
Resolved Horde: could not open secure TLS to the server

Erwan

Regular Pleskian
Config: Linux Plesk Onyx 17.5.3
=======
Hello,

We have a problem sending emails from Horde. We get this message:

Error to send message. Could not open secure TLS to the server.

We have found this link:
Unable to send email: Could not open secure TLS connection to the server

But Horde config is correct:

// send email with authorization on SMTP server
$conf['mailer']['params']['host'] = 'localhost';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['auth'] = true;
$conf['mailer']['type'] = 'smtp';

What's the problem? How can we resolve it?
Thanks
 
@Erwan

I am not sure where you are sending mail from and I do need some output from the log files, in order to have some idea what is happening.

Please try again and provide the output of the relevant logs.

Regards...
 
Hello trialotto,

Logs in /var/log/psa-horde/psa-horde.log:
ERR: HORDE [imp] Could not open secure TLS connection to the server. [pid 4477 on line 1160 of "/usr/share/psa-horde/imp/lib/Compose.php"]

And in Horde conf: /etc/psa-webmail/horde/horde/conf.php

I've already:
// send email with authorization on SMTP server
$conf['mailer']['params']['host'] = 'localhost';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['auth'] = true;
$conf['mailer']['type'] = 'smtp';
 
Logs in /var/log/psa-horde/psa-horde.log:
ERR: HORDE [imp] Could not open secure TLS connection to the server. [pid 4477 on line 1160 of "/usr/share/psa-horde/imp/lib/Compose.php"]
In file /usr/share/psa-horde/imp/config/backends.php try to change lines

'secure' => 'tls'
'port' => 143

to

'secure' => 'ssl'
'port' => 993
 
Hello Igor,

It's already the case:

// IMAP server
$servers['imap'] = array(
// ENABLED by default; will connect to IMAP port on local server
'disabled' => false,
'name' => 'IMAP Server',
'hostspec' => 'localhost',
'hordeauth' => false,
'protocol' => 'imap',
// Plaintext logins are disabled by default on IMAP servers (see RFC 3501
// [6.2.3]), so TLS is the only guaranteed authentication available by
// default.
//'secure' => 'tls',
//'port' => 143,
'secure' => 'ssl',
'port' => 993,
);
....
// Advanced example - mainly here to demonstrate the syntax of all available
// options.
$servers['advanced'] = array(
// Disabled by default
'disabled' => true,
'name' => 'Advanced IMAP Server',
'hostspec' => 'localhost',
'hordeauth' => false,
'protocol' => 'imap',
//'port' => 143,
//'secure' => 'tls',
'port' => 993,
'secure' => 'ssl',
'maildomain' => '',
'smtp' => array(
...
 
@Erwan

I was referring to the output of the /var/log/mail.log file (and potentially the syslog log file).

Can you do another attempt and put some output on the forum?

Sorry for the inconvenience, I could have been more specific.

Regards......
 
Trialotto,

In /var/log/maillog file:

Dec 6 22:03:09 w351 postfix/smtpd[28099]: connect from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
Dec 6 22:03:09 w351 postfix/smtpd[28099]: warning: TLS library problem: 28099:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 6 22:03:09 w351 postfix/smtpd[28099]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: disconnect from localhost.localdomain[127.0.0.1]

I don't understand why we have a TLS problem even though we have changed to SSL.

Nothing in /var/log/messages.

No problem when we send a message from Outlook, for example.
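Added example, not part of any post in this thread: a Python sketch that groups postfix/smtpd log lines by process id and reports the sessions whose TLS handshake failed, together with the OpenSSL function and reason string. The first sample session is the one posted above; the second is constructed, and the function and field names are assumptions of this example.

```python
import re

# syslog prefix, then the smtpd process id and the message text
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+postfix/smtpd\[(\d+)\]:\s+(.*)$")
PEER = re.compile(r"^connect from (\S+)\[([^\]]+)\]")
# OpenSSL error queue entry: error:<code>:<library>:<function>:<reason>:...
OSSL = re.compile(r"error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):")

# Session 28099 is the one posted in this thread; session 28110 is constructed.
SAMPLE = """\
Dec 6 22:03:09 w351 postfix/smtpd[28099]: connect from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
Dec 6 22:03:09 w351 postfix/smtpd[28099]: warning: TLS library problem: 28099:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 6 22:03:09 w351 postfix/smtpd[28099]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: disconnect from localhost.localdomain[127.0.0.1]
Dec 6 22:05:41 w351 postfix/smtpd[28110]: connect from client.example.test[192.0.2.10]
Dec 6 22:05:41 w351 postfix/smtpd[28110]: Anonymous TLS connection established from client.example.test[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 6 22:05:42 w351 postfix/smtpd[28110]: disconnect from client.example.test[192.0.2.10]
"""

def failed_tls_sessions(log_text):
    """Return one dict per smtpd session that logged an SSL_accept error."""
    open_sessions, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        peer = PEER.match(msg)
        if peer:  # a new session starts; one smtpd pid serves sessions one at a time
            open_sessions[pid] = {"time": stamp, "pid": int(pid), "host": peer.group(1),
                                  "ip": peer.group(2), "ssl_accept_error": False,
                                  "function": None, "reason": None, "lost_after": None}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue
        if msg.startswith("SSL_accept error"):
            s["ssl_accept_error"] = True
        elif msg.startswith("warning: TLS library problem"):
            e = OSSL.search(msg)
            if e:
                s["function"], s["reason"] = e.group(3), e.group(4)
        elif msg.startswith("lost connection after"):
            s["lost_after"] = msg.split()[3]  # SMTP stage at which the peer went away
        elif msg.startswith("disconnect from"):
            open_sessions.pop(pid)
            if s["ssl_accept_error"]:
                failures.append(s)
    return failures

if __name__ == "__main__":
    for f in failed_tls_sessions(SAMPLE):
        print(f["time"], f["ip"], f["lost_after"], f["function"], f["reason"])
```

Sorting the result by `ip` separates local webmail clients on 127.0.0.1 from remote mail clients, which matches the observation in the thread that Outlook could send while Horde could not.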
 
@Erwan,

Did you modify the file /etc/postfix/main.cf?

There is too little information for me to distill the unique root cause of the problem.

So, I am giving you some steps to exclude some potential culprits: do the following (in chronological order)

1 - run the commands

- service dovecot stop
(and, afterwards)
- service dovecot start

and redo the check by sending a mail from horde, this in order to exclude Dovecot as a potential root cause,

2 - check the file /etc/postfix/main.cf and make sure that there are no typos, mainly check the line: smtpd_use_tls = yes

3 - determine whether you have the "Horde mail sending problem" on all domains with Horde, or just one specific domain: please specify or give some information

4 - on a domain with Horde, switch to Roundcube and establish whether you have the same problem: if yes, then there is a certificate issue (nothing related to Horde)

5 - if none of the above helps and/or gives some clear indication about the root cause of the problem, open a SSH terminal and

- run the command: plesk sbin autoinstaller
- follow the menu and install (read: switch) to Qmail + dovecot
- recheck the issue and try sending a mail from Horde
- again, run the command: plesk sbin autoinstaller
- re-install (read: switch) to Postfix + Dovecot
- check whether your issue with Horde is solved


In general, I am pretty sure that you have some custom conf and/or typos in the Postfix configuration files.

If you are sure that you did not alter Postfix config files, then you can also skip some steps and go ahead with steps 4 and 5.

Hope the above helps........and keep me posted!

Regards........
 
OK. I will look into reinstalling Qmail & Dovecot.

My postfix configuration for smtp is:
Do you see anything wrong?

smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client xbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_milters = , inet:127.0.0.1:12768
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_client_connection_count_limit = 3

Thanks
Erwan
 
@Erwan,

The following remarks:

smtpd_tls_cert_file = /etc/postfix/postfix.pem

should actually be: smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

So, check the existence of the .pem file in the indicated directory.

Furthermore, change

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client xbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org

to

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org

and note that this is more or less the same, but it will actually work a tiny bit differently: the zen.spamhaus.org URI is the general URI, combining almost all blacklists maintained.

Finally, comment (add a #) or remove the lines:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_client_connection_count_limit = 3

since the lines above are custom and not standard in a default Plesk Postfix installation.

Note the above mentioned lines are (in essence)

- unnecessary, Plesk's default config takes care of this type of security, (and)
- dangerous: a line like smtpd_tls_exclude_ciphers = aNULL does not provide any added security whatsoever, since many mediocre ciphers are still allowed,
- a bit odd or non-optimal: for instance, a line like smtpd_client_connection_count_limit = 3 will cause many problems and not serve its intended purpose, since the purpose should not be the limitation of simultaneous connections, but it should be the limitation of the number of connections in a specific interval (read: a better indication of malicious attempts to connect) and that limitation is to be set with smtpd_client_connection_rate_limit

and it would be recommended to remove all of the before mentioned lines.

Afterwards, you can always do some fine-tuning of Postfix, but first get it back to default settings, in order to have a proper working Postfix.

Hope the above helps.

Regards.......
 
Thanks trialotto.

Finally, comment (add a #) or remove the lines:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1.1 TLSv1.2
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_client_connection_count_limit = 3


It works after that.
 