Resolved Roundcube Sieve Plugin not working, 17.8.11 MU 1

[hansitheking]

If I access Roundcube Webmail 1.3.4 since Plesk 17.8.11 MU 1 I get an error Message while trying to edit the filter rules (Settings > Filters). Error Message: Sorry no connection to Sieve-Server. If you have a look to the logfiles you can see it is an error with the TLS-Cert while the plugin trys to connect to localhost.

[11-Mar-2018 10:11:54 UTC] PHP Warning:  stream_socket_enable_crypto(): Peer certificate CN=`*.example.de' did not match expected CN=`localhost' in /usr/share/psa-roundcube/vendor/pear/net_sieve/Sieve.php on line 1239
[11-Mar-2018 10:11:54 UTC] ERROR: Failed to establish TLS connection (2)
[11-Mar-2018 10:11:54 UTC] ERROR: Failed to read from socket ()

 

[MarkM]

You are using Dovecot right?

 

[hansitheking]

You are using Dovecot right?

Yes

 

[Sergio Manzi]

This too seems to be solved by modifying /usr/share/psa-roundcube/config/defaults.inc.php with 'verify_peer' => false

See: Forwarded to devs - Roundcube "Connection to storage server failed" when securing mail with Let's Encrypt certificate

 

[Sergio Manzi]

... or at least I can say that I'm not experiencing this issue while having that setting.

This issue seems to be related: give it a try and report, please...

 

[hansitheking]

This too seems to be solved by modifying /usr/share/psa-roundcube/config/defaults.inc.php with 'verify_peer' => false

See: Forwarded to devs - Roundcube "Connection to storage server failed" when securing mail with Let's Encrypt certificate

I have tested with

$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name' => false,
     'allow_self_signed' => true,
   ),
 );

but the error message and log is still the same. Even if I change the config to a more secure setting
:

$config['default_host'] = 'tls://mail.example.de';
@include "/etc/psa-webmail/roundcube/mailhosts.php";

// TCP port used for IMAP connections
$config['default_port'] = 143;

$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => true,
     'verify_peer_name' => true,
     'allow_self_signed' => false,
   ),
 );

Only the Sieve Plugin is not working (Login to Roundcube and sending mails is working) and in the error log you still see "localhost" and not "mail.example.de". The Cert used for mail.example.de is not from LE in my case it as a wildcard bought one. There this seems not place for setting the verify rule for the sieve connection.

[11-Mar-2018 13:14:37 UTC] PHP Warning:  stream_socket_enable_crypto(): Peer certificate CN=`*.example.de' did not match expected CN=`localhost' in /usr/share/psa-roundcube/vendor/pear/net_sieve/Sieve.php on line 1239
[11-Mar-2018 13:14:37 UTC] ERROR: Failed to establish TLS connection (2)
[11-Mar-2018 13:14:37 UTC] ERROR: Failed to read from socket ()

 

[Sergio Manzi]

Good, I bricked my server while trying this...
Give me some time...

Using TLS (like you did, but obviously with my server name) Roundcube gave me an "Internal server error"

@Mark Muyskens Mark, your opinion?

 

[Sergio Manzi]

Well, after all I haven't bricked my server: it is just my Internet connection acting weird (again)... pfuii...

@hansitheking have you tried with:

$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'PLAIN';
$config['imap_conn_options'] = array(
     'ssl' => array(
     'verify_peer' => false,
     'verify_peer_name' => false,
     'allow_self_signed' => true,
   ),
 );

this is working for me (both accessing Roundcube and editing sieves), but the the cert used by my mail subsystem is an LE certificate issued on my server name...

 

[MarkM]

Whatcha do? I'm lost lol

 

[MarkM]

Wait did you just solve the RoundCube LE Cert issue....!?

 

[Sergio Manzi]

Wait did you just solve the RoundCube LE Cert issue....!?

... well... not "just": I solved it already when I submitted the report, but IMHO it is only a workaround, not a solution...

 

[hansitheking]

Well, after all I haven't bricked my server: it is just my Internet connection acting weird (again)... pfuii...

@hansitheking have you tried with:

$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'PLAIN';
$config['imap_conn_options'] = array(
     'ssl' => array(
     'verify_peer' => false,
     'verify_peer_name' => false,
     'allow_self_signed' => true,
   ),
 );

this is working for me (both accessing Roundcube and editing sieves), but the the cert used by my mail subsystem is an LE certificate issued on my server name...

Also with these settings editing sieves is not possible.

 

[Sergio Manzi]

Also with these settings editing sieves is not possible.

... then I'm afraid I've exhausted my ideas...

 

[hansitheking]

... then I'm afraid I've exhausted my ideas...

Thank you very much for all your ideas and help @Sergio Manzi and @Mark Muyskens

 

[Sergio Manzi]

@hansitheking no problem!
Now I have something else to deal with, but then I'll see if I can come with something else...

On a general note, aren't sieves implemented at the IMAP (Dovecot) level and what Roundcube is doing is just configuring them?

 

[MarkM]

OK I got an idea, this is something we tried on the other issue and it didn't do anything but maybe we will have luck here;

Modify /usr/share/psa-roundcube/config/defaults.inc.php - We're adding peer_name

$config['imap_conn_options'] = array(
  'ssl'         => array(
     'peer_name' => 'FQDN for cert goes here',
     'verify_peer'  => true,
     'verify_peer_name' => false,
     'allow_self_signed' => true,
   ),
 );

 

[hansitheking]

Sorry I can not reply forum has a problem

 

[Sergio Manzi]

Problem with forum

 

[MarkM]

Sorry I can not reply forum has a problem

Uh... you just replied.

 

[hansitheking]

The hack is to change the config['sieverules_usetls'] = FALSE in line 35 of

/usr/share/psa-roundcube/plugins/sieverules/config.inc.php

If I Post without spaces my forum account gets looked, please remove the spaces in the path.