
TLS handshaking: SSL_accept() failed: #1346

Closed

kdaye opened this issue Feb 22, 2017 · 7 comments


kdaye commented Feb 22, 2017

Cannot log in!!!

RainLoop version, browser, OS:
Rainloop Community edition
v1.10.5.192 (06.11.2016)
Chrome browser
Windows 10
Server
Nginx
PHP7.0
Expected behavior and actual behavior:
Log in to my mail server
Steps to reproduce the problem:
Log in
Logs or screenshots:
Login with RainLoop, mail server log:

mail    | Feb 22 10:59:41 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=192.168.32.2, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<WOy5ZBxJpACvfiWQ>

Login with Thunderbird, mail server log:

mail    | Feb 22 08:14:49 mx dovecot: imap-login: Login: user=<xxx@xxx.com>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=192.168.32.2, mpid=1503, TLS, session=<JEoaFxpJnwC3lSNy>

Mailserver config

version: '2'

services:
  mail:
    restart: always
    image: tvial/docker-mailserver:latest
    # build: .
    hostname: mx
    domainname: xxx.com
    container_name: mail
    environment:
      - SSL_TYPE=letsencrypt
      - POSTMASTER_ADDRESS=postmaster@xxx.com
      - ENABLE_SPAMASSASSIN=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ONE_DIR=1
      - DMS_DEBUG=0
    cap_add:
    - NET_ADMIN
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - ./config/:/tmp/docker-mailserver/
      - /etc/letsencrypt:/etc/letsencrypt
volumes:
  maildata:
    driver: local
  mailstate:
    driver: local
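The two Dovecot imap-login lines in the post above are the server-side evidence for this problem. The following is an added example (not part of the issue or of docker-mailserver) that parses lines in that format, counts SSL_accept() failures per remote IP and OpenSSL reason, and maps the "no shared cipher" reason to its operator meaning; the log sample and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed lines in the Dovecot imap-login format quoted in this issue (with the
# docker-compose "mail    | " prefix); not taken from a live server.
SAMPLE_LOG = """\
mail    | Feb 22 10:59:41 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.10, lip=192.168.32.2, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<WOy5ZBxJpACvfiWQ>
mail    | Feb 22 08:14:49 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.20, lip=192.168.32.2, mpid=1503, TLS, session=<JEoaFxpJnwC3lSNy>
mail    | Feb 22 11:02:03 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.10, lip=192.168.32.2, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<c0nstructed0001>
"""

EVENT_RE = re.compile(r"imap-login: (?P<event>Login|Disconnected)")
RIP_RE = re.compile(r"\brip=(?P<rip>[0-9A-Fa-f.:]+)")
TLS_FAIL_RE = re.compile(r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):"
                         r"SSL routines:(?P<func>[A-Z0-9_]+):(?P<reason>[^,]+)")

# Operator-facing meaning of the one OpenSSL reason seen in this issue; any other
# reason is passed through unmapped so it still shows up in the summary.
REASON_HINTS = {
    "no shared cipher": "client offered nothing that ssl_protocols/ssl_cipher_list "
                        "accept; the client sees 'sslv3 alert handshake failure'",
}


def parse_line(line):
    """Return {event, rip, tls_error} for an imap-login line, else None."""
    event = EVENT_RE.search(line)
    if not event:
        return None
    rip = RIP_RE.search(line)
    fail = TLS_FAIL_RE.search(line)
    return {"event": event.group("event"),
            "rip": rip.group("rip") if rip else None,
            "tls_error": fail.group("reason").strip() if fail else None}


def summarize(log_text):
    """Count successful logins and SSL_accept() failures keyed by (rip, reason)."""
    logins, failures = 0, Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "Login":
            logins += 1
        elif rec["tls_error"]:
            failures[(rec["rip"], rec["tls_error"])] += 1
    hints = {reason: REASON_HINTS.get(reason, "unmapped: " + reason)
             for _, reason in failures}
    return {"logins": logins, "failures": dict(failures), "hints": hints}
```

A burst of "no shared cipher" failures from one client IP right after a configuration change, with other clients still logging in, points at a cipher/protocol mismatch rather than at an attack or a certificate problem.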
ervee (Contributor) commented Feb 22, 2017

Are you using the php mail function in RainLoop? Looks like the client (RainLoop) and the Server can't agree on an SSL/TLS cipher to use. What are your mailserver's SSL/TLS/cipher settings?

kdaye (Author) commented Feb 22, 2017

Thank you for your help.
I didn't use the PHP mail function in RainLoop.

root@xxxx:/# docker exec mail cat /etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/mx.xxx.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mx.xxxx.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = 

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL protocols to use
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2

# SSL ciphers to use
ssl_cipher_list = ECDHE+AESGCM ECDHE+AES DHE+AESGCM DHE+AES DES-CBC3-SHA

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

Set SSL/TLS and test
RainLoop log

[12:48:37.662][40b0f2f4] INFO[DATA]: [DATE:22.02.17][OFFSET:-00][RL:1.10.5.192][PHP:7.0.13-0ubuntu0.16.04.1][IP:60.191.164.78][PID:27256][nginx/1.10.0][fpm-fcgi]
[12:48:37.662][40b0f2f4] INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:mysql][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
[12:48:37.663][40b0f2f4] REQUEST[NOTE]: [POST] https://mail.domain.com/?/Ajax/&q[]=/0/
[12:48:37.663][40b0f2f4] AJAX[NOTE]: Action: DoAdminDomainTest
[12:48:37.663][40b0f2f4] POST[DATA]: {"Name":"domain.com","IncHost":"mx.domain.com","IncPort":"993","IncSecure":"1","UseSieve":"0","SieveHost":"","SievePort":"4190","SieveSecure":"0","OutHost":"mx.domain.com","OutPort":"587","OutSecure":"2","OutAuth":"1","OutUsePhpMail":"0","Action":"AdminDomainTest","XToken":"76189d76034823393070bdfa6ea2e3ff"}
[12:48:37.663][40b0f2f4] IMAP[NOTE]: Start connection to "ssl://mx.domain.com:993"
[12:48:38.036][40b0f2f4] IMAP[NOTE]: Connected (unsuccess)
[12:48:38.037][40b0f2f4] IMAP[NOTICE]: Socket: [2] stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[12:48:38.037][40b0f2f4] IMAP[NOTICE]: MailSo\Net\Exceptions\SocketCanNotConnectToHostException: Can't connect to host "ssl://mx.domain.com:993" in /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Net/NetClient.php:292
Stack trace:
#0 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Imap/ImapClient.php(153): MailSo\Net\NetClient->Connect('mx.domain.co...', 993, 1, true, false)
#1 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Actions.php(4140): MailSo\Imap\ImapClient->Connect('mx.domain.co...', 993, 1, true, false)
#2 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoAdminDomainTest()
#3 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#4 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#5 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#6 /var/www/rainloop/rainloop/v/1.10.5.192/app/handle.php(94): RainLoop\Service::Handle()
#7 /var/www/rainloop/rainloop/v/1.10.5.192/include.php(225): include('/var/www/rainlo...')
#8 /var/www/rainloop/index.php(13): include('/var/www/rainlo...')
#9 {main}
[12:48:38.038][40b0f2f4] SMTP[NOTE]: Start connection to "tcp://mx.domain.com:587"
[12:48:38.129][40b0f2f4] SMTP[NOTE]: Connected (success)
[12:48:38.305][40b0f2f4] SMTP[DATA]: < 220 mx.domain.com ESMTP Postfix (Ubuntu)\r\n
[12:48:38.305][40b0f2f4] SMTP[DATA]: > EHLO mail.domain.com\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-mx.domain.com\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-PIPELINING\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-SIZE 10240000\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-VRFY\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-ETRN\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-STARTTLS\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-ENHANCEDSTATUSCODES\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250-8BITMIME\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: < 250 DSN\r\n
[12:48:38.417][40b0f2f4] SMTP[DATA]: > STARTTLS\r\n
[12:48:38.796][40b0f2f4] SMTP[DATA]: < 220 2.0.0 Ready to start TLS\r\n
[12:48:38.995][40b0f2f4] SMTP[DATA]: > EHLO mail.domain.com\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-mx.domain.com\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-PIPELINING\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-SIZE 10240000\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-VRFY\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-ETRN\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-AUTH PLAIN LOGIN\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-AUTH=PLAIN LOGIN\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-ENHANCEDSTATUSCODES\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250-8BITMIME\r\n
[12:48:39.123][40b0f2f4] SMTP[DATA]: < 250 DSN\r\n
[12:48:39.123][40b0f2f4] SMTP[NOTE]: Disconnected from "tcp://mx.domain.com:587" (success)
[12:48:39.123][40b0f2f4] AJAX[DATA]: {"Action":"AdminDomainTest","Result":{"Imap":"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure","Smtp":true,"Sieve":true},"Time":1487}
[12:48:39.129][40b0f2f4] INFO[MEMORY]: Memory peak usage: 2MB
[12:48:39.129][40b0f2f4] INFO[TIME]: Time delta: 1.4927940368652

Set STARTTLS and test
RainLoop log

[12:44:48.865][061245f8] INFO[DATA]: [DATE:22.02.17][OFFSET:-00][RL:1.10.5.192][PHP:7.0.13-0ubuntu0.16.04.1][IP:60.191.164.78][PID:27257][nginx/1.10.0][fpm-fcgi]
[12:44:48.867][061245f8] INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:mysql][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
[12:44:48.867][061245f8] REQUEST[NOTE]: [POST] https://mail.domain.com/?/Ajax/&q[]=/0/
[12:44:48.867][061245f8] AJAX[NOTE]: Action: DoAdminDomainTest
[12:44:48.867][061245f8] POST[DATA]: {"Name":"domain.com","IncHost":"mx.domain.com","IncPort":"993","IncSecure":"2","UseSieve":"0","SieveHost":"","SievePort":"4190","SieveSecure":"0","OutHost":"mx.domain.com","OutPort":"587","OutSecure":"2","OutAuth":"1","OutUsePhpMail":"0","Action":"AdminDomainTest","XToken":"76189d76034823393070bdfa6ea2e3ff"}
[12:44:48.869][061245f8] IMAP[NOTE]: Start connection to "tcp://mx.domain.com:993"
[12:44:49.149][061245f8] IMAP[NOTE]: Connected (success)
[12:44:59.164][061245f8] IMAP[ERROR]: MailSo\Net\Exceptions\SocketReadTimeoutException: MailSo-Net-Exceptions-SocketReadTimeoutException (NetClient.php ~ 506) in /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Net/NetClient.php:506
Stack trace:
#0 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Imap/ImapClient.php(2033): MailSo\Net\NetClient->getNextBuffer()
#1 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Imap/ImapClient.php(1899): MailSo\Imap\ImapClient->partialParseResponseBranch(Object(MailSo\Imap\Response))
#2 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->parseResponse('*', true)
#3 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/MailSo/Imap/ImapClient.php(155): MailSo\Imap\ImapClient->parseResponseWithValidation('*', true)
#4 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Actions.php(4140): MailSo\Imap\ImapClient->Connect('mx.domain.co...', 993, 2, true, false)
#5 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoAdminDomainTest()
#6 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#7 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#8 /var/www/rainloop/rainloop/v/1.10.5.192/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#9 /var/www/rainloop/rainloop/v/1.10.5.192/app/handle.php(94): RainLoop\Service::Handle()
#10 /var/www/rainloop/rainloop/v/1.10.5.192/include.php(225): include('/var/www/rainlo...')
#11 /var/www/rainloop/index.php(13): include('/var/www/rainlo...')
#12 {main}
[12:44:59.165][061245f8] SMTP[NOTE]: Start connection to "tcp://mx.domain.com:587"
[12:44:59.248][061245f8] SMTP[NOTE]: Connected (success)
[12:44:59.341][061245f8] SMTP[DATA]: < 220 mx.domain.com ESMTP Postfix (Ubuntu)\r\n
[12:44:59.344][061245f8] SMTP[DATA]: > EHLO mail.domain.com\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-mx.domain.com\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-PIPELINING\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-SIZE 10240000\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-VRFY\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-ETRN\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-STARTTLS\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-ENHANCEDSTATUSCODES\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250-8BITMIME\r\n
[12:44:59.424][061245f8] SMTP[DATA]: < 250 DSN\r\n
[12:44:59.424][061245f8] SMTP[DATA]: > STARTTLS\r\n
[12:44:59.503][061245f8] SMTP[DATA]: < 220 2.0.0 Ready to start TLS\r\n
[12:44:59.675][061245f8] SMTP[DATA]: > EHLO mail.domain.com\r\n
[12:44:59.752][061245f8] SMTP[DATA]: < 250-mx.domain.com\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-PIPELINING\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-SIZE 10240000\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-VRFY\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-ETRN\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-AUTH PLAIN LOGIN\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-AUTH=PLAIN LOGIN\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-ENHANCEDSTATUSCODES\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250-8BITMIME\r\n
[12:44:59.753][061245f8] SMTP[DATA]: < 250 DSN\r\n
[12:44:59.753][061245f8] SMTP[NOTE]: Disconnected from "tcp://mx.domain.com:587" (success)
[12:44:59.753][061245f8] IMAP[NOTE]: Disconnected from "tcp://mx.domain.com:993" (success)
[12:44:59.753][061245f8] AJAX[DATA]: {"Action":"AdminDomainTest","Result":{"Imap":"MailSo-Net-Exceptions-SocketReadTimeoutException (NetClient.php ~ 506)","Smtp":true,"Sieve":true},"Time":10949}
[12:44:59.753][061245f8] INFO[MEMORY]: Memory peak usage: 2MB
[12:44:59.754][061245f8] INFO[TIME]: Time delta: 10.949869155884

ervee (Contributor) commented Feb 22, 2017

I had some problems using ssl_cipher_list in Dovecot in the past.
What if you set:

ssl_protocols = !SSLv2 !SSLv3
#ssl_cipher_list = ECDHE+AESGCM ECDHE+AES DHE+AESGCM DHE+AES DES-CBC3-SHA

Reload Dovecot and test.

Also, set:

ssl_ca = </path/to/RootCertificate.crt
ssl_cert = </path/to/ServerCertificate-including-all-intermediates-but-not-root.crt

kdaye (Author) commented Feb 22, 2017

Set it, reloaded and tested. It's working.

ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
#ssl_cipher_list = ECDHE+AESGCM ECDHE+AES DHE+AESGCM DHE+AES DES-CBC3-SHA

But is this safe?

ervee (Contributor) commented Feb 22, 2017

I care about security and think it's safe enough as long as you keep your openssl up to date as usual.
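Two forms of ssl_protocols appear in this thread: the reporter's "TLSv1 TLSv1.1 TLSv1.2" and the suggested "!SSLv2 !SSLv3". The example below (added here; not from the issue or from Dovecot) resolves a Dovecot ssl_protocols value to the set of protocols it actually enables and lints a 10-ssl.conf for the points a reviewer would ask about when answering "is this safe?". It assumes the protocol set an OpenSSL 1.0.x build of that era offered, and the sample config is a constructed excerpt in the style of the one pasted above.

```python
# Constructed excerpt in the style of the 10-ssl.conf pasted in this issue, using
# the settings from the final "It's working" state; not the reporter's real file.
WORKING_CONF = """\
ssl = required
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
#ssl_cipher_list = ECDHE+AESGCM ECDHE+AES DHE+AESGCM DHE+AES DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
"""

# Protocols an OpenSSL 1.0.x build of that era could offer (assumption; TLSv1.3
# did not exist yet). Dovecot's ssl_protocols enables the names listed, or, when
# only "!name" exclusions are given, everything in this set except those.
SUPPORTED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3"}


def parse_conf(text):
    """Parse 'key = value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def effective_protocols(value, supported=SUPPORTED):
    """Resolve a Dovecot ssl_protocols value to the set of enabled protocols."""
    tokens = value.split()
    enabled = {t for t in tokens if not t.startswith("!")}
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    return (enabled or set(supported)) - disabled


def lint_ssl_conf(text):
    """Return findings a reviewer would raise about a Dovecot 10-ssl.conf."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ssl") != "required":
        findings.append("ssl is not 'required': plaintext logins would be accepted")
    if "ssl_protocols" in conf:
        legacy = effective_protocols(conf["ssl_protocols"]) & LEGACY
        if legacy:
            findings.append("legacy protocol enabled: " + ", ".join(sorted(legacy)))
    ciphers = conf.get("ssl_cipher_list")
    if ciphers is None:
        findings.append("ssl_cipher_list unset: the Dovecot/OpenSSL default list "
                        "for this version applies; review it explicitly")
    elif "DES-CBC3" in ciphers or "3DES" in ciphers:
        findings.append("ssl_cipher_list includes 3DES (DES-CBC3-SHA), a 64-bit block cipher")
    return findings
```

Under the assumed protocol set, the two ssl_protocols forms in this thread resolve to the same three TLS versions, which is why both worked once the cipher list was commented out; the one finding left on the working config is that the cipher selection is now implicit.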

kdaye (Author) commented Feb 22, 2017

OK, thank you!

mojili commented Jul 29, 2017

I solved my problem by disabling all the settings for IPv6 in the NIC.

vim /etc/sysconfig/network-scripts/ifcfg-ethX ----> comment all IPv6 settings
systemctl restart network

This link was so helpful:
https://webinsider.pl/rainloop-webmail-gmail-timeout-ipv6/
