams1024.pem" value of ssl_dh with it in /etc/dovecot/conf.d/11-plesk-security-ssl.conf.
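For anyone landing here with the same symptom, an added check (example code, not Plesk's or Dovecot's own tooling) that reads the ssl_dh path from a snippet like the posted 11-plesk-security-ssl.conf and measures the DH group in the PEM it points at, since OpenSSL's default security level on Ubuntu 20.04 refuses groups under 2048 bits; the config text and the PEM are constructed fixtures, and the fixture generator is not a real prime generator.

```python
"""Check why the Roundcube-to-Dovecot TLS handshake above could fail: measure the DH group
in the file that ssl_dh points at. Added example, not Plesk's or Dovecot's own tooling."""
import base64
import re

# Constructed sample mirroring the posted 11-plesk-security-ssl.conf; the path is a placeholder.
SAMPLE_CONF = "ssl_dh=</opt/psa/etc/dhparams1024.pem\nssl_min_protocol=TLSv1.2\n"

def ssl_dh_path(conf_text):
    """Path after 'ssl_dh=<' (the '<' tells Dovecot to read the value from that file)."""
    m = re.search(r"^\s*ssl_dh\s*=\s*<(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def _tlv(der, i):
    """Decode one DER tag-length-value at offset i -> (tag, value, next offset)."""
    tag, length = der[i], der[i + 1]
    i += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(der[i:i + n], "big"), i + n
    return tag, der[i:i + length], i + length

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, seq, _ = _tlv(der, 0)
    tag, p, _ = _tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def audit_dh(conf_text, pem):
    """OpenSSL security level 2 (Ubuntu 20.04 default) refuses DH groups below 2048 bits."""
    bits = dh_prime_bits(pem)
    if bits >= 2048:
        return []
    return [f"{ssl_dh_path(conf_text)}: {bits}-bit DH group, handshake fails at seclevel 2"]

def _der(tag, body):
    """Minimal DER TLV encoder (short and long-form lengths), used only for the fixture."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def make_dh_pem(bits):
    """Constructed fixture: PEM with a `bits`-long odd p (NOT a real safe prime) and g = 2."""
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                    for v in ((1 << (bits - 1)) | 1, 2))
    b64 = base64.b64encode(_der(0x30, ints)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"
```

On a real server, feed `dh_prime_bits` the contents of the file named by `ssl_dh`; a result below 2048 explains the "Failed to enable crypto" warnings in the Roundcube log.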
 
Dang... that was it... First, when Plesk tried to restart Dovecot, there was a timeout error. I then restarted manually (as you said anyway), and it didn't work. Then I checked /etc/dovecot/conf.d/11-plesk-security-ssl.conf and noticed that the 1024 file was still referenced. I checked in /opt/psa/etc/ for the 2048 file, and it was there (so that part had worked). I then manually edited /etc/dovecot/conf.d/11-plesk-security-ssl.conf to point to the 2048 file and restarted Dovecot; now it works ;)
I fear, however, that this will be overwritten by some future update?
But thanks a lot for helping!
 
>> there was a timeout error
That's why the utility failed, I guess. On my server I had no timeouts.
Anyway, if the timeout is reproducible under particular circumstances, you can file a bug report.
 