On 6/14/15, David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
> On 06/14/2015 05:27 AM, Paul Lesniewski wrote:
>>>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>> Sorry, I'm short on time, but I think you may need to look at
>> $imap_stream_options in config/config_local.php. Get a fresh copy of
>> that file if you have an old one. You can use $imap_stream_options to
>> point it to your CA if you are using self signed certs and you can
>> also turn off verify_peer if you must.
>>
>> Note that logging in to SquirrelMail has nothing to do with Postfix.
>> SquirrelMail only talks to Postfix when sending messages, although
>> it's entirely possible you'd run into the same problem with that since
>> a similar change was made for the SMTP side. For that, again, please
>> see config/config_local.php and look for $smtp_stream_options
>>
>> Cheers,
>> Paul
>>
>
> Paul,
>
> I went through
> https://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
> and http://php.net/manual/en/context.ssl.php. I created a fresh
> config_local.php. I updated my ca-trust-bundle by including my mail certificate
> in /etc/ca-certificates/trust-source/anchors/ and ran 'update-ca-trust extract'.
> I tested with various logical 'cafile' settings and turning 'verify_peer' off.
> None made any difference.
> Same error no matter what the configuration was:
>
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: connect from phoinix.rlfpllc.com[127.0.0.1]
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: lost connection after CONNECT from phoinix.rlfpllc.com[127.0.0.1]
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: disconnect from phoinix.rlfpllc.com[127.0.0.1] commands=0/0
> Jun 14 18:01:10 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>

Note that this is a dovecot log event. *Dovecot* is complaining about
the CA. Not SquirrelMail.

> As you can see from 'session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>' the session
> is started every time, but something goes south. The other question is why does
> dovecot report "no auth attempts in 0 secs", huh? I'm trying... but 'user=<>'
> must not qualify.

No process is going to be able to authenticate if the SSL handshake failed.

> The frustrating point is that I cannot tell where the problem is, except for
> the fact that even though configured identically, the working versions use a
> login like:
>
> 'user=<david>, method=PLAIN'
>
> The non-working attempts to use:
>
> 'user=<>, rip=::1, lip=::1, TLS handshaking'
>
> In both instances squirrelmail is on the same box as the mail server with

So why are you using TLS if the traffic never leaves the machine?

> identical postfix/dovecot configs, so theoretically both should be using PLAIN
> even though the actual web connection is over https.
>
> Complicating the issue are changes to the ca-certificates package over the
> past 6 months.
> However, that being so, somehow mozilla has no problem at all
> using the mail server from any remote location (using my same self-signed
> certificates), but squirrelmail can no longer connect to IMAP on the local
> machine.
>
> I'm usually pretty good at sorting out squirrelmail issues, but this one

It's not SquirrelMail per se. It's PHP and Dovecot and your SSL/TLS
settings for both.

> has me chasing my tail in circles. When you get a break in your schedule, I could
> really use your help sorting this one out. Since Archlinux is the most current
> distro (packages are generally released the exact same day as the upstream
> release), everyone else will generally experience this same issue whenever their
> distro moves to the version causing the issue.
>
> I agree with you that postfix is likely not the culprit, since squirrelmail
> configtest.php reports no problem connecting to smtp:

For testing with configtest.php, please update your snapshot or use this patch:

http://sourceforge.net/p/squirrelmail/code/14502/

> Checking outgoing mail service....
> SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>
> I think you have nailed the issue as a 'ca' problem which makes sense with
> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know when you
> have a chance to look into this. I'm happy to do the digging.
>
> --
> David C. Rankin, J.D.,P.E.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
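
Added example, not part of the thread and not SquirrelMail code: a standalone PHP script that opens the IMAP TLS connection with the same kind of SSL context array that $imap_stream_options holds, once with verification and once without, so a 'cafile' setting can be checked outside the webmail. Assumptions: Dovecot offers implicit TLS on localhost:993, the CA path is a placeholder, and try_tls() is a hypothetical helper name.

```php
<?php
// Added example, not SquirrelMail code. Assumptions: Dovecot offers implicit
// TLS on localhost:993; the CA path is a placeholder; try_tls() is a
// hypothetical helper name.
$host = 'localhost';
$port = 993;

// Same shape as $imap_stream_options: a PHP SSL stream-context array.
$strict = array('ssl' => array(
    'cafile'            => '/path/to/your-ca.pem', // placeholder
    'verify_peer'       => true,
    'verify_peer_name'  => true,   // PHP >= 5.6
    'peer_name'         => $host,  // must match a name in the certificate
    'capture_peer_cert' => true,
));
// Diagnostic only: no verification, used to read what the server presents.
$loose = array('ssl' => array(
    'verify_peer'       => false,
    'verify_peer_name'  => false,
    'capture_peer_cert' => true,
));

function try_tls($host, $port, array $options)
{
    $warnings = array();
    // Collect PHP's TLS warnings; they carry the OpenSSL failure reason.
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $ctx = stream_context_create($options);
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp === false) {
        return array('ok' => false, 'warnings' => $warnings);
    }
    $params = stream_context_get_params($fp);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    $greeting = trim((string) fgets($fp, 512)); // IMAP banner, e.g. "* OK ..."
    fclose($fp);
    return array('ok' => true, 'subject' => $cert['subject'],
                 'issuer' => $cert['issuer'], 'greeting' => $greeting);
}

foreach (array('verified' => $strict, 'unverified' => $loose) as $label => $opts) {
    echo "== $label ==\n";
    print_r(try_tls($host, $port, $opts));
}
```

If the verified run fails while the unverified run succeeds, connectivity is fine and the failure is in trust or name matching; the issuer printed by the unverified run names the CA that 'cafile' has to contain (for a self-signed certificate, issuer and subject are the same and the certificate itself goes in the file).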