Sieve: Can't connect from a webmail client but openssl connect succeeds #332

jayknyn · 2024-04-12T04:24:58Z

jayknyn
Apr 12, 2024

Mauro, congrats on the v0.7.0 release! Besides the awesome UI, having all the config in one file is highly appreciated 😄

I'm struggling to get Managesieve working with Roundcube.

I've set up Stalwart-mail v0.7.0 in Docker with Postgres as the default store, proxied behind Traefik with Proxy Protocol 2. TLS certs have been extracted from Traefik's ACME store and placed in the Stalwart container. Implicit TLS for port 465 and 993 works as expected from Roundcube and other mail clients.

For sieve, I can successfully connect via TLS with openssl from another server but in Roundcube, whenever I go to the Filters tab, it times out with an error stating unable to connect. This same Roundcube instance can successfully connect to another mailserver with sieve via TLS. So that tells me that Roundcube's config is fine and it's something to do with my Stalwart config.

Do you have any ideas or suggestions on how to resolve this? And with logging set to trace, I don't see any sieve-related logs.

Relevant config:

Stalwart-mail docker-compose.yml

version: '3.7'

networks:
ingress:
  external: true

default:
  internal: true
  name: stalwart

services:
stalwart:
  container_name: ${SERVICE_NAME}-mail
  image: stalwartlabs/mail-server:${SERVICE_VERSION} # arm and x86
  depends_on:
    db:
      condition: service_healthy
  env_file: .env
  networks:
    ingress:
      ipv4_address: '172.18.0.20'
    default:
  security_opt: [no-new-privileges:true]
  restart: unless-stopped
  # healthcheck:
  labels:
    - traefik.enable=true
    # admin ui
    - traefik.http.routers.stalwart.rule=Host(`${DOMAIN}`)
    - traefik.http.routers.stalwart.entrypoints=websecure
    - traefik.http.routers.stalwart.tls.certresolver=le
    - traefik.http.routers.stalwart.service=stalwart
    - traefik.http.services.stalwart.loadbalancer.server.port=8080
    # jmap
    - traefik.tcp.routers.jmap.rule=HostSNI(`*`)
    - traefik.tcp.routers.jmap.entrypoints=websecure
    - traefik.tcp.routers.jmap.tls.passthrough=true
    - traefik.tcp.routers.jmap.service=jmap
    - traefik.tcp.services.jmap.loadbalancer.server.port=443
    - traefik.tcp.services.jmap.loadbalancer.proxyProtocol.version=2
    # smtp
    - traefik.tcp.routers.smtp.rule=HostSNI(`*`)
    - traefik.tcp.routers.smtp.entrypoints=smtp
    - traefik.tcp.routers.smtp.service=smtp
    - traefik.tcp.services.smtp.loadbalancer.server.port=25
    - traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=2
    # esmtp
    - traefik.tcp.routers.esmtp.rule=HostSNI(`*`)
    - traefik.tcp.routers.esmtp.entrypoints=esmtp
    - traefik.tcp.routers.esmtp.tls.passthrough=true
    - traefik.tcp.routers.esmtp.service=esmtp
    - traefik.tcp.services.esmtp.loadbalancer.server.port=465
    - traefik.tcp.services.esmtp.loadbalancer.proxyProtocol.version=2
    # imap
    - traefik.tcp.routers.imap.rule=HostSNI(`*`)
    - traefik.tcp.routers.imap.entrypoints=imap
    - traefik.tcp.routers.imap.tls.passthrough=true
    - traefik.tcp.routers.imap.service=imap
    - traefik.tcp.services.imap.loadbalancer.server.port=993
    - traefik.tcp.services.imap.loadbalancer.proxyProtocol.version=2
    # sieve
    - traefik.tcp.routers.sieve.rule=HostSNI(`*`)
    - traefik.tcp.routers.sieve.entrypoints=sieve
    - traefik.tcp.routers.sieve.tls.passthrough=true
    - traefik.tcp.routers.sieve.service=sieve
    - traefik.tcp.services.sieve.loadbalancer.server.port=4190
    - traefik.tcp.services.sieve.loadbalancer.proxyProtocol.version=2
  volumes:
    - ./data:/opt/stalwart-mail
  logging:
    driver: 'json-file'
    options:
      max-size: '200k'
      max-file: '10'
  # ports:
  #   - '25:25'
  #   - '443:443'
  #   - '465:465'
  #   # - "587:587" # not using
  #   - '993:993'
  #   - '4190:4190'
  #   - '8080:8080' # admin ui

