
Resolved Horde: could not open secure TLS to the server

Discussion in 'Plesk Onyx for Linux' started by Erwan, Dec 6, 2017.

  1. Erwan

    Erwan Basic Pleskian

    Config: Linux Plesk Onyx 17.5.3
    =======
    Hello,

    We have a problem sending emails from Horde. We have this message:

    Error to send message. Could not open secure TLS to the server.

    We have found this link:
    Unable to send email: Could not open secure TLS connection to the server

    But Horde config is correct:

    // send email with authorization on SMTP server
    $conf['mailer']['params']['host'] = 'localhost';
    $conf['mailer']['params']['port'] = 25;
    $conf['mailer']['params']['auth'] = true;
    $conf['mailer']['type'] = 'smtp';

    What's the problem? How can we resolve it?
    Thanks
     
  2. trialotto

    trialotto Golden Pleskian Plesk Guru

    @Erwan

    I am not sure where you are sending mail from and I do need some output from the log files, in order to have some idea what is happening.

    Please try again and provide the output of the relevant logs.

    Regards...
     
  3. Erwan

    Hello trialotto,

    Logs in /var/log/psa-horde/psa-horde.log:
    ERR: HORDE [imp] Could not open secure TLS connection to the server. [pid 4477 on line 1160 of "/usr/share/psa-horde/imp/lib/Compose.php"]

    And in Horde conf: /etc/psa-webmail/horde/horde/conf.php

    I already have:
    // send email with authorization on SMTP server
    $conf['mailer']['params']['host'] = 'localhost';
    $conf['mailer']['params']['port'] = 25;
    $conf['mailer']['params']['auth'] = true;
    $conf['mailer']['type'] = 'smtp';
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    In file /usr/share/psa-horde/imp/config/backends.php try to change lines

    'secure' => 'tls'
    'port' => 143

    to

    'secure' => 'ssl'
    'port' => 993
     
  5. Erwan

    Hello Igor,

    It's already the case:

    // IMAP server
    $servers['imap'] = array(
    // ENABLED by default; will connect to IMAP port on local server
    'disabled' => false,
    'name' => 'IMAP Server',
    'hostspec' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap',
    // Plaintext logins are disabled by default on IMAP servers (see RFC 3501
    // [6.2.3]), so TLS is the only guaranteed authentication available by
    // default.
    //'secure' => 'tls',
    //'port' => 143,
    'secure' => 'ssl',
    'port' => 993,
    );
    ....
    // Advanced example - mainly here to demonstrate the syntax of all available
    // options.
    $servers['advanced'] = array(
    // Disabled by default
    'disabled' => true,
    'name' => 'Advanced IMAP Server',
    'hostspec' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap',
    //'port' => 143,
    //'secure' => 'tls',
    'port' => 993,
    'secure' => 'ssl',
    'maildomain' => '',
    'smtp' => array(
    ...
     
  6. trialotto

    @Erwan

    I was referring to the output of the /var/log/mail.log file (and potentially the syslog log file).

    Can you do another attempt and put some output on the forum?

    Sorry for the inconvenience, I could have been more specific.

    Regards......
     
  7. Erwan

    Trialotto,

    In /var/log/maillog file:

    Dec 6 22:03:09 w351 postfix/smtpd[28099]: connect from localhost.localdomain[127.0.0.1]
    Dec 6 22:03:09 w351 postfix/smtpd[28099]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
    Dec 6 22:03:09 w351 postfix/smtpd[28099]: warning: TLS library problem: 28099:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
    Dec 6 22:03:09 w351 postfix/smtpd[28099]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
    Dec 6 22:03:09 w351 postfix/smtpd[28099]: disconnect from localhost.localdomain[127.0.0.1]

    I don't understand why we have a TLS problem even though we have changed to SSL.

    Nothing in /var/log/messages.

    No problem when we send a message from Outlook, for example.
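
Added example (not part of the thread, and not Plesk or Postfix code): a Python function that groups the postfix/smtpd lines quoted above by session and extracts the OpenSSL failure reason, so failed STARTTLS handshakes can be listed per client. The first five sample lines are the ones from the post; the last two, including the host mail.example.net and the address 192.0.2.10, are constructed.

```python
import re

# Constructed sample: the first five lines are the maillog excerpt from the post
# above; the last two (a clean session from 192.0.2.10) are made up for contrast.
SAMPLE_MAILLOG = """\
Dec 6 22:03:09 w351 postfix/smtpd[28099]: connect from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
Dec 6 22:03:09 w351 postfix/smtpd[28099]: warning: TLS library problem: 28099:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 6 22:03:09 w351 postfix/smtpd[28099]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Dec 6 22:03:09 w351 postfix/smtpd[28099]: disconnect from localhost.localdomain[127.0.0.1]
Dec 6 22:04:41 w351 postfix/smtpd[28120]: connect from mail.example.net[192.0.2.10]
Dec 6 22:04:42 w351 postfix/smtpd[28120]: disconnect from mail.example.net[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"from \S+\[([^\]]+)\]")
# OpenSSL error-queue entry: error:<code>:<library>:<function>:<reason>:
OPENSSL = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^:]*):")

def failed(s):
    return s["accept_error"] or s["openssl"] is not None

def tls_failures(log_text):
    """Return one record per smtpd session whose TLS handshake failed."""
    open_sessions, failures = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            c = CLIENT.search(msg)
            # One smtpd process serves many clients in turn, so track per connect.
            open_sessions[pid] = {"pid": pid, "client": c.group(1) if c else None,
                                  "accept_error": False, "openssl": None,
                                  "lost_after": None}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue  # log excerpt started mid-session
        if msg.startswith("SSL_accept error"):
            s["accept_error"] = True
        elif "TLS library problem" in msg and (e := OPENSSL.search(msg)):
            s["openssl"] = dict(zip(("code", "function", "reason"), e.groups()))
        elif msg.startswith("lost connection after "):
            s["lost_after"] = msg.split()[3]
        elif msg.startswith("disconnect from "):
            if failed(open_sessions.pop(pid)):
                failures.append(s)
    # Sessions still open at the end of the excerpt may have failed too.
    return failures + [s for s in open_sessions.values() if failed(s)]
```
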
     
  8. trialotto

    @Erwan,

    Did you modify the file /etc/postfix/main.cf?

    There is too little information for me to distill the unique root cause of the problem.

    So, I am giving you some steps to exclude some potential culprits: do the following (in chronological order)

    1 - run the commands

    - service dovecot stop
    (and, afterwards)
    - service dovecot start

    and redo the check by sending a mail from horde, this in order to exclude Dovecot as a potential root cause,

    2 - check the file /etc/postfix/main.cf and make sure that there are no typos, mainly check the line: smtpd_use_tls = yes

    3 - determine whether you have the "Horde mail sending problem" on all domains with Horde, or just one specific domain: please specify or give some information

    4 - on a domain with Horde, switch to Roundcube and establish whether you have the same problem: if yes, then there is a certificate issue (nothing related to Horde)

    5 - if none of the above helps and/or gives some clear indication about the root cause of the problem, open an SSH terminal and

    - run the command: plesk sbin autoinstaller
    - follow the menu and install (read: switch) to Qmail + dovecot
    - recheck the issue and try sending a mail from Horde
    - again, run the command: plesk sbin autoinstaller
    - re-install (read: switch) to Postfix + Dovecot
    - check whether your issue with Horde is solved


    In general, I am pretty sure that you have some custom conf and/or typos in the Postfix configuration files.

    If you are sure that you did not alter Postfix config files, then you can also skip some steps and go ahead with steps 4 and 5.

    Hope the above helps........and keep me posted!

    Regards........
     
  9. Erwan

    OK. I will look into reinstalling Qmail & Dovecot.

    My postfix configuration for smtp is:
    Do you see anything wrong?

    smtpd_tls_cert_file = /etc/postfix/postfix.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
    smtpd_use_tls = yes
    smtp_tls_security_level = may
    smtp_use_tls = no
    smtpd_timeout = 3600s
    smtpd_proxy_timeout = 3600s
    disable_vrfy_command = yes
    smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client xbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org
    smtp_send_xforward_command = yes
    smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_milters = , inet:127.0.0.1:12768
    smtpd_tls_ciphers = medium
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
    smtpd_tls_exclude_ciphers = aNULL
    smtpd_sasl_security_options = noplaintext
    smtpd_tls_auth_only = yes
    tls_ssl_options = NO_COMPRESSION
    smtpd_client_connection_count_limit = 3

    Thanks
    Erwan
     
  10. trialotto

    @Erwan,

    The following remarks:

    should actually be: smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

    So, check the existence of the .pem file in the indicated directory.

    Furthermore, change

    to

    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org

    and note that this is more or less the same, but it will actually work a tiny bit differently: the zen.spamhaus.org URI is the general URI, combining almost all blacklists maintained.

    Finally, comment (add a #) or remove the lines:

    smtpd_tls_ciphers = medium
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
    smtpd_tls_exclude_ciphers = aNULL
    smtpd_sasl_security_options = noplaintext
    smtpd_tls_auth_only = yes
    tls_ssl_options = NO_COMPRESSION
    smtpd_client_connection_count_limit = 3

    since the lines above are custom and not standard in a default Plesk Postfix installation.

    Note the above mentioned lines are (in essence)

    - unnecessary, Plesk's default config takes care of this type of security, (and)
    - dangerous: a line like smtpd_tls_exclude_ciphers = aNULL does not provide any added security whatsoever, since many mediocre ciphers are still allowed,
    - a bit odd or non-optimal: for instance, a line like smtpd_client_connection_count_limit = 3 will cause many problems and not serve its intended purpose, since the purpose should not be the limitation of simultaneous connections, but it should be the limitation of the number of connections in a specific interval (read: a better indication of malicious attempts to connect) and that limitation is to be set with smtpd_client_connection_rate_limit

    and it would be recommended to remove all of the before mentioned lines.

    Afterwards, you can always do some fine-tuning of Postfix, but first get it back to default settings, in order to have a proper working Postfix.

    Hope the above helps.

    Regards.......
     
  11. Erwan

    Thanks trialotto.

    Finally, comment (add a #) or remove the lines:

    smtpd_tls_ciphers = medium
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_protocols = TLSv1.1 TLSv1.2
    smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
    smtpd_tls_exclude_ciphers = aNULL
    smtpd_sasl_security_options = noplaintext
    smtpd_tls_auth_only = yes
    tls_ssl_options = NO_COMPRESSION
    smtpd_client_connection_count_limit = 3


    It works after that.
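
Added example (not from the thread, and not Plesk or Postfix code): a Python check that parses main.cf text and reports which settings decide whether a local client that authenticates on port 25, as Horde is configured to do here, has to complete STARTTLS first. The sample is constructed from lines in the configuration posted earlier, with a comment and a continuation line added to exercise the parser; the function names are this example's own.

```python
import re

# Constructed sample: TLS-related lines taken from the main.cf posted in the
# thread, plus one comment and one continuation line to exercise the parser.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_tls_protocols = TLSv1.1
    TLSv1.2
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
"""

# Obsolete switches and the parameter that overrides each one when it is set.
OVERRIDES = {"smtpd_use_tls": "smtpd_tls_security_level",
             "smtp_use_tls": "smtp_tls_security_level"}

def parse_main_cf(text):
    """main.cf rules: '#' lines are comments, a line starting with
    whitespace continues the previous parameter, the last assignment wins."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def starttls_notes(params):
    """Describe how the parsed settings shape STARTTLS for an authenticating client."""
    notes = []
    for old, new in OVERRIDES.items():
        if old in params and params.get(new):
            notes.append(f"{old} = {params[old]} is ignored; {new} = {params[new]} applies")
    listed = [p for p in re.split(r"[,\s:]+", params.get("smtpd_tls_protocols", ""))
              if p and not p.startswith("!")]
    if listed:
        notes.append("smtpd negotiates only: " + " ".join(listed))
    if params.get("smtpd_tls_auth_only") == "yes" and params.get("smtpd_sasl_auth_enable") == "yes":
        notes.append("AUTH is announced only after a successful STARTTLS")
    return notes
```
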
     