Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

On 6/13/15, David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
> On 06/13/2015 12:11 AM, David C. Rankin wrote:
>> On 06/12/2015 07:02 PM, David C. Rankin wrote:
>>> Paul,
>>>
>>>      After 1.5.2 update to svn 14501, I can no longer log in to
>>> squirrelmail. I
>>> have used the same squirrelmail setup for at least the last 6-8 years.
>>> The
>>
>> <snip>
>>
>>>      All operation through Thunderbird (sending/receiving) works fine with
>>> the new certificates, so the server isn't the issue -- it's squirrelmail.
>>> Attempted login via squirrelmail still fails:
>>>
>>> Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth
>>> attempts
>>> in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept()
>>> failed:
>>> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL
>>> alert
>>> number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB>
>>>
>>>      Strange? The error has changed from:
>>>
>>> TLS handshaking: SSL_accept() failed: error:14094415:SSL
>>> routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert
>>> number 45
>>>
>>>      to
>>>
>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

Sorry, I'm short on time, but I think you may need to look at
$imap_stream_options in config/config_local.php.  Get a fresh copy of
that file if you have an old one.  You can use $imap_stream_options to
point it to your CA if you are using self-signed certs and you can
also turn off verify_peer if you must.

Note that logging in to SquirrelMail has nothing to do with Postfix.
SquirrelMail only talks to Postfix when sending messages, although
it's entirely possible you'd run into the same problem with that since
a similar change was made for the SMTP side.  For that, again, please
see config/config_local.php and look for $smtp_stream_options.

Cheers,
Paul

>>>      So something in squirrelmail isn't handling the TLS handshaking:
>>> SSL_accept()
>>> quite like it used to.
>>>
>>
>> Paul,
>>
>>     I have a second site that is still at 1.5.2 svn rev 14405 that
>> continues to
>> work (same Archlinux setup - not quite as current). Looking at the log
>> entries
>> for a successful login with rev 14405, I see:
>>
>> Jun 12 23:41:07 nirvana dovecot: imap-login: Login: user=<david>,
>> method=PLAIN,
>> rip=::1, lip=::1, mpid=1359, TLS,
>> session=<yo9G1V4YvQAAAAAAAAAAAAAAAAAAAAAB>
>> Jun 12 23:41:07 nirvana dovecot: imap(david): Disconnected: Logged out
>> in=60 out=783
>> Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>,
>> method=PLAIN,
>> rip=::1, lip=::1, mpid=1361, TLS,
>> session=<NtpO1V4YvgAAAAAAAAAAAAAAAAAAAAAB>
>> Jun 12 23:41:08 nirvana dovecot: imap(david): Disconnected: Logged out
>> in=126
>> out=3025
>> Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>,
>> method=PLAIN,
>> rip=::1, lip=::1, mpid=1363, TLS,
>> session=<qn9U1V4YvwAAAAAAAAAAAAAAAAAAAAAB>
>> Jun 12 23:41:09 nirvana dovecot: imap(david): Disconnected: Logged out
>> in=340
>> out=24924
>>
>>     Comparing the failing login with rev 14501 and the working login with
>> rev 14405, the immediate difference is the use of
>>
>>     'user=<david>, method=PLAIN'
>>
>> instead of the
>>
>>     'user=<>, rip=::1, lip=::1, TLS handshaking'
>>
>>     I'm not sure what in squirrelmail controls what method the server uses,
>> but this seems to be the immediate cause behind the failed login with rev
>> 14501.
>>
>>     On the updated site, a successful dovecot login from thunderbird looks
>> like the following:
>>
>> Jun 12 20:05:01 phoinix dovecot[469]: imap-login: Login: user=<david>,
>> method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2609, TLS,
>> session=<wLVq0FsYMwDAqAcQ>
>> Jun 12 20:05:01 phoinix dovecot[469]: imap(david): Disconnected: Logged
>> out
>> in=39 out=751
>> Jun 12 20:05:03 phoinix dovecot[469]: imap-login: Login: user=<david>,
>> method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2615, TLS,
>> session=<ewaM0FsYNADAqAcQ>
>> Jun 12 20:05:03 phoinix dovecot[469]: imap(david): Disconnected: Logged
>> out
>> in=41 out=719
>>
>>     In both instances (successful login on old rev 14405) and login through
>> thunderbird on the updated server, since all services (postfix, dovecot,
>> etc.) are all running on the local machine, the login with method=PLAIN,
>> works fine, but whatever/however rev 14501 is attempting the login -- it is
>> failing.
>>
>>     Let me know how else I can help, what additional tests you need to see,
>> etc... and I'll be happy to run them for you and submit the results.
>>
>>     Thanks.
>>
>
> Paul,
>
>    This is now looking more like a problem squirrelmail is having with
> Postfix 3. All the installs I have, up to and including Postfix 2.9 work.
> However this latest Archlinux box has Postfix 3.
>
>    Specifically, the server on which I have 14405 has:
>
> postfix 2.9.3-3
>
>    The server with 14501 that is failing has:
>
> postfix 3.0.1-1
>
>    This can be seen with configtest.php results. All checks succeed until the
> 'Checking IMAP server' test which fails at line 740 of configtest.php:
>
> /** Can we open a connection? */
> $stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress,
> $imapPort,
>          $errorNumber, $errorString);
>
> Which I've compared with the test in rev 14405 and they are the same, so it
> isn't the test that is causing the failure, but rather something internal to
> squirrelmail handling Postfix 3.0/dovecot. Here is the full configtest
> output:
>
> SquirrelMail configtest
>
> This script will try to check some aspects of your SquirrelMail
> configuration
> and point you to errors whereever it can find them. You need to go run
> conf.pl
> in the config/ directory first before you run this script.
>
> SquirrelMail version:	1.5.2 [SVN]
> Config file version:	1.5.0
> Config file last modified:	13 June 2015 23:31:25
>
> Checking PHP configuration...
>      PHP version 5.6.9 OK. (You have: 5.6.9. Minimum: 4.1.0)
>      Running as N/A(N/A) / N/A(N/A)
>      display_errors: (overridden with 1 for this page only)
>      error_reporting: 22527 (overridden with 32767 for this page only)
>      variables_order OK: GPCS.
>      PHP extensions OK. Dynamic loading is disabled.
>
>      WARNING: You have configured PHP not to allow short tags
> (short_open_tag=off). This shouldn't be a problem with SquirrelMail or any
> plugin coded coded according to the SquirrelMail Coding Guidelines, but if
> you
> experience problems with PHP code being displayed in some of the pages and
> changing setting to "on" solves the problem, please file a bug report
> against
> the failing plugin. The correct contact information is most likely to be
> found
> in the plugin documentation.
> Checking paths...
>      Data dir OK.
>      Attachment dir OK.
> Checking plugins...
>      Plugin versions...
>          squirrelspell 0.5
>          calendar ??
>      Plugins OK.
>      Themes OK.
>      Default language OK.
>      Base URL detected as: http://www.*******.com:443/squirrelmail/src
> (location
> base autodetected)
> Checking outgoing mail service....
>      SMTP server OK (220 myhost.*******.com ESMTP Postfix)
> Checking IMAP service....
> Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error
> messages:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
> failed in /srv/http/htdocs/squirrelmail/src/configtest.php on line 740
> Warning:
> fsockopen(): Failed to enable crypto in
> /srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning:
> fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
> /srv/http/htdocs/squirrelmail/src/configtest.php on line 740
>
>      FATAL ERROR: Error connecting to IMAP server "localhost:993".Server
> error: (0)
>
>    I tarred and moved the working rev 14405 to the new server, (checked diff
> between the config.php files and they were the same for all practical
> purposes). Updated the config for the site and ran configtest.php. Exact same
> error (except the line number is 739 on rev 14405):
>
> Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error
> messages:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
> failed in /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739
> Warning: fsockopen(): Failed to enable crypto in
> /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739 Warning:
> fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
> /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739
>
>    What does this tell us? It tells us the problem is a change to either the
> imap server, TLS or PHP that squirrelmail isn't handling properly. That's the
> only thing that makes sense. If it were a change in squirrelmail, the moving
> 14405 over to the new server would have produced a working install. Instead
> 14405 experiences the same failure that 14501 does. That points directly to an
> update most likely in postfix (2x -> 3x) causing the issue.
>
>    In summary the working install has
>
> postfix 2.9.3-3
> dovecot 2.1.8-2
>
>    The failures are occurring with:
>
> postfix 3.0.1-1
> dovecot 2.2.18-1
>
>    Between the two, the most significant API changes that are likely at issue
> are those in the move from postfix 2.9.3-3 ->  postfix 3.0.1-1.
>
>    Let me know if I can send anything else.
>

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
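
The connection that fails in configtest.php, repeated with explicit TLS options, as an added example that is not SquirrelMail code and not part of the original message. It assumes $imap_stream_options takes a PHP stream-context array shaped like the cases below (check the comments in a fresh config/config_local.php); the CA path and certificate name are placeholders.

```php
<?php
// Added diagnostic, not SquirrelMail code. Run from the CLI on the mail host.
// Host and port come from the thread; $cafile and $peerName are placeholders.
$host     = 'localhost';
$port     = 993;
$cafile   = '/path/to/your-ca.pem';   // placeholder: CA that signed the Dovecot cert
$peerName = 'mail.example.org';       // placeholder: name inside the certificate

// Open tls://host:port with the given 'ssl' context options and report the result.
function try_tls($host, $port, array $ssl)
{
    $warnings = array();
    set_error_handler(function ($no, $str) use (&$warnings) {
        $warnings[] = $str;           // collect every warning the connect raises
        return true;
    });
    $ctx = stream_context_create(array('ssl' => $ssl));
    $fp  = stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp === false) {
        return "FAILED\n    " . implode("\n    ", $warnings);
    }
    $greeting = rtrim((string) fgets($fp, 1024));   // IMAP "* OK ..." banner
    fclose($fp);
    return "OK: $greeting";
}

$cases = array(
    // PHP >= 5.6 verifies the peer by default, against the system CA store.
    'PHP defaults' => array(),
    // Trust a specific CA and state which name the certificate must carry.
    'own CA file' => array(
        'cafile'      => $cafile,
        'verify_peer' => true,
        'peer_name'   => $peerName,
    ),
    // No verification: only shows whether verification is the sole failure.
    // Left in a config, this accepts a spoofed server certificate.
    'verification off' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);

foreach ($cases as $label => $ssl) {
    echo str_pad($label, 18), try_tls($host, $port, $ssl), "\n";
}
```

If "PHP defaults" fails while "own CA file" succeeds, the array from the second case is the one to carry over to the IMAP (and, for sending, SMTP) stream options.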


