I recently set up a mail server with Postfix and Dovecot, with Roundcube for the front-end. I'm unable to log into Roundcube no matter what, it seems. I have my email address set up in Thunderbird too, and it works flawlessly, which means I'm using the right password. I have been over this repeatedly and I can't seem to figure it out. Here's the Roundcube access log entry:
$ tail -f /var/log/apache2/roundcube_access.log
216.218.131.118 - - [25/Jun/2023:10:16:21 -0700] "GET / HTTP/1.1" 200 7226 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
216.218.131.118 - - [25/Jun/2023:10:16:21 -0700] "GET /skins/elastic/images/favicon.ico?s=1674504194 HTTP/1.1" 200 2068 "https://webmail.domain.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
216.218.131.118 - - [25/Jun/2023:10:16:30 -0700] "POST /?_task=login HTTP/1.1" 401 3435 "https://webmail.domain.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
Dovecot config:
$ dovecot -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.19.0-45-generic x86_64 Ubuntu 22.04.2 LTS
# Hostname: domain.com
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = domain.com
auth_mechanisms = plain login
auth_username_format = %u
auth_verbose = yes
mail_home = /var/vmail/%d/%n/
mail_location = maildir:~/Maildir
mail_max_userip_connections = 50
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    auto = create
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = create
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp imap lmtp pop3
service auth-worker {
  vsz_limit = 0
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service stats {
  unix_listener stats-reader {
    group = www-data
    mode = 0660
    user = www-data
  }
  unix_listener stats-writer {
    group = www-data
    mode = 0660
    user = www-data
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/postfixadmin.lennyshort.com/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
remote 127.0.0.1 {
  mail_max_userip_connections = 50
}
Here's the Roundcube config:
<?php
/* Local configuration for Roundcube Webmail */
// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// Note: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
// Note: Various drivers support various additional arguments for connection,
// for Mysql: key, cipher, cert, capath, ca, verify_server_cert,
// for Postgres: application_name, sslmode, sslcert, sslkey, sslrootcert, sslcrl, sslcompression, service.
// e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
$config['db_dsnw'] = 'mysql://roundcubeuser:password@localhost/roundcubedb';
// Log sent messages to <log_dir>/sendmail.log or to syslog
$config['smtp_log'] = false;
// ----------------------------------
// IMAP
// ----------------------------------
// The IMAP host (and optionally port number) chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// If port number is omitted it will be set to 993 (for ssl://) or 143 otherwise.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['imap_host'] = 'ssl://webmail.domain.com';
// ----------------------------------
// SMTP
// ----------------------------------
// SMTP server host (and optional port number) for sending mails.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// If port number is omitted it will be set to 465 (for ssl://) or 587 otherwise.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
// To specify different SMTP servers for different IMAP hosts provide an array
// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']
$config['smtp_host'] = 'tls://webmail.domain.com';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = 'mailto:[email protected]';
// check client IP in session authorization
$config['ip_check'] = true;
// This key is used for encrypting purposes, like storing of imap password
// in the session. For historical reasons it's called DES_key, but it's used
// with any configured cipher_method (see below).
// For the default cipher_method a required key length is 24 characters.
$config['des_key'] = 'xxxxxxxxxxxxxxxxxxxxxxxx';
// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['username_domain'] = 'domain.com';
// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = ['acl', 'additional_message_headers', 'archive', 'attachment_reminder', 'autologon', 'autologout', 'database_attachments', 'emoticons', 'example_addressbook', 'filesystem_attachments', 'help', 'hide_blockquote', 'http_authentication', 'identicon', 'identity_select', 'jqueryui', 'managesieve', 'markasjunk', 'new_user_dialog', 'new_user_identity', 'newmail_notifier', 'password', 'reconnect', 'redundant_attachments', 'show_additional_headers', 'subscriptions_option', 'userinfo', 'vcard_attachments', 'virtuser_file', 'virtuser_query'];
// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'en_US';
// Make use of the built-in spell checker.
$config['enable_spellcheck'] = true;
// prefer displaying HTML messages
$config['prefer_html'] = false;
// Encoding of long/non-ascii attachment names:
// 0 - Full RFC 2231 compatible
// 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
// 2 - Full 2047 compatible
$config['mime_param_folding'] = 0;
And finally, here's the mail log:
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: sqlpool(mysql): Creating new connection
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
Jun 25 10:57:55 lennyshort dovecot: auth: Debug: mysql(localhost): Connecting
Jun 25 10:57:55 lennyshort dovecot: imap-login: Disconnected: Connection closed (disconnected before auth was ready, waited 0 secs): user=<>, rip=216.218.131.118, lip=216.218.131.118, TLS, session=<011A+ff+6r7Y2oN2>
I figured it out, with some help from ServerFault. In the Roundcube config.inc.php file I changed the $config['imap_host'] from 'ssl://webmail.domain.com'; to just 'webmail.domain.com';, and changed $config['smtp_host'] from 'tls://webmail.domain.com'; to just 'webmail.domain.com';. After saving the file I was able to log into Roundcube webmail successfully. Not sure about the security implications of this, can anyone comment on that?
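An added example, not part of the original post and not Roundcube's own code: a small Python audit that applies the prefix and default-port rules from the config comments quoted above to the imap_host and smtp_host values before and after the change. The function names and the needs_review flag are assumptions of this example; it handles single-string values only and does not resolve hostnames, so a name that points back at the same machine is still flagged.

```python
import re

# Default ports as stated in the Roundcube config comments quoted in the post.
DEFAULT_PORTS = {
    "imap_host": {"ssl": 993, "tls": 143, None: 143},
    "smtp_host": {"ssl": 465, "tls": 587, None: 587},
}
TRANSPORT = {"ssl": "implicit TLS", "tls": "STARTTLS", None: "no TLS requested"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Matches active (not commented-out) single-string settings only.
SETTING_RE = re.compile(
    r"""^\s*\$config\['(imap_host|smtp_host)'\]\s*=\s*'([^']*)'\s*;""", re.M)
HOST_RE = re.compile(r"^(?:(ssl|tls)://)?(\[[^\]]+\]|[^:/]+)(?::(\d+))?$")


def classify(key, value):
    """Split a host setting into scheme, host and port and name its transport."""
    m = HOST_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised {key} value: {value!r}")
    scheme, host, port = m.group(1), m.group(2).strip("[]"), m.group(3)
    return {
        "key": key,
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS[key][scheme],
        "transport": TRANSPORT[scheme],
        # No TLS requested and the host is not a loopback literal: confirm
        # that this hop never leaves the machine before accepting it.
        "needs_review": scheme is None and host.lower() not in LOOPBACK,
    }


def audit(config_text):
    """Return one finding per imap_host/smtp_host line in a config.inc.php."""
    return [classify(k, v) for k, v in SETTING_RE.findall(config_text)]


# Constructed sample: the two settings before and after the change in the post.
BEFORE = """$config['imap_host'] = 'ssl://webmail.domain.com';
$config['smtp_host'] = 'tls://webmail.domain.com';
"""
AFTER = """$config['imap_host'] = 'webmail.domain.com';
$config['smtp_host'] = 'webmail.domain.com';
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for finding in audit(text):
            print(label, finding)
```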