Closed kouinkouin closed 2 years ago
Because the instance is on 127.0.0.1, can't you just disable TLS for local connections?
The webmail (SnappyMail) is on a different server than the mailserver :thinking: . Or you mean on the Postfix settings of the mailserver?
Ah, so Postfix is not on the same server as SnappyMail. That makes it harder then.
I could enable < TLS1.2 through application.ini setting.
Did not find it (grep -i tls .../application.ini returns nothing, even on a fresh application.ini). But indeed, I think that could solve my problem :-D .
logs of dovecot (mailserver side):
May 11 14:36:08 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL alert: where=0x4004, ret=552: fatal handshake failure [1.2.3.4]
May 11 14:36:08 imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [1.2.3.4]
(where 1.2.3.4 is the IP of SnappyMail.)
The fatal handshake failure seems to confirm the cipher/TLS version error.
Could you try the above change?
Building (release.php)... I'll tell you when I've tried!
When it doesn't, you could fiddle with this line 239: https://github.com/the-djmaze/snappymail/blob/5f788dfda70069f4c0971ccbb79d68eaa02a6dcd/snappymail/v/0.0.0/app/libraries/MailSo/Net/NetClient.php#L239
Like:
$crypto_method |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
or
$crypto_method |= STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
I tried with the 3 $crypto_method possibilities (and with a die(...) to verify the code was executed) and the result of stream_socket_enable_crypto() is false.
I will check which TLSvX my server talks...
By the way, with SSL/TLS on port 993, for the 3 possibilities of $crypto_method, the full JSON result is:
{
"Action":"AdminDomainTest",
"Result":{
"Imap":"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:141A318A:SSL routines:tls_process_ske_dhe:dh key too small",
"Smtp":"Cannot enable STARTTLS.",
"Sieve":true
},
"Time":52
}
edit: the "By the way" section is tested with SSL/TLS on port 993
From webmail server:
$ openssl s_client -starttls imap -connect mail.mailserver.be:143
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
verify return:1
depth=0 CN = *.mailserver.be
verify return:1
---
Certificate chain
0 s:CN = *.mailserver.be
i:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
1 s:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = *.mailserver.be
issuer=C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 5175 bytes and written 534 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: BD0995C596725268BC81932C838B86BA5A3643BE74D363E04B1343A70BA2F7E5
Session-ID-ctx:
Master-Key: 4F8C9232E82D30E1BEDC5BB642AD82A79A88BBF623871A0A1289E265E6B80A7487DD1F33EB3E072F454197CDC9713E6C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1652300235
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
. OK Pre-login capabilities listed, post-login capabilities have more.
^C
So, the mailserver seems to be able to talk TLSv1.2 on port 143 (or I have a wrong interpretation of the result, which is possible!)
It does talk TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384.
The problem is dh key too small and that is security_level.
Find in NetClient.php line:
// 'disable_compression' => true
replace with
// 'disable_compression' => true,
'security_level' => 1
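To see the failure described in this thread for yourself before and after the workaround, here is an added diagnostic script (not SnappyMail's own code) that opens an IMAP connection at a chosen OpenSSL security level, for both implicit TLS on 993 and STARTTLS on 143 as SnappyMail does with stream_socket_enable_crypto(). The hostname imap.example.net and the ports are placeholders you replace with your own server.

```php
<?php
// Added diagnostic, not SnappyMail's code: reproduce "dh key too small" at a
// chosen OpenSSL security level. imap.example.net and the ports are placeholders.
declare(strict_types=1);

function imapTlsProbe(string $host, int $port, int $level, bool $starttls): array
{
    // 'security_level' needs PHP >= 7.2 and OpenSSL >= 1.1.0. Level 2 (a common
    // distro default) rejects DH groups under 2048 bits; level 1 accepts 1024.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
        'security_level'   => $level,
    ]]);
    $scheme = $starttls ? 'tcp' : 'ssl';
    $fp = @stream_socket_client("{$scheme}://{$host}:{$port}", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // With '@', the OpenSSL detail ("dh key too small") is in error_get_last().
        return ['ok' => false, 'error' => error_get_last()['message'] ?? $errstr];
    }
    stream_set_timeout($fp, 10);
    if ($starttls) {
        fgets($fp);                                  // "* OK ..." greeting
        fwrite($fp, "a1 STARTTLS\r\n");
        $line = fgets($fp);
        if ($line === false || strncmp($line, 'a1 OK', 5) !== 0) {
            fclose($fp); return ['ok' => false, 'error' => 'STARTTLS refused: ' . trim((string)$line)];
        }
        // Same failure mode as SnappyMail's stream_socket_enable_crypto() returning false.
        if (@stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
            fclose($fp); return ['ok' => false, 'error' => error_get_last()['message'] ?? 'handshake failed'];
        }
    }
    $meta = stream_get_meta_data($fp)['crypto'] ?? [];
    fclose($fp);
    return ['ok' => true, 'protocol' => $meta['protocol'] ?? '?', 'cipher' => $meta['cipher_name'] ?? '?'];
}

// Compare the default level with the thread's workaround. Lowering the client
// level is a stopgap: the durable fix is regenerating the mail server's DH
// parameters with at least 2048 bits (openssl dhparam -out dh.pem 2048).
foreach ([[993, false], [143, true]] as [$port, $starttls]) {
    foreach ([2, 1] as $level) {
        $r = imapTlsProbe('imap.example.net', $port, $level, $starttls);
        printf("port %d level %d: %s\n", $port, $level, $r['ok'] ? "OK {$r['protocol']} {$r['cipher']}" : "FAIL {$r['error']}");
    }
}
```

If the level 2 attempts fail with the OpenSSL "dh key too small" message while level 1 succeeds, the server's ephemeral DH group is the cause, matching the "Server Temp Key: DH, 1024 bits" line in the openssl s_client output above.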
Nice! The SSL/TLS connection on port 993 works now! Idem for SMTP: using SSL/TLS on port 465 instead of STARTTLS on port 587 works.
STARTTLS is still always failing. Is it pertinent to solve it for (other) people who will have the issue, or do we close the issue by saying "Issue with STARTTLS? -> Use SSL/TLS!" ?
My bad... I rolled back your commit 5f788df and added only the 'security_level' => 1 (7e30cb9), and STARTTLS and TLS/SSL are working!
I've rearranged the connect code for future improvements.
Does v2.15.2 solve it?
Works!!!
A big "thank you! :heart: " for the great project "resurrect rainloop", but also for your reactivity!!!
Where is this file located? I use an Ubuntu virtual server.
@qubadoff this has changed.
Global setting in /data/_data_/_default_/configs/application.ini
[ssl]
; https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
security_level = 1
And domain settings in /data/_data_/_default_/domains/DOMAIN.TLD.json
"security_level": 1
I am still getting the error after modifying security_level to 1. Is anyone else facing the same issue?
Thank you
After changing to use the hostname instead of the IP, it works.
SnappyMail version, browser, browser version
Expected behavior and actual behavior
Similarly to #347, the IMAP (and not the SMTP) tab shows a "Cannot enable STARTTLS" error. The SnappyMail instance is on the same server (OVH dedicated server) as the Rainloop instance. For the same domain (on an old mailserver), Rainloop (and Thunderbird, Mail, ...) work but SnappyMail does not. For another domain (with a more recent mailserver), Rainloop and SnappyMail both work.
Context
I think the important point is the mail server. Not because an IP is blocked, but because the Postfix/* stack is old (Postfix 2.9.6-2 on Debian 7.8/wheezy) and the ciphers/algorithms used by OpenSSL are deprecated (and so support was removed from SnappyMail but not from Rainloop). (I should mention that the migration of this old mailserver is pending ;-) ).
-> The question is: how to find the security parameter(s) to update, on the mailserver side and/or the SnappyMail side, to get SnappyMail working?
Steps to reproduce the problem
Create a domain (/?admin#/domains) based on a (very) old mail server and setup IMAP with STARTTLS on port 143.
Logs or screenshots
:warning: Because the mailserver is an old dinosaur with probably many security issues, the real email/login has been replaced with "kouinkouin@domain.be" and the mailserver domain has been replaced with "mail.mailserver.be". Do not try to execute connection/DNS tests on these domains.