Dear Paul,
Sorry to bring this [Solved] topic to the surface again. After installing Fedora
25 (from scratch) I have the same problem ("unknown ca"). I have been using
squirrelmail for many years with "localhost" as the imap server name. This does
not work anymore. Looking on the internet, I found this thread, which is the
most informative among all I found before. However, in my case David's
recipe - to replace "localhost" by a fully qualified host name - does not
work...
The package versions are:
postfix-3.1.3-2.fc25.x86_64
dovecot-2.2.26.0-1.fc25.x86_64
php-7.0.14-1.fc25.x86_64
squirrelmail-1.4.22-17.fc24.noarch
The squirrelmail imap-related config page is:
IMAP Settings
--------------
4. IMAP Server : uranus.sai.msu.ru
5. IMAP Port : 993
6. Authentication type : login
7. Secure IMAP (TLS) : true
8. Server software : dovecot
9. Delimiter : detect
B. Update SMTP Settings : localhost:25
The configtest page of squirrelmail returns
Checking IMAP service....
ERROR: Error connecting to IMAP server "uranus.sai.msu.ru:993".Server error: (0)
The relevant maillog lines are:
Dec 16 17:23:01 uranus postfix/smtpd[7867]: connect from localhost[::1]
Dec 16 17:23:01 uranus postfix/smtpd[7867]: lost connection after CONNECT from localhost[::1]
Dec 16 17:23:01 uranus postfix/smtpd[7867]: disconnect from localhost[::1] commands=0/0
Dec 16 17:23:01 uranus dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=93.180.26.5, lip=93.180.26.5, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<8mavTsdDQtldtBoF>
The relevant config lines:
postfix main.cf
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_CAfile = /etc/postfix/smtpd.cert
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
dovecot 10-ssl.conf:
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_ca = </etc/postfix/smtpd.cert
Printing out the contents of smtpd.cert confirms that CN=uranus.sai.msu.ru.
To be able to check the php ssl connection from the command line, I added the line
to php.ini:
openssl.cafile= /etc/postfix/smtpd.cert
After that, issuing the command (which is run from squirrelmail)
echo 'fsockopen("tls://uranus.sai.msu.ru",993,$errno,$errmsg,15);'|php -a
returns "Interactive shell", which is ok and means that PHP
correctly identifies the CA. Thunderbird also works flawlessly. It is only
squirrelmail which is having the problem.
Adding these lines to squirrelmail's config_local.php
$imap_stream_options = array(
    'ssl' => array(
        'cafile' => '/etc/postfix/smtpd.cert',
        'verify_peer' => false,
        'verify_depth' => 1,
    ),
);
does not change anything.
I understand that if squirrelmail and the imap server are on the same host, I
can safely use plain authentication. Still, I am wondering why the
apparently correct setup with TLS does not work. Any advice?
Thank you,
Igor
--
View this message in context:
http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-tp26087p26477.html
Sent from the squirrelmail-users mailing list archive at Nabble.com.
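
An added example (not part of the original message, nor SquirrelMail or dovecot code): a Python triage of the dovecot log line quoted in the post, showing which side raised the "unknown ca" alert. It assumes the packed error-code layout of OpenSSL before 3.0 (library, function and reason in one 32-bit value), where a reason of 1000 + N means TLS alert N was received from the peer; all function and variable names are hypothetical.

```python
import re

# Certificate-related alert numbers from RFC 5246, section 7.2.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 0x14          # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET

ERR_RE = re.compile(r"(SSL_\w+)\(\) failed:\s*error:([0-9A-Fa-f]{8}):")
RIP_RE = re.compile(r"\brip=([^,\s]+)")

def decode_openssl_error(code_hex):
    """Split a packed pre-3.0 error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(line):
    """Describe the TLS alert in a dovecot login line, or return None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m.group(2))
    if lib != ERR_LIB_SSL or reason < ALERT_REASON_OFFSET:
        return None  # not a TLS alert received from the peer
    alert = reason - ALERT_REASON_OFFSET
    rip = RIP_RE.search(line)
    return {
        "alert": alert,
        "name": CERT_ALERTS.get(alert, "other"),
        "sent_by": rip.group(1) if rip else None,
        # A certificate alert received during SSL_accept() means the client
        # refused the certificate that the server presented.
        "client_rejected_cert": m.group(1) == "SSL_accept" and alert in CERT_ALERTS,
    }

SAMPLE_LOG = [
    # The dovecot entry from the post, joined onto one line.
    "Dec 16 17:23:01 uranus dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=93.180.26.5, lip=93.180.26.5, TLS handshaking: SSL_accept() failed: "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48",
    # Constructed line: same format, different alert (42), documentation addresses.
    "Dec 16 17:30:00 host dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: "
    "error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42",
    # The postfix entry from the post: no TLS error, so it is skipped.
    "Dec 16 17:23:01 uranus postfix/smtpd[7867]: connect from localhost[::1]",
]
```

For the line from the post, `triage()` reports alert 48 (`unknown_ca`) sent by 93.180.26.5: the alert was received by dovecot from the connecting client, so the place to look is the trust settings of the client that opened that connection rather than dovecot's own certificate options.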