Roundcube "Connection to storage server failed"

[Sergio Manzi]

Hello everybody!

I'm getting this error when trying to access all (old and newly created) my webmail accounts:

Roundcube "Connection to storage server failed"​

I'm really scratching my head on this and any input will be greatly appreciated!

Environment:

Plesk 17.8.10 (upgraded from 17.5.3#40)
CentOS 7.4.1708, Kernel 3.10.0-693
Mail subsystem: Postfix/Dovecot
Webmail: Roundcube​

Notes:

• I don't know exactly when the problem started, but it must have been sometimes after I upgraded to 17.8.10 and installed Let's Encrypt certificates for all my domains.
• No other issue on the system AFAIK. Everything else is working perfectly.
• No issue at all accessing IMAP from external clients (Thunderbird)

Logs (after a failed webmail login):

# tail /var/log/maillog
...
Feb 26 12:59:01 ams301 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<PtfzEh1mALUAAAAAAAAAAAAAAAAAAAAB> <-- Note here "user=<>" Is that normal?? What are those TLS errors??

# systemctl restart dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-02-26 13:51:54 GMT; 1s ago
Docs: man:dovecot(1)
FrontPage - Dovecot Wiki
Process: 15817 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Main PID: 15821 (dovecot)
CGroup: /system.slice/dovecot.service
├─15821 /usr/sbin/dovecot -F
├─15824 dovecot/anvil
├─15825 dovecot/log
└─15826 dovecot/config

Feb 26 13:51:54 ams301.smz.it dovecot[15821]: Warning: service auth { client_limit=1000 } is lower than required under max. load (2248)
Feb 26 13:51:54 ams301.smz.it dovecot[15821]: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2251)
Feb 26 13:51:54 ams301.smz.it dovecot[15821]: master: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2251)
Feb 26 13:51:54 ams301.smz.it dovecot[15821]: master: Dovecot v2.3.0 (c8b89eb) starting up for imap, pop3, sieve (core dumps disabled)
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:2: ssl_protocols has been replaced by ssl_min_protocol
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: config: Warning: Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:2: ssl_protocols has been replaced by ssl_min_protocol
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: config: Warning: service auth { client_limit=1000 } is lower than required under max. load (2248)
Feb 26 13:51:55 ams301.smz.it dovecot[15825]: config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2251)

# plesk repair mail -n
Repairing the mail server configuration ............................. [OK]
Error messages: 0; Warnings: 0; Errors resolved: 0
​

Configs:

# grep mydestination /etc/postfix/main.cf | grep -v "#"
mydestination = localhost.$mydomain, localhost, localhost.localdomain

​

# cat /etc/hosts
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.redhat.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data

# The following lines are desirable for IPv4 capable hosts
127.0.0.1 ams301.smz.it ams301
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

# The following lines are desirable for IPv6 capable hosts
::1 ams301.smz.it ams301
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6​

What I have already looked at:

• Roundcube login fails after upgrade: Connection to storage server failed (It may be that the dovecot index files are for an older version of dovecot, and don't work with the new version.)
  NO: it happens with new mail accounts as well
  
• Can not login webmail: "Connection to storage server failed" (Roundcube) "Error connecting to mail server" (Horde) (Plesk specific SELinux policies package was not installed)
  NO: Solution is specific for Plesk 17.5.3
  
• Unable to start Dovecot after Plesk installation: Can't open file /etc/dovecot/private/ssl-cert-and-key.pem: No such file or directory
  NO: Different symptoms, doesn't seems to apply and I'm afraid of uninstalling Dovecot (and loosing mailboxes configurations, such as filters, etc..)

Many thanks in advance to whomever might help!

 

[MarkM]

Have you tried just swapping to Courier to see if the issue clears up? (just to troubleshoot the issue further...)

 

[Sergio Manzi]

Have you tried just swapping to Courier to see if the issue clears up? (just to troubleshoot the issue further...)

No, I didn't and to be honest I'm very reluctant doing that: in the past I had problems because of old Courier remnants on my system... see: Plesk Onyx 17.8.10 (testing) wrong updated offered

P.S.: and doing that it would have an impact on all my users accessing their mail accounts through IMAP (something I can't do...)

 

[MarkM]

Fair enough. I did find this;

Resolved - Plesk 17.8 Preview Roundcube login not possible

 

[Sergio Manzi]

Resolved - Plesk 17.8 Preview Roundcube login not possible

That sounds really interesting... let me check all of it, then I'll let you know! Thanks!

 

[Sergio Manzi]

Oh joy, it works now!! (but I'm still unsure if it is correct...)

So, I looked at the above article, which inspired me:

• tried to change the smtp_server to tls://localhost and smtp_port to 587 <--- no joy, but expected (IMAP issue, not SMTP...)
• tried to change default_host from ssl://localhost to tsl://localhost <-- no joy either: different error, timeout logging in
• tried to change default_host from ssl://localhost to localhost and default_port from 993 to 143 <-- THIS DID THE TRICK!!!
• I had to revert the smtp_server and smtp_port to their defaults as I was unable to send mail with "smtp_server = tls://localhost"

So, now it is like this:

# diff defaults.inc.php.bak defaults.inc.php
142c142
< $config['default_host'] = 'ssl://localhost';
---
> $config['default_host'] = 'localhost';
146c146
< $config['default_port'] = 993;
---
> $config['default_port'] = 143;

... and it works. This, anyway, means that internal connections from Roundcube to dovecot are not encrypted, but this shouldn't be a problem, right?

