liuch / dmarc-srg

A php parser, viewer and summary report generator for incoming DMARC reports.
GNU General Public License v3.0

TLS imap-login failed #51

Closed roburb closed 1 year ago

roburb commented 1 year ago

I would like to use a starttls connection to the maildir. The error message:

imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GqC79zvvFpp/AAAB>

Where should I start to correct the issue? Thank you

liuch commented 1 year ago

Hello roburb, First I would check the conf.php. It should look something like this:

$mailboxes = [
    'name'            => 'Dmarc-Rua',
    'host'            => '127.0.0.1',
    'encryption'      => 'starttls',
    'username'        => 'dmarc-rua@example.net',
    'password'        => 'your_password',
    'mailbox'         => 'INBOX',
    'novalidate-cert' => true, // because you are using 127.0.0.1 as host name.
];

Second I would check your mail server settings. Have you tried connecting your mailbox from a regular client using starttls? Successfully?

roburb commented 1 year ago

Thank you for your quick support. I have used your values for the config options. It is still the same. If I change encryption back to none, it works.

liuch commented 1 year ago

It looks like your mail server doesn't support starttls. Try using ssl instead.

roburb commented 1 year ago

I am quite sure the server supports tls, see other logs from imap.log:

imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2207000, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<hPUMTj7v4NJ/AAAB>

liuch commented 1 year ago

I didn't say that your server doesn't support tls, I said that your server might not support starttls. There are at least two popular methods to encrypt imap traffic: starttls and ssl/tls. They differ in the way the TLS session is initialized, and have different ports to connect to. I think the log you provided is related to connecting to port 993 and not 143 (default port for starttls).

liuch commented 1 year ago

I myself have not used starttls for a long time but I will check again a little later. Thank you.

roburb commented 1 year ago

Thank you for the tip. I have changed the config values:

encryption to SSL
host to full server name
novalidate-cert to false

and in the log is now:

Dec 7 16:47:47 ... dovecot[2252]: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2207579, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<BESU1z7vANp/AAAB>
Dec 7 16:47:47 ... dovecot[2252]: imap(dma...)<2207579><BESU1z7vANp/AAAB>: Disconnected: Logged out in=115 out=1056 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

So it looks like everything is working. The correct value for encryption is SSL

Thank you :-) 👍

liuch commented 1 year ago

I'm glad you made it. Good luck.
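Added example, not part of the thread or of dmarc-srg: a small triage script for the Dovecot `imap-login` lines quoted above. It separates TLS handshake rejections from logins and flags PLAIN logins that carried no TLS, which is what the `encryption` = none setup produces. The function names and the third sample line are constructed for illustration.

```python
import re

# Constructed sample: lines 1-2 are the Dovecot entries quoted in the thread;
# line 3 is a constructed plaintext login standing in for "encryption none".
SAMPLE_LOG = """\
imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GqC79zvvFpp/AAAB>
imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2207579, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<BESU1z7vANp/AAAB>
imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2206990, session=<constructed>
"""

SSL_FAIL = re.compile(
    r"SSL_accept\(\) failed: error:[0-9A-Fa-f]+:SSL routines:([^:]+):([^,(]+?)\s*[,(]")
TLS_INFO = re.compile(r", TLS, (TLSv[\d.]+) with cipher (\S+)")
FIELD = re.compile(r"\b(method|rip)=([^,\s]+)")


def classify(line):
    """Return a dict for an imap-login line, or None for any other line."""
    if "imap-login:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    fail = SSL_FAIL.search(line)
    if fail:
        # OpenSSL rejected the ClientHello before any IMAP authentication.
        return {"event": "tls_handshake_failed", "rip": fields.get("rip"),
                "openssl_func": fail[1], "reason": fail[2]}
    if "imap-login: Login:" in line:
        tls = TLS_INFO.search(line)
        return {"event": "login", "rip": fields.get("rip"),
                "method": fields.get("method"),
                "tls": tls[1] if tls else None,
                "cipher": tls[2] if tls else None}
    return None


def triage(log_text):
    """Return (events, findings); findings are the lines worth a second look."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    findings = []
    for e in events:
        if e["event"] == "tls_handshake_failed":
            findings.append(f"handshake rejected from {e['rip']}: {e['reason']}")
        elif e["tls"] is None and e["method"] == "PLAIN":
            findings.append(f"PLAIN login without TLS from {e['rip']}")
    return events, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]:
        print(finding)
```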