On 06/14/2015 05:27 AM, Paul Lesniewski wrote:
>>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>>>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
> Sorry, I'm short on time, but I think you may need to look at
> $imap_stream_options in config/config_local.php. Get a fresh copy of
> that file if you have an old one. You can use $imap_stream_options to
> point it to your CA if you are using self signed certs and you can
> also turn off verify_peer if you must.
>
> Note that logging in to SquirrelMail has nothing to do with Postfix.
> SquirrelMail only talks to Postfix when sending messages, although
> it's entirely possible you'd run into the same problem with that since
> a similar change was made for the SMTP side. For that, again, please
> see config/config_local.php and look for $smtp_stream_options
>
> Cheers,
> Paul
>

Paul,

I went through
https://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
and http://php.net/manual/en/context.ssl.php. I created a fresh config_local.php. I updated my ca-trust-bundle by including my mail certificate in /etc/ca-certificates/trust-source/anchors/ and ran 'update-ca-trust extract'. I tested with various logical 'cafile' settings and turning 'verify_peer' off. None made any difference.
Same error no matter what the configuration was:

Jun 14 18:01:10 phoinix postfix/smtpd[19156]: connect from phoinix.rlfpllc.com[127.0.0.1]
Jun 14 18:01:10 phoinix postfix/smtpd[19156]: lost connection after CONNECT from phoinix.rlfpllc.com[127.0.0.1]
Jun 14 18:01:10 phoinix postfix/smtpd[19156]: disconnect from phoinix.rlfpllc.com[127.0.0.1] commands=0/0
Jun 14 18:01:10 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>

As you can see from 'session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>' the session is started every time, but something goes south. The other question is why does dovecot report "no auth attempts in 0 secs", huh? I'm trying... but 'user=<>' must not qualify.

The frustrating point is that I cannot tell where the problem is, except for the fact that even though configured identically, the working versions use a login like:

'user=<david>, method=PLAIN'

The non-working attempts to use:

'user=<>, rip=::1, lip=::1, TLS handshaking'

In both instances squirrelmail is on the same box as the mail server with identical postfix/dovecot configs, so theoretically both should be using PLAIN even though the actual web connection is over https.

Complicating the issue are changes to the ca-certificates package over the past 6 months. However, that being so, somehow mozilla has no problem at all using the mail server from any remote location (using my same self-signed certificates), but squirrelmail can no longer connect to IMAP on the local machine.

I'm usually pretty good at sorting out squirrelmail issues, but this one has me chasing my tail in circles. When you get a break in your schedule, I could really use your help sorting this one out.
Since Archlinux is the most current distro (packages are generally released the exact same day as the upstream release), everyone else will generally experience this same issue whenever their distro moves to the version causing the issue.

I agree with you that postfix is likely not the culprit, since squirrelmail configtest.php reports no problem connecting to smtp:

Checking outgoing mail service....
SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)

I think you have nailed the issue as a 'ca' problem which makes sense with the error: 'tlsv1 alert unknown ca: SSL alert number 48'.

Let me know when you have a chance to look into this. I'm happy to do the digging.

--
David C. Rankin, J.D.,P.E.
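
Added example (not part of the original message, and not SquirrelMail or dovecot code): the OpenSSL error in the dovecot log line above can be unpacked to see which side of the handshake raised the alert. It assumes the OpenSSL 1.x error packing (8 bits library, 12 bits function, 12 bits reason); the function name and result fields are illustrative.

```python
import re

# Constructed sample: the dovecot line quoted in the message above.
SAMPLE = ("Jun 14 18:01:10 phoinix dovecot[469]: imap-login: Disconnected "
          "(no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS "
          "handshaking: SSL_accept() failed: error:14094418:SSL routines:"
          "ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, "
          "session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>")

# Certificate-related alert descriptions from RFC 5246, section 7.2.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for a received alert

# error:<8 hex digits>:<library>:<function>:<reason>[: SSL alert number N]
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]+):([^:]+)"
                    r"(?:: SSL alert number (\d+))?")

def decode_tls_error(line):
    """Unpack an OpenSSL 1.x error code from a log line (None if absent)."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    # Assumed OpenSSL 1.x packing: 8 bits library, 12 function, 12 reason.
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "func_name": m.group(2),
            "alert": None, "alert_name": None, "sent_by": None,
            "consistent": None}
    offset = info["reason"] - SSL_AD_REASON_OFFSET
    if info["lib"] == ERR_LIB_SSL and 0 < offset <= 255:
        # The logging process *read* this alert, so the remote side sent it.
        info["alert"], info["sent_by"] = offset, "peer"
        info["alert_name"] = CERT_ALERTS.get(offset, "alert_%d" % offset)
        # Cross-check against the number OpenSSL appended to the message.
        logged = m.group(4)
        info["consistent"] = logged is None or int(logged) == offset
    return info

if __name__ == "__main__":
    d = decode_tls_error(SAMPLE)
    print("%s: alert %d (%s) sent by %s" %
          (d["func_name"], d["alert"], d["alert_name"], d["sent_by"]))
```

For the logged line this decodes to alert 48 (unknown_ca) read by dovecot from its peer, i.e. the connecting IMAP client refused the issuer of the server certificate, so the trust settings to examine are the client's.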