db:
  container_name: ${SERVICE_NAME}-db
  image: postgres:${DB_VERSION}
  environment:
    - POSTGRES_DB=${DB_NAME}
    - POSTGRES_USER=${DB_USER}
    - POSTGRES_PASSWORD=${DB_PASSWORD}
    - TZ
  networks: [default]
  restart: unless-stopped
  healthcheck:
    test: ['CMD', 'pg_isready', '-q', '-d', '${DB_NAME}', '-U', '${DB_USER}']
    timeout: 45s
    interval: 10s
    retries: 10
  volumes: [./db:/var/lib/postgresql/data]

Stalwart-mail etc/config.toml

authentication.fallback-admin.secret = "SECRET"
authentication.fallback-admin.user = "admin"
certificate.traefik.cert = "%{file:/opt/stalwart-mail/certs/mail.domain.tld.crt}%"
certificate.traefik.private-key = "%{file:/opt/stalwart-mail/certs/mail.domain.tld.key}%"
certificate.traefik.default = true
cluster.node-id = 1
directory.postgres.cache.entries = 500
directory.postgres.cache.ttl.negative = "10m"
directory.postgres.cache.ttl.positive = "1h"
directory.postgres.columns.class = "type"
directory.postgres.columns.email = "address"
directory.postgres.columns.description = "description"
directory.postgres.columns.name = "name"
directory.postgres.columns.quota = "quota"
directory.postgres.columns.secret = "secret"
directory.postgres.store = "postgres"
directory.postgres.type = "sql"
lookup.default.hostname = "mail.domain.tld"
server.http.permissive-cors = false
server.http.url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port"
server.http.use-x-forwarded = false
server.listener.http.bind = "[::]:8080"
server.listener.http.protocol = "http"
server.listener.https.bind = "[::]:443"
server.listener.https.protocol = "http"
server.listener.https.tls.implicit = true
server.listener.imaptls.bind = "[::]:993"
server.listener.imaptls.protocol = "imap"
server.listener.imaptls.tls.implicit = true
server.listener.sieve.bind = "[::]:4190"
server.listener.sieve.protocol = "managesieve"
server.listener.sieve.tls.implicit = true
server.listener.smtp.bind = "[::]:25"
server.listener.smtp.protocol = "smtp"
server.listener.submission.bind = "[::]:587"
server.listener.submission.protocol = "smtp"
server.listener.submissions.bind = "[::]:465"
server.listener.submissions.protocol = "smtp"
server.listener.submissions.tls.implicit = true
server.max-connections = 8192
server.proxy.trusted-networks = "172.18.0.0/16"
server.socket.backlog = 1024
server.socket.nodelay = true
server.socket.reuse-addr = true
server.socket.reuse-port = true
server.tls.certificate = "traefik"
server.tls.enable = true
storage.blob = "r2"
storage.data = "postgres"
storage.directory = "postgres"
storage.encryption.enable = true
storage.encryption.append = false
storage.fts = "postgres"
storage.lookup = "postgres"
store.postgres.compression = "lz4"
store.postgres.database = "stalwart"
store.postgres.host = "db"
store.postgres.password = "SECRET"
store.postgres.pool.max-connections = 10
store.postgres.port = 5432
store.postgres.purge.frequency = "0 3 *"
store.postgres.query.domains = "SELECT 1 FROM emails WHERE address LIKE '%@' || $1 LIMIT 1"
store.postgres.query.emails = "SELECT address FROM emails WHERE name = $1 AND type != 'list' ORDER BY type DESC, address ASC"
store.postgres.query.expand = "SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = $1 AND l.type = 'list' ORDER BY p.address LIMIT 50"
store.postgres.query.members = "SELECT member_of FROM group_members WHERE name = $1"
store.postgres.query.name = "SELECT name, type, secret, description, quota FROM accounts WHERE name = $1 AND active = true"
store.postgres.query.recipients = "SELECT name FROM emails WHERE address = $1 ORDER BY name ASC"
store.postgres.query.verify = "SELECT address FROM emails WHERE address LIKE '%' || $1 || '%' AND type = 'primary' ORDER BY address LIMIT 5"
store.postgres.timeout = "15s"
store.postgres.tls.allow-invalid-certs = false
store.postgres.tls.enable = false
store.postgres.type = "postgresql"
store.postgres.user = "stalwart"
store.r2.access-key = "SECRET"
store.r2.bucket = "stalwart"
store.r2.endpoint = "https://SECRET.r2.cloudflarestorage.com"
store.r2.purge.frequency = "0 3 *"
store.r2.region = "auto"
store.r2.secret-key = "SECRET"
store.r2.timeout = "15s"
store.r2.type = "s3"
tracer.stdout.ansi = true
tracer.stdout.enable = true
tracer.stdout.level = "debug"
tracer.stdout.type = "stdout"