Thanks for your help!

 

[Sergio Manzi]

P.S.: have you noticed the warnings when dovecot starts, those about "Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:2: ssl_protocols has been replaced by ssl_min_protocol"?
Can this explain the fact that Roundcube can't comunicate with dovecot via SSL?

 

[MarkM]

What's the content of 11-plesk-security-ssl.conf?

Here's what mine is on a fresh 17.8 install;

ssl_min_protocol=TLSv1
ssl_cipher_list=HIGH:!aNULL:!MD5
ssl_dh=</etc/dovecot/private/dh.pem

 

[Sergio Manzi]

What's the content of 11-plesk-security-ssl.conf?

Pardon my ignorance... where do I find it?

 

[MarkM]

/etc/dovecot/conf.d/11-plesk-security-ssl.conf

 

[Sergio Manzi]

Here it is:

# cat /etc/dovecot/conf.d/11-plesk-security-ssl.conf
ssl_cipher_list=HIGH:!aNULL:!MD5
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_min_protocol=TLSv1
ssl_dh=</etc/dovecot/private/dh.pem
ssl=yes
ssl_cert=</etc/dovecot/private/dovecot.pem
ssl_key=</etc/dovecot/private/dovecot.pem

 

[Sergio Manzi]

I'm using an LE issued cert for my IMAP: can this be the root cause?

 

[Sergio Manzi]

[unmarking the "solved" flag: I'd really like to see this working with SSL... Will re-mark as solved if no solution available...]

 

[MarkM]

Umm well it's saying ssl_protocols is obsolete, but you also have the new ssl_min_protocol so I say that warning is safe to ignore and not part of the issue. You could probably even remove/comment out the ssl_protocols line. You do have extra lines for the cert - my config was off a dev box.

Found this;

tlsv1 alert unknown ca: SSL alert number 48

Talks about adding a peer_name to /usr/share/psa-roundcube/config/defaults.inc.php

 

[Sergio Manzi]

Talks about adding a peer_name to /usr/share/psa-roundcube/config/defaults.inc.php

That can make sense: the cert issued by LE and used for IMAP is issued for the FQDN of my host, ams301.smz.it. Trying a connection to "localhost" might fail, maybe...
I'll look into this , but right now I must leave... I'll let you know ASAP...

Many thanks again for your help!

 

[MarkM]

Let me know! Makes sense to have the issue be with Roundcube since you can connect using Thunderbird.

 

[Sergio Manzi]

Yeap... thunderbird and Outllok perfectly works, but I must configure the FQDN of the host in them, so another hint about this being some discrepancy between Roundcube and dovecot and the way one connects to the other via SSL...

 

[Sergio Manzi]

Hello @Mark Muyskens !

I think I made a small step forward:

After having restored my "ssl://localhost" and reset the port to 993, I tried fiddling with the "peer_name" (setting my FQDN), but without success.

I then modified the the 'verify_peer' option from 'true' to 'false' and... success!

so my config (compared to the default) is now:

# diff defaults.inc.php.bak defaults.inc.php
165c165
<      'verify_peer'  => true,
---
>      'verify_peer'  => false,

I could probably consider myself happy and call it a day, but...

• It is now enough clear that it is TSL negotiation error between Roundcube and dovecot (consider the "TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48" diagnostic)
  
  
• I'm strongly inclined to suspect that all started when I changed my "Certificate for securing mail" from "default certificate" to "Lets Encrypt certificate"
  
  
• This together with the 'verify_peer' option set to 'true' and the lack of any reference to the new cert, is creating the issue
  
  
• On the robust basis of the "Principle of minimum astonishment", I think Plesk should have handled my action of changing the SSL cert in all aspects, also fixing the Roundcube configuration accordingly.
  
  
• Is this a bug or just a local SNAFU?

From a practical point of view:

• Now Roundcube talks to dovecot on an encrypted socket: probably redundant, but it gives me peace of mind
  
  
• Roundcube doesn't verify that "localhost" is indeed "localhost": no big deal, I think... what's your opinion?

So... what do we do? we call it a day? we dig deeper?

Cheers and thanks again!

 

[MarkM]

Just wondering if this is some sort of upgrade issue from 10.5; reason being it works perfectly on a fresh 10.8 install. Not sure if it's a local snafu or something with the upgrade - like Dovecot may have updated as well during 10.5 -> 10.8 and there's just some sort of other Plesk config we're missing to make this work like it should.

What happens if you change the settings for default_host from localhost to the actual hostname?

 

[Sergio Manzi]

with:

142c142
< $config['default_host'] = 'ssl://localhost';
---
> $config['default_host'] = 'ssl://ams301.smz.it';

I get:

Feb 27 03:32:33 ams301 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<fEr2RilmatkAAAAAAAAAAAAAAAAAAAAB>

same as before...