SMTP connection fails #237

Open
Has-X opened this issue Dec 17, 2023 · 1 comment

Has-X commented Dec 17, 2023

I cannot send an email through SMTP no matter what I do. I tested with other mail clients and it works, except for Roundcube docker.

My docker log:

errors: <9ea8998e> PHP Error: STARTTLS failed (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)
errors: <9ea8998e> PHP Error: Invalid response code received from server (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)
errors: <9ea8998e> SMTP Error: STARTTLS failed: 2.0.0 Ready to start TLS (Code: 220) in /var/www/html/program/lib/Roundcube/rcube.php on line 1794 (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)

My postfix log:

Dec 17 17:30:49 mail.rokal.es postfix/smtpd[9891]: connect from ip51.ip-87-98-146.eu[87.98.146.51]
Dec 17 17:30:50 mail.rokal.es postfix/smtpd[9891]: lost connection after STARTTLS from ip51.ip-87-98-146.eu[87.98.146.51]
Dec 17 17:30:50 mail.rokal.es postfix/smtpd[9891]: disconnect from ip51.ip-87-98-146.eu[87.98.146.51]


fager commented Jan 17, 2024

I have the same problem with my installation.

Connections (imap and smtp) without tls work but as soon as I activate tls I get these error messages.

My Postfix and Dovecot have certificates from Let's Encrypt. Both certificate chains don't seem to be present in the Docker image.

Test:

docker exec -it <container-name> bash
curl -v https://<FQDN-of-some-Lets-Encrypt-Website>/
...
curl: (60) SSL certificate problem: unable to get local issuer certificate
...

I created my own container image in which I added the Let's Encrypt certificate chain to /usr/local/share/ca-certificates/ and updated the CA files with "RUN update-ca-certificates".

Afterwards I can successfully validate the server certificate using curl.

PHP can now apparently validate the certificate with the PHP default config.

Test:

php -r "print(file_get_contents('https://<FQDN-of-some-Lets-Encrypt-Website>'));"

But Roundcube still cannot validate the Let's Encrypt certificate during imap or smtp connections with tls.

I then converted my configuration to the advanced configuration and set the options "smtp_conn_options" and "imap_conn_options" to point to /etc/ssl/certs/ca-certificates.crt.

$config['imap_conn_options'] = [
    'ssl' => [
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/ssl/certs/ca-certificates.crt',
    ],
];
$config['smtp_conn_options'] = [
    'ssl' => [
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/ssl/certs/ca-certificates.crt',
    ],
];

With this configuration, SMTP and IMAP are both TLS protected and working.

It would be nice to extend the Entrypoint script so that it updates the CA chain if, for example, a directory with additional CA certificates is mounted under /certs/. And an adapted *_conn_options configuration could be included in the container image, which points to the correct ca_file.
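
The entrypoint extension proposed in the comment above, sketched as an added example (not part of the original comment and not the Roundcube image's own entrypoint code). It assumes a Debian-based image that ships `update-ca-certificates`, uses the `/certs` mount point suggested above, and introduces a hypothetical `CA_UPDATE_CMD` override for dry runs.

```shell
#!/bin/sh
# Added example: import extra CA certificates from a mounted directory into
# the system trust store, so peer verification can stay enabled.
# Anything placed in the source directory becomes a trusted root for the
# whole container, so mount it read-only from a source you control.

# import_extra_cas SRC_DIR DEST_DIR
# Copies PEM certificate files (*.crt, *.pem) from SRC_DIR into DEST_DIR as
# <name>.crt, rebuilds the CA bundle, and prints the number of files imported.
import_extra_cas() {
    src=$1
    dest=$2
    count=0
    # No mounted directory: nothing to do, leave the trust store untouched.
    [ -d "$src" ] || { echo 0; return 0; }
    mkdir -p "$dest"
    for f in "$src"/*.crt "$src"/*.pem; do
        # Skip unmatched globs and anything that is not a regular file.
        [ -f "$f" ] || continue
        # Accept only files that carry a PEM certificate ...
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        # ... and never copy private key material into a world-readable store.
        if grep -q -e 'PRIVATE KEY-----' "$f"; then
            echo "skipping $f: contains a private key" >&2
            continue
        fi
        name=$(basename "$f")
        name=${name%.*}
        # update-ca-certificates only picks up files ending in .crt
        cp -- "$f" "$dest/$name.crt"
        chmod 0644 "$dest/$name.crt"
        count=$((count + 1))
    done
    if [ "$count" -gt 0 ]; then
        # CA_UPDATE_CMD is a hypothetical override; the default is the real tool.
        ${CA_UPDATE_CMD:-update-ca-certificates} >&2 || return 1
    fi
    echo "$count"
}

# Entrypoint usage, before the web server starts:
#   import_extra_cas /certs /usr/local/share/ca-certificates
```

The rebuilt bundle is `/etc/ssl/certs/ca-certificates.crt`, the file the `cafile` entries in the configuration above point to.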
