After upgrading to php-5.6 and openssl-1.0.1p I realized that I couldn't connect to the IMAP server via Roundcube anymore. The solution wasn't easy to find. Searching the logs wasn't really helpful too. First I immediately restarted apache with php-5.5 and downgraded openssl afterwards too. None of this was working.
The only error message was in the Roundcube logfile ( logs/errors ):
[date]: <16bq96e7> IMAP Error: Login failed for XX from <IPv4>. Unable to negotiate TLS in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)
Following this thread with variations of parameters of $config['imap_conn_options'] doesn't solve the problem neither. Seems that the ssl changes in php-5.6 are not the root cause. Instead smtp over TLS was still working well, but imap over TLS does not. I have to come back to this Roundcube issue later on,
As the error was “Unable to negotiate TLS …” I did
$ openssl s_client -starttls imap -connect imap.example.com:143 CONNECTED(00000003) depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com verify return:1 140049233454736:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366: --- Certificate chain ... <snip>
And what to see - it couldn't connect! See the error on line 8. I really hate this kind of openssl error messages, because I was never able to find an exact solution for such errors in the past. I figured out that the DH parameters is inside the imapd.pem file:
$ openssl dhparam -text -in /etc/courier/imapd.pem -noout PKCS#3 DH Parameters: (512 bit) prime: 00:eb:cf:23:c6:09:1b:dd:d8:c6:ed:c5:c9:49:ff: ... generator: 2 (0x2)
Ok, 512 bit seems to be to small. Remembering some thoughts about 1024 bit DH parameters during the last weeks.
This is a roadmap what I did with my system. Change it to your needs!
We need a stronger DH prime. This blogpost points me in the right direction. Create a file dhparams if not exists:
DH_BITS=2048 mkdhparams
Usually (in my case) it was created in /usr/share/ . Copy/move it into your courier config directory or create a symlink. Alternative you can replace the DH parameters in imapd.pem with the new value. Then the next step is not necessary, but be aware that it will be overwritten by a mkimapdcert .
I couldn't find any official documentation about it, but the parameter TLS_DHCERTFILE was replaced by TLS_DHPARAMS . Still in the config file (Courier IMAP 4.15) is the old one present only. Edit the config file imapd-ssl . Disable the TLS_DHCERTFILE parameter. Add
TLS_DHPARAMS="/etc/courier/dhparams.pem"
Restart the Courier IMAP server. And voila - the connection with openssl s_client … was successful. First issue solved, nevertheless
still doesn't work. So back to the Roundcube config file config/config.inc.php . After some try and error at least this was working for me:
$config['default_host'] = 'tls://imap.example.com'; $config['default_port'] = 143; $config['smtp_server'] = 'tls://smtp.example.com'; ... $config['imap_conn_options'] = array( 'ssl' => array( 'verify_peer_name' => true, 'verify_peer' => true, 'allow_self_signed' => true, 'peer_name' => 'imap.example.com', // 'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH', // 'capath' => '/etc/ssl/certs', // 'local_cert' => '/etc/courier/imapd.pem', // 'verify_depth' => '3'; ), );
The commented params above are still here as a reference. Please note that the webserver maybe does require a restart before the changes takes effect. Otherwise as I read, for smtp are no changes necessary.