Let's Encrypt: How to set up RainLoop webmail with SSL/TLS?

I registered a Let's Encrypt CA certificate from https://gethttpsforfree.com/ and created the email server (postfix + dovecot + rainloop webmail), but when I use SSL IMAP,
rainloop shows this error:

stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The maillog error is:

Disconnected (no auth attempts in 0 secs): user=<>, rip=xx.xx, lip=xx.xx, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48

but when I use the Unibox app or the macOS email client, there is no error,

and I asked for help in rainloop issue #932.
RainLoop says:

RainLoop uses standard php functionality to work with ssl connections. So, you should setup ssl (let's encrypt ssl ca) somewhere in php.ini, I think.

The postfix settings are:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8,163.44.149.110
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name unkown
smtpd_client_restrictions = reject_rbl_client, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_rhsbl_sender, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender, permit
smtpd_tls_cert_file = /etc/ssl/certs/chained.pem
smtpd_tls_key_file = /etc/ssl/private/domain.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = lxh.tech
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_minimum_uid = 1001
virtual_uid_maps = static:5000

The dovecot settings are:

auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/virtual_passwd
driver = passwd-file
}
passdb {
driver = pam
}
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
}
ssl = required
ssl_cert = </etc/ssl/certs/chained.pem
ssl_key = </etc/ssl/private/domain.key
userdb {
driver = passwd
}
userdb {
args = uid=vmail gid=vmail home=/home/vmail/%d/%n
driver = static
}
userdb {
driver = passwd
}

Is there a PHP OpenSSL setting to support the Let's Encrypt CA?

I’d suspect that you haven’t got the correct chain files in your SSL setup.

Are you happy to provide the domain name?

The certificate chain for Postfix is correct:

Certificate chain
 0 s:/CN=isth.xyz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Assuming the IP address from $mynetworks is the correct one.

The same for Dovecot on port 993 (IMAPS) and 143 (IMAP + STARTTLS).

From [MiTM] Certificates are not validated? · Issue #332 · RainLoop/rainloop-webmail · GitHub, you probably need to set up the locations of the CA file to be trusted by specifying them in application.ini:

[ssl]
; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
cafile = ""
; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
capath = ""

I don't use rainloop, so can't test for certain for you.

Here too. Tried to install it, but for some reason, using the same password for the admin as set in the application.ini didn't work :angry: So I concluded Rainloop s*cks *ss and I deleted it.. :stuck_out_tongue:


The domains I registered are isth.xyz, www.isth.xyz and mail.isth.xyz, and IMAP & SMTP use mail.isth.xyz. With verify_certificate = Off in the rainloop application.ini there is no error and TLS works.
The maillog is:

imap-login: Login: user=< edward >, method=PLAIN, rip=163.44.149.110, lip=163.44.149.110, mpid=18063, TLS, session=<8ApxVNspLQCjLJVu>

and with verify_certificate = On
the maillog is:

imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=163.44.149.110, lip=163.44.149.110, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=< Wr0jX9spQwCjLJVu>

I don't know whether rainloop doesn't support this CA or I registered the CA wrongly :worried:

According to php.ini, PHP should be able to auto-detect the capath:

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.

But I checked my own PHP 5.6 with phpinfo() and searched for capath: it said “no value”. You could check your phpinfo() and if it also says “no value”, you could try to set it, just like @serverco said above. It probably depends on your Linux distribution what the value should be… On my Gentoo it’s /etc/ssl/certs/.
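To check this from the PHP side rather than through the webmail UI, here is an added diagnostic script (it is not part of this thread and not RainLoop's own code). It prints which CA locations the PHP OpenSSL extension sees, then makes the same stream_socket_client() call RainLoop makes for an IMAPS mailbox with peer verification enabled, so the "certificate verify failed" error can be reproduced, and the server's chain displayed on success. The host, port and CA bundle path are placeholders read from environment variables; openssl_get_cert_locations() and the OS trust-store auto-detection that php.ini describes above only exist from PHP 5.6 onwards, so on older builds an explicit cafile is required.

```php
<?php
// Added diagnostic, not RainLoop's code. Reproduces RainLoop's IMAPS connect
// with verification on, outside the webmail UI.
//
// Assumptions (placeholders, set via environment variables):
//   IMAP_HOST  your Dovecot host, e.g. mail.example.invalid
//   IMAP_PORT  993 for IMAPS
//   CA_FILE    optional CA bundle, e.g. /etc/ssl/certs/ca-certificates.crt
//              (Debian/Ubuntu) or /etc/pki/tls/certs/ca-bundle.crt (RHEL/CentOS)

// Render an issuer/subject array from openssl_x509_parse() in s_client's /C=.../O=... style.
function dn_to_string(array $dn)
{
    $out = '';
    foreach ($dn as $k => $v) {
        $out .= '/' . $k . '=' . (is_array($v) ? implode(',', $v) : $v);
    }
    return $out;
}

$host   = getenv('IMAP_HOST') ?: 'mail.example.invalid';   // placeholder
$port   = (int) (getenv('IMAP_PORT') ?: 993);
$cafile = getenv('CA_FILE') ?: '';

// 1. Which trust store does this PHP build use? openssl_get_cert_locations()
//    and OS-store detection arrived in PHP 5.6; PHP 5.4/5.5 need an explicit
//    openssl.cafile (php.ini) or cafile/capath stream option.
echo "PHP ", PHP_VERSION, " / ", OPENSSL_VERSION_TEXT, "\n";
if (function_exists('openssl_get_cert_locations')) {
    foreach (openssl_get_cert_locations() as $key => $value) {
        printf("  %-22s %s\n", $key, $value === '' ? '(empty)' : $value);
    }
}
printf("  %-22s %s\n", 'ini openssl.cafile', ini_get('openssl.cafile') ?: '(no value)');
printf("  %-22s %s\n", 'ini openssl.capath', ini_get('openssl.capath') ?: '(no value)');

// 2. Connect the way RainLoop does with verify_certificate = On, capturing the
//    chain the server presents so it can be displayed afterwards.
$ssl = array(
    'verify_peer'             => true,
    'verify_peer_name'        => true,
    'capture_peer_cert_chain' => true,
);
if ($cafile !== '') {
    $ssl['cafile'] = $cafile;   // same effect as [ssl] cafile in application.ini
}
$ctx  = stream_context_create(array('ssl' => $ssl));
$sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);

if ($sock === false) {
    // RainLoop's "SSL operation failed with code 1 ... certificate verify failed"
    // message is built from this same OpenSSL error queue.
    echo "Handshake FAILED: $errstr\n";
    while (($e = openssl_error_string()) !== false) {
        echo "  openssl: $e\n";
    }
    echo "Fix: point openssl.cafile (php.ini) or cafile (application.ini) at the OS CA bundle.\n";
    exit(1);
}

// 3. Success: print the chain as openssl s_client would, then the IMAP greeting.
$params = stream_context_get_params($ctx);
foreach ($params['options']['ssl']['peer_certificate_chain'] as $i => $cert) {
    $x = openssl_x509_parse($cert);
    printf("%2d s:%s\n   i:%s\n", $i, $x['name'], dn_to_string($x['issuer']));
}
echo trim(fgets($sock)), "\n";   // Dovecot's "* OK ..." greeting
fclose($sock);
```

Run it as `IMAP_HOST=mail.example.invalid php imaps-check.php` from the same PHP installation the web server uses (the CLI and the module may read different php.ini files). If it fails without CA_FILE but succeeds with CA_FILE set to the distribution bundle, the PHP build is not finding the OS trust store and the cafile needs to be configured in php.ini or in RainLoop's application.ini.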

Thanks for the help. CA verification is OK now. Before, I used PHP 5.4; I changed to version 5.6, which updated the OpenSSL extension, and it is running successfully.