Traefik docker-compose.yml

version: '3.7'

networks:
# docker network create ingress --subnet "172.18.0.0/24" --gateway "172.18.0.1"
ingress:
  external: true
default:
  internal: true
  name: traefik

services:
traefik:
  container_name: traefik
  image: traefik:${TRAEFIK_VERSION}
  depends_on: [dockerproxy, watchtower]
  networks:
    ingress:
      ipv4_address: '172.18.0.10'
    default:
  security_opt: [no-new-privileges:true]
  ports:
    - '80:80'
    - '443:443'
    # Ports for MailServer
    - '25:25' # SMTP receiving, explicit TLS
    - '465:465' # ESMTP submission, implicit TLS
    - '993:993' # IMAP4 secure, implicit TLS
    - '4190:4190' # sieve
  restart: always
  command:
    - --log.level=DEBUG # DEBUG, PANIC, FATAL, ERROR, WARN, INFO
    - --global.checknewversion=false
    - --global.sendAnonymousUsage=false
    # Activate dashboard
    - --api=true
    # Activate /ping healthcheck endpoint
    - --ping=true
    - --ping.manualRouting=true
    - --ping.entrypoint=websecure
    # Activate docker provider, but do not expose every container to traefik
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --providers.docker.endpoint=tcp://dockerproxy:2375
    - --providers.docker.network=ingress
    # HTTPS entrypoints and redirect
    - --entrypoints.webinsecure.address=:80
    - --entrypoints.webinsecure.http.redirections.entrypoint.to=websecure
    - --entrypoints.webinsecure.http.redirections.entrypoint.scheme=https
    - --entrypoints.websecure.address=:443
    # TCP entrypoints for MailServer
    - --entrypoints.smtp.address=:25
    - --entrypoints.esmtp.address=:465
    - --entrypoints.imap.address=:993
    - --entrypoints.sieve.address=:4190
    # DNS Challenge with Cloudflare 
    - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
    - --certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,9.9.9.9:53
    - --certificatesresolvers.le.acme.email=${LETS_ENCRYPT_EMAIL}
    - --certificatesresolvers.le.acme.storage=/certs/acme.json
    # Let's Encrypt Staging Server, start with staging then switch to prod server
    #- --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    # Let's Encrypt Production Server
    - --certificatesResolvers.le.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
  environment:
    - CLOUDFLARE_DNS_API_TOKEN
  labels:
    - com.centurylinklabs.watchtower.enable=true
    - traefik.enable=true
    # Traefik Dashboard available at $DASHBOARD_DOMAIN/dashboard/ (trailing slash required)
    - traefik.http.routers.dashboard.rule=Host(`${DASHBOARD_DOMAIN}`)
    - traefik.http.routers.dashboard.entrypoints=websecure
    - traefik.http.routers.dashboard.tls.certresolver=le
    - traefik.http.routers.dashboard.service=api@internal
    # - traefik.http.routers.dashboard.middlewares=secure-headers@file
    - traefik.http.routers.dashboard.middlewares=dashboard-auth
    - traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/.env.users
    # Routers for /ping healthcheck endpoint
    - traefik.http.routers.ping.rule=Host(`${DASHBOARD_DOMAIN}`) && Path(`/ping`)
    - traefik.http.routers.ping.entrypoints=websecure
    - traefik.http.routers.ping.tls.certresolver=le
    - traefik.http.routers.ping.service=ping@internal
  volumes:
    - ./certs:/certs
    - ./.env.users:/.env.users:ro # add user:hashed-password to .env.users

