Cannot connect to Dovecot IMAP server with SSL #3709
Comments
@sergio91pt I was wondering if this could be in any way related to #2807 ? I don't know if this |
@pgorod I don't think so. When This loop that failed due to
Appears in the mail server as:
|
Ok, thanks. To be frank I don't really understand these configurations and protocols so I was just hoping there might be a connection, so we could make some progress on that other issue, which is creating problems for a lot of people and still doesn't have a full diagnosis. Thanks! |
|
@chris001 This should answer your questions.
$ssl = array(
    'ssl-both-on-secure' => '/ssl/tls/validate-cert/secure',
    'ssl-both-on' => '/ssl/tls/validate-cert',
    'ssl-cert-secure' => '/ssl/validate-cert/secure',
    'ssl-cert' => '/ssl/validate-cert',
    'ssl-tls-secure' => '/ssl/tls/secure',
    'ssl-tls' => '/ssl/tls',
    'ssl-both-off-secure' => '/ssl/notls/novalidate-cert/secure',
    'ssl-both-off' => '/ssl/notls/novalidate-cert',
    'ssl-nocert-secure' => '/ssl/novalidate-cert/secure',
    'ssl-nocert' => '/ssl/novalidate-cert',
    'ssl-notls-secure' => '/ssl/notls/secure',
    'ssl-notls' => '/ssl/notls',
    'ssl-secure' => '/ssl/secure',
    'ssl-none' => '/ssl',
);
While I don't know the difference between |
@chris001 Sorry, only realized I sent you the SMTP connection test instead of IMAP. I don't think dovecot has a server name configured (that's why I without thinking did a SMTP test).
|
@salesagility Another perfect example of poor/nonexistent/obscured error reporting by this app!
to add this one line after it, as shown:
and run your test again. |
@chris001 I should have mentioned that I used a debugger to inspect the $errors variable, so that's how I knew which error was the culprit. I reverted my fix (PR #3710) and added that log (still on hotfix - so not the same line):
On the mail server: (lip is actually the interface internal ip - no point in redacting that)
|
@sergio91pt |
@chris001 I can see various issues now:
Maybe we should split some of them into separate issues?
Tests for reference
$nonSsl = array(
    'both-secure' => '/notls/novalidate-cert/secure',
    'both' => '/notls/novalidate-cert',
    'nocert-secure' => '/novalidate-cert/secure',
    'nocert' => '/novalidate-cert',
    'notls-secure' => '/notls/secure',
    'secure' => '/secure', // for POP3 servers that force CRAM-MD5
    'notls' => '/notls',
    'none' => '', // try default nothing
);
$ssl = array(
    'ssl-both-on-secure' => '/ssl/tls/validate-cert/secure',
    'ssl-both-on' => '/ssl/tls/validate-cert',
    'ssl-cert-secure' => '/ssl/validate-cert/secure',
    'ssl-cert' => '/ssl/validate-cert',
    'ssl-tls-secure' => '/ssl/tls/secure',
    'ssl-tls' => '/ssl/tls',
    'ssl-both-off-secure' => '/ssl/notls/novalidate-cert/secure',
    'ssl-both-off' => '/ssl/notls/novalidate-cert',
    'ssl-nocert-secure' => '/ssl/novalidate-cert/secure',
    'ssl-nocert' => '/ssl/novalidate-cert',
    'ssl-notls-secure' => '/ssl/notls/secure',
    'ssl-notls' => '/ssl/notls',
    'ssl-secure' => '/ssl/secure',
    'ssl-none' => '/ssl',
);
Port 143 (STARTTLS only), SSL not selected
Port 143 (STARTTLS only), SSL selected on UI
Port 143 connection tests
Telnet connection
STARTTLS connection upgrade
|
I created a small script to test imap_open "specs". The big difference is that I'm using Tested it with my PC's php-cli (v5.5.9 - Ubuntu 14.04). Both Ubuntu 14.04 (php 5.5) and 16.04 (php 7.0) use the same IMAP c-Client Version (2007f). When I intentionally provide the wrong password I get:
Since the server only provides PLAIN and LOGIN authentication, when I use
If I do something stupid like use The changelog of the imap c-client library answers some questions:
IMAP connection test script
<?php
// Command-line only: refuse to run under a web SAPI.
if (PHP_SAPI !== 'cli') {
    die('cli only');
}
if ($argc < 5 || $argc > 6) {
    die("USAGE: php $argv[0] HOST PORT USERNAME PASSWORD [SPEC]\n");
}
$host = $argv[1];
$port = intval($argv[2]);
$username = $argv[3];
$password = $argv[4];
// Default spec when none is given: /ssl on port 993, /tls otherwise.
$spec = isset($argv[5]) ? $argv[5] : (($port === 993) ? '/ssl' : '/tls');
$params = array('DISABLE_AUTHENTICATOR' => '');
// Mailbox string in c-client form: {host:port/flags}INBOX
$mailbox = "{{$host}:{$port}{$spec}}INBOX";
$options = 0;

// Print every entry of an imap_errors()/imap_alerts() result, or "None" when it is not an array.
function printArray($array, $prefix)
{
    if (is_array($array)) {
        foreach ($array as $entry) {
            print "$prefix: $entry\n";
        }
    } else {
        print "$prefix: None\n";
    }
}

// Single attempt (retries = 0), then dump the c-client error and alert stacks.
$connection = imap_open($mailbox, $username, $password, $options, 0, $params);
printArray(imap_errors(), "ERR");
printArray(imap_alerts(), "Alert");
if ($connection !== FALSE) {
    imap_close($connection);
}
|
@sergio91pt - Sorry just to confirm where did you guys get to with debugging this? |
|
@samus-aran We've identified 5 issues related to the
Issue 1 (this issue)
Unable to connect to IMAP servers that only allow PLAIN and/or LOGIN authentication (and/or unsupported authentication methods like XOAUTH - probably).
Proposed solution:
Issue 2
Security issue: For Non SSL servers, plaintext connections are preferred over opportunistic STARTTLS
Proposed solution:
Issue 3
Proposed solution:
Issue 4
Each failed test attempts 3 connections in
Proposed solution:
Issue 5
For example, attempting an SSL connection test to a non-SSL server results in 30 TCP connections; it only needs 1 or 2 to return "invalid" (depending on the error message when connecting to a server that presents an invalid certificate). This issue may trigger the dovecot filter of fail2ban prior to v0.9.0. |
@sergio91pt here's a first-place medal for your diagnostic work 🥇 And... you know we're gonna need your help fixing this, don't you? :-) |
|
I like the idea of getting real email accounts, even though it sounds like a lot of work... but getting even just one email account to be actionable during our tests would greatly decrease risks when touching email code. I'm thinking of all the bugs of the past two weeks here... And getting a nice array of accounts like @chris001 suggests would be perfect for this particular Issue, and add a lot of extra security to the rest of our email challenges. For Gmail, Outlook, etc., it's just a matter of opening the accounts, I guess. But for the "top 10 Linux mail servers" I don't know where we could go. We'd have to know of free public services that use specific types of mail software... |
@pgorod Thanks. I do intend to help although time might be a problem. I still don't have my own instance in production and I should already be working on a different project @chris001 I haven't run the tests yet, only looked around. Does it already use a live account? |
@sergio91pt The test isn't using a live account right now, it never has! Someone should sign up for a free email account on gmail, yahoo, microsoft live. Once you have the mail account credentials, I'll show you how to safely add them to the tests. |
It's amazing to me that the inbound e-mail setup in SuiteCRM has a link to prefill the default setup information for a Gmail account but it's not working? I spent hours on this. I also lost time on setting up an inbound e-mail account with Koozali SME server (which uses Dovecot). And this while I don't even need inbound e-mail but I'm forced to configure one otherwise I can't send outbound e-mails (issue #3741). I finally got my setup working by configuring an IMAP account from a different provider. This should be high priority if you ask me. |
Is this issue on a roadmap to be fixed? I wanted to create an e-mail campaign but it seems I can't because the related domain email is on a server that SuiteCRM does not support. |
ALCON, Any updates on this issue; it is confounding me too. I'll settle for a workaround/one-off, and will commit to working the real fix in exchange. Thanks! Alan |
BTW, I can connect just fine with a gmail server, it's only the Dovecot that's not working (which unfortunately is the one I need to talk to!!) |
So I have had a small amount of success, which may be worth something. For my needs I've removed all of the ssl connection options (/ssl/verify-cert, /ssl/noverify-cert, etc) save the one I want, and I've adjusted the imap_open retry count from 0 to 1 and it seems to work for me. What still doesn't work is the selection of folders (which is really not a big deal to me, but definitely needs to be addressed in the "real" PR). Anyone, does this help at all? |
Oh, and I updated to the 7.10.5 version; that fixed a different permissions problem I was having elsewhere. |
Good day to all! There is Postfix + Dovecot mail server. Authorization by IMAP for login and password. Email clients connect and work. Jun 26 15:42:29 server dovecot: imap-login: Aborted login (client did not finish SASL auth, waited 0 secs): user = <>, method = GSSAPI, rip = YYYY, lip = XXXX, session = < 7 / 7K1Ipv / ADAqAAz> Tell me, please, how to change the authentication method in SuiteCRM !!! |
It looks like the problem with Dovecot happens when SuiteCRM tries to log in using an encrypted password ("/secure") to a server that supports only PLAIN passwords. Maybe it would be easier to add an "encrypt password" checkbox and only try with "/secure" if requested by the user? |
Issue
Cannot save an inbound email account when using an IMAPS Dovecot server, since folder selection is required but SuiteCRM does not properly connect to the server.
Upon further investigation, it was failing because findOptimumSettings (modules/InboundEmail/InboundEmail.php) was erroneously assuming the credentials were incorrect and stopping the loop early.
The test failed on the service=imap/ssl/validate-cert/secure test, with error [CLOSED] IMAP connection broken (server response), but succeeded on the service=imap/ssl/validate-cert test.
The dovecot server was running with:
Expected Behavior
Able to add dovecot imaps server. Clicking on select folder for Trash and Sent works. Test settings button works.
Actual Behavior
Unable to add inbound email account (personal/group/bounce). Test settings and select folder buttons do not work as expected.
In some cases it displayed a generic error, in others (tested in various panels and versions) it showed invalid credentials or similar (credentials were correct).
Possible Fix
Do not use [CLOSED] IMAP connection broken (server response) as invalid credentials, it may lead to false positives.
Steps to Reproduce
Your Environment
Mail Server Environment
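The probing behaviour this issue and the comments above argue for (a broken connection on a /secure attempt is not proof of bad credentials, /secure is tried only on request, and validated TLS comes before any plaintext fallback), as an added example that is not SuiteCRM's code. The names candidateSpecs and probe, the AUTHENTICATIONFAILED marker and the simulated PLAIN/LOGIN-only server are assumptions made for illustration; only the [CLOSED] error text is taken from the issue.

```php
<?php
// Added example (not SuiteCRM code): all function names here are hypothetical.
// Error text quoted in this issue; on its own it does not prove the password is wrong.
const BROKEN = '[CLOSED] IMAP connection broken (server response)';
// Assumed marker of an explicit server-side rejection (constructed sample value).
const AUTH_FAILED = 'AUTHENTICATIONFAILED';

// Candidate imap_open() flags, strictest transport first; plaintext (/notls) comes last.
// '/secure' variants are generated only on request, each followed by its plain form.
function candidateSpecs(bool $ssl, bool $trySecure, bool $allowDowngrade): array
{
    $base = $ssl
        ? ['/ssl/validate-cert', '/ssl/novalidate-cert']
        : ['/tls/validate-cert', '/tls/novalidate-cert', '/notls'];
    if (!$allowDowngrade) {
        $base = [$base[0]];
    }
    $specs = [];
    foreach ($base as $spec) {
        if ($trySecure) { $specs[] = $spec . '/secure'; }
        $specs[] = $spec;
    }
    return $specs;
}

// $connect(spec) returns a list of error strings; an empty list means success.
// Only an explicit rejection ends the loop early; any other error moves on to the next spec.
function probe(array $specs, callable $connect): array
{
    $tried = [];
    foreach ($specs as $spec) {
        $tried[] = $spec;
        $errors = $connect($spec);
        if ($errors === []) {
            return ['result' => 'ok', 'spec' => $spec, 'tried' => $tried];
        }
        foreach ($errors as $error) {
            if (stripos($error, AUTH_FAILED) !== false) {
                return ['result' => 'bad-credentials', 'spec' => null, 'tried' => $tried];
            }
        }
    }
    return ['result' => 'no-working-spec', 'spec' => null, 'tried' => $tried];
}

// Constructed stand-in for a PLAIN/LOGIN-only IMAPS server: '/secure' attempts break.
$plainOnly = fn(string $spec): array => strpos($spec, '/secure') !== false ? [BROKEN] : [];
print_r(probe(candidateSpecs(true, true, false), $plainOnly));
```

With downgrade disabled the probe makes two attempts and settles on /ssl/validate-cert, the same pair of outcomes reported in this issue; each spec is tried once, which also bounds the number of TCP connections a failed test can open.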