On 16 December 2016 22:52, igor_123 wrote:
> Dear Paul,
>
> sorry to bring this [Solved] topic to surface again. After installing Fedora
> 25 (from scratch) I have the same problem ("unknown ca"). I have been using
> squirrelmail for many years with "localhost" as imap server name. This does
> not work anymore. Looking on the internet, I found this thread which is the
> most informative among all I found before. However, in my case David's
> recipe - to replace "localhost" by a fully qualified host name does not
> work...
>
> The package versions are:
>
> postfix-3.1.3-2.fc25.x86_64
> dovecot-2.2.26.0-1.fc25.x86_64
> php-7.0.14-1.fc25.x86_64
> squirrelmail-1.4.22-17.fc24.noarch
>
> The squirrelmail imap-related config page is:
>
> IMAP Settings
> --------------
> 4. IMAP Server : uranus.sai.msu.ru
> 5. IMAP Port : 993
> 6. Authentication type : login
> 7. Secure IMAP (TLS) : true
> 8. Server software : dovecot
> 9. Delimiter : detect
>
> B. Update SMTP Settings : localhost:25

Port 25?

> the configtest page of squirrelmail returns
>
> Checking IMAP service....
>
> ERROR: Error connecting to IMAP server "uranus.sai.msu.ru:993".Server
> error: (0)
>
> The relevant maillog lines are:
>
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: connect from localhost[::1]
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: lost connection after CONNECT
> from localhost[::1]
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: disconnect from localhost[::1]
> commands=0/0
> Dec 16 17:23:01 uranus dovecot: imap-login: Disconnected (no auth attempts
> in 0 secs):
> user=<>, rip=93.180.26.5, lip=93.180.26.5, TLS handshaking: SSL_accept()
> failed:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL
> alert number 48,
> session=<8mavTsdDQtldtBoF>
>
> The relevant config lines:
>
> postfix main.cf
>
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/postfix/smtpd.key
> smtpd_tls_cert_file = /etc/postfix/smtpd.cert
> smtpd_tls_CAfile = /etc/postfix/smtpd.cert
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s

If you're asking about TLS to IMAP, SMTP settings are not relevant.

> dovecot 10-ssl.conf:
>
> ssl_cert = </etc/postfix/smtpd.cert
> ssl_key = </etc/postfix/smtpd.key
> ssl_ca = </etc/postfix/smtpd.cert
>
> Printing out the contents of smtpd.cert confirms that CN=uranus.sai.msu.ru

But is the CA available (to SM) and known?

> To be able to check php ssl connection from command line, I added the line
> to php.ini:
>
> openssl.cafile= /etc/postfix/smtpd.cert
>
> After that, issuing the command (which is run from squirrelmail)
>
> echo
> 'fsockopen("tls://uranus.sai.msu.ru",993,$errno,$errmsg,15);'|php
> -a
>
> returns "Interactive shell" which is ok and means that PHP
> correctly identifies CA. Thunderbird also works flawlessly. It is only
> squirrelmail which is having the problem.

Thunderbird is presumably connecting from outside the host.

> Adding these lines to squirrelmail's config_local.php
>
> $imap_stream_options = array(
>     'ssl' => array(
>         'cafile' => '/etc/postfix/smtpd.cert',

That does not look like a CA cert path to me.

>         'verify_peer' => false,
>         'verify_depth' => 1,
>     ),
> );
>
> does not change anything.

Did you verify if those are being used in the code?

The solution might be as simple as using a 1.4.23-SVN snapshot from our downloads page. I'd try that before anything else.

> I understand that if squirrelmail and imap server are on the same host, I
> can safely use plain authentication. Still, I am wondering why the
> apparently correct setup with TLS does not work. Any advice?

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
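
Added example, not part of the thread and not SquirrelMail code: a stand-alone PHP check for the two questions raised in the reply above, namely whether the `cafile` is usable by the PHP process and whether a verified TLS handshake to the IMAP port succeeds with it. The script name, function names and command-line arguments are made up for this example.

```php
<?php
// Added diagnostic, not SquirrelMail code. All names here are hypothetical.
// Usage: php tlscheck.php <imap-host> <cafile> [port]
// Is the CA file readable by this process, and what certificate does it hold?
function check_cafile(string $cafile): array
{
    if (!is_readable($cafile)) {
        return ['ok' => false, 'why' => 'file is not readable by this process'];
    }
    $cert = openssl_x509_parse(file_get_contents($cafile));
    if ($cert === false) {
        return ['ok' => false, 'why' => 'no parsable X.509 certificate in file'];
    }
    return [
        'ok'          => true,
        'subject'     => $cert['name'],
        // A self-signed certificate names itself as issuer.
        'self_signed' => $cert['subject'] == $cert['issuer'],
        'expires'     => date('c', $cert['validTo_time_t']),
    ];
}

// Attempt a TLS connection with the given 'ssl' context options and collect
// PHP's warnings, which carry the OpenSSL reason when the handshake fails.
function try_handshake(string $host, int $port, array $sslOptions): array
{
    $ctx = stream_context_create(['ssl' => $sslOptions]);
    $warnings = [];
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("tls://$host:$port", $errno, $errstr, 15,
                               STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp === false) {
        return ['ok' => false, 'errstr' => $errstr, 'warnings' => $warnings];
    }
    $greeting = trim((string) fgets($fp, 512)); // IMAP servers greet first
    fclose($fp);
    return ['ok' => true, 'greeting' => $greeting];
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    print_r(check_cafile($argv[2]));
    print_r(try_handshake($argv[1], (int) ($argv[3] ?? 993), [
        'cafile' => $argv[2], 'verify_peer' => true, 'peer_name' => $argv[1],
    ]));
}
```

Run it under the account the web server uses for PHP, since a file that is readable from an interactive shell may not be readable there.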