dockerproxy:
  container_name: traefik-dockerproxy
  image: ghcr.io/tecnativa/docker-socket-proxy:${DOCKER_SOCKET_PROXY_VERSION}
  depends_on: [watchtower]
  environment:
    CONTAINERS: 1
  networks: [default]
  ports: [2375]
  restart: always
  labels:
    - com.centurylinklabs.watchtower.enable=true
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro

watchtower:
  container_name: traefik-watchtower
  image: containrrr/watchtower:${WATCHTOWER_VERSION}
  command: --label-enable --cleanup --interval 86400
  network_mode: none
  restart: always
  labels:
    - com.centurylinklabs.watchtower.enable=true
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock

Roundcube's customconfig.php

<?php
$config['product_name'] = 'My Webmail';
$config['plugins'] = ['managesieve'];
// %h - user's IMAP hostname
$config['imap_host'] = ['ssl://mail.domain.tld'];
$config['managesieve_host'] = 'tls://%h'; # prefex tls:// in v1.6.6

Successful connection with openssl to sieve with TLS from another server:

$ openssl s_client -crlf -connect mail.domain.tld:4190
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.domain.tld
verify return:1

---
SSL handshake has read 3661 bytes and written 395 bytes
Verification: OK
---

read R BLOCK
"IMPLEMENTATION" "Stalwart ManageSieve"
"VERSION" "1.0"
"SASL" "PLAIN OAUTHBEARER"
"SIEVE" "body comparator-elbonia comparator-i;ascii-casemap comparator-i;ascii-numeric comparator-i;octet convert copy date duplicate editheader enclose encoded-character enotify envelope envelope-deliverby envelope-dsn environment ereject extlists extracttext fcc fileinto foreverypart ihave imap4flags imapsieve include index mailbox mailboxid mboxmetadata mime redirect-deliverby redirect-dsn regex reject relational replace servermetadata spamtest spamtestplus special-use subaddress vacation vacation-seconds variables virustest"
"NOTIFY" "mailto"
"MAXREDIRECTS" "1"
OK "Stalwart ManageSieve at your service."

Traefik's logs showing a successful connection to Stalwart's 4190 port:

level=debug msg="Handling connection from x.x.x.x:60954 to 172.18.0.20:4190"

Roundcube logs:

errors: <2c3c3449> PHP Error: Unable to connect to managesieve on mail.domain.tld:4190 in /var/www/html/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 227 (GET /?_task=settings&_action=plugin.managesieve)
errors: <2c3c3449> PHP Error: Not currently in AUTHORISATION state (GET /?_task=settings&_action=plugin.managesieve)
errors: <2c3c3449> PHP Error: Failed to read from socket (GET /?_task=settings&_action=plugin.managesieve)

Stalwart logs (no sieve logs):

stalwart-mail  | 2024-04-12T03:41:10.501170Z  INFO common::manager::boot: Starting Stalwart Mail Server v0.7.0...
stalwart-mail  | 2024-04-12T03:41:10.992212Z DEBUG common::manager::webadmin: WebAdmin successfully unpacked path="/tmp/STALWART_WEBADMIN"
stalwart-mail  | 2024-04-12T03:41:10.996418Z DEBUG jmap::services::housekeeper: Housekeeper task started.
stalwart-mail  | 2024-04-12T03:41:10.996937Z DEBUG jmap::services::housekeeper: Scheduling housekeeper event. due_in=2029 event=Session
stalwart-mail  | 2024-04-12T03:41:10.997259Z DEBUG jmap::services::housekeeper: Scheduling housekeeper event. due_in=11929 event=Store(0)
stalwart-mail  | 2024-04-12T03:41:10.997582Z DEBUG jmap::services::housekeeper: Scheduling housekeeper event. due_in=11929 event=Store(1)
stalwart-mail  | 2024-04-12T03:41:10.997884Z DEBUG jmap::services::housekeeper: Scheduling housekeeper event. due_in=11929 event=Store(2)
stalwart-mail  | 2024-04-12T03:41:10.999379Z  INFO common::listener::listen: Starting listener id="http" protocol=Http bind.ip="::" bind.port=8080 tls=false
stalwart-mail  | 2024-04-12T03:41:10.999970Z  INFO common::listener::listen: Starting listener id="https" protocol=Http bind.ip="::" bind.port=443 tls=true
stalwart-mail  | 2024-04-12T03:41:11.000375Z  INFO common::listener::listen: Starting listener id="imaptls" protocol=Imap bind.ip="::" bind.port=993 tls=true
stalwart-mail  | 2024-04-12T03:41:11.000744Z  INFO common::listener::listen: Starting listener id="sieve" protocol=ManageSieve bind.ip="::" bind.port=4190 tls=true
stalwart-mail  | 2024-04-12T03:41:11.001119Z  INFO common::listener::listen: Starting listener id="smtp" protocol=Smtp bind.ip="::" bind.port=25 tls=false
stalwart-mail  | 2024-04-12T03:41:11.001417Z  INFO common::listener::listen: Starting listener id="submission" protocol=Smtp bind.ip="::" bind.port=587 tls=false
stalwart-mail  | 2024-04-12T03:41:11.001668Z  INFO common::listener::listen: Starting listener id="submissions" protocol=Smtp bind.ip="::" bind.port=465 tls=true
stalwart-mail  | 2024-04-12T03:41:16.694531Z TRACE session{instance="imaptls" protocol=Imap remote.ip="x.x.x.x" remote.port=44358}: imap::core::client: event="read" data="A0001 AUTHENTICATE PLAIN afdfasdfasd=\r\n" size=87

Answered by mdecimus

Apr 12, 2024

It might be that Roundcube is expecting a plain-text ManageSieve connection. You can try disabling implicit TLS on Stalwart and then try again.
Make sure you enable STARTTLS on Rouncube otherwise you won't be able to authenticate. It is possible to allow plain-text auth in Stalwart but it is not recommended.

View full answer

mdecimus · 2024-04-12T07:30:16Z

mdecimus
Apr 12, 2024
Maintainer

It might be that Roundcube is expecting a plain-text ManageSieve connection. You can try disabling implicit TLS on Stalwart and then try again.
Make sure you enable STARTTLS on Rouncube otherwise you won't be able to authenticate. It is possible to allow plain-text auth in Stalwart but it is not recommended.

1 reply

jayknyn Apr 12, 2024
Author

Thank you, Mauro. That was it. I had Roundcube's ManageSieve plugin configured with tls:// and according to their docs, that is for STARTTLS. I switched the Roundcube ManageSieve config to ssl://, which is implicit TLS and it works with Stalwart's Sieve listener set to Implicit TLS.

However, setting Roundcube's ManageSieve config to STARTTLS and disabling Stalwart Sieve's implicit TLS did not work.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sieve: Can't connect from a webmail client but openssl connect succeeds #332

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Sieve: Can't connect from a webmail client but openssl connect succeeds #332

jayknyn Apr 12, 2024

Replies: 1 comment · 1 reply

mdecimus Apr 12, 2024 Maintainer

jayknyn Apr 12, 2024 Author

jayknyn
Apr 12, 2024

Replies: 1 comment 1 reply

mdecimus
Apr 12, 2024
Maintainer

jayknyn Apr 12, 2024
Author