roundcube: "Authentication failed: STARTTLS failed" when trying to send mail

Ste*_*ieD 6 postfix dovecot roundcube

I'm trying to get roundcube/dovecot/postfix working on a Debian box running on Amazon. I can log in and receive email, but I can't send. I get an error in roundcube: smtp authentication error (220) Authentication failed.

Roundcube error log:

[24-Sep-2020 08:47:24 +0000]: <a83d4mll> PHP Error: STARTTLS failed (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)
[24-Sep-2020 08:47:24 +0000]: <a83d4mll> PHP Error: Invalid response code received from server (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)
[24-Sep-2020 08:47:24 +0000]: <a83d4mll> SMTP Error: Authentication failure: STARTTLS failed (Code: ) in /opt/bitnami/apps/roundcube/htdocs/program/lib/Roundcube/rcube.php on line 1702 (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)

Roundcube SMTP log:

[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Connecting to tls://webmail.theomnihealthgroup.com:587...
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 220 mail.theomnihealthgroup.com ESMTP Postfix (Debian/GNU)
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: EHLO webmail.theomnihealthgroup.com
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-mail.theomnihealthgroup.com
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-PIPELINING
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-SIZE 10240000
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-VRFY
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-ETRN
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-STARTTLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-ENHANCEDSTATUSCODES
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-8BITMIME
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-DSN
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-SMTPUTF8
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250 CHUNKING
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: STARTTLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 220 2.0.0 Ready to start TLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: QUIT
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: ^V^C^C^A,^L^@^A(^C^@^] <80>\xc3\x84S<96>\xc3\xb1rgY(v^P\xc2\xbf<97>\xc3\x85j\xc3\xb2<\xc2\xac<9e>\xc3\xb2^U\xc2\xad')g\xc3\x94<86>hG|\xc2\xa6^P^H^D^A^@Dv(RV<92>T\xc3\xad\xc3\xac\xc3\xa3\xc3\xb4^H\xc3\x82\xc3\xa8<9c>\xc3\xa8<98>\xc3\xbb\xc3\x90U\xc2\xa7\xc2\xad\xc3\x90^Bf\xc3\xa3<87><9a>4BNP\xc3\x99<82>G\xc3\x8fs\xc2\xac

I'm pretty sure this has to do with the certificates, but I'm not sure how to fix it.

Postfix main.cf:

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
stmpd_tls_security_level = may
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_cert_file=/opt/bitnami/letsencrypt/certificates/webmail.theomnihealthgroup.com.crt
#smtpd_tls_key_file=/opt/bitnami/letsencrypt/certificates/webmail.theomnihealthgroup.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.theomnihealthgroup.com
#myhostname = theomnihealthgroup.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = theomnihealthgroup.com
mydomain = theomnihealthgroup.com
mydestination = $myhostname, ip-172-30-0-246.ec2.internal, localhost.ec2.internal, localhost, $mydomain, localhost.$mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Dovecot configuration:

mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

roundcube config.inc.php

$config = array();
$config['debug_level'] = 1;
$config['smtp_debug'] = true;

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://bn_roundcube:22223abcde@localhost:3306/bitnami_roundcube';

// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'mail.theomnihealthgroup.com';

// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld

# Also tried: $config['smtp_server'] = 'tls://theomnihealthgroup.com';
$config['smtp_server'] = 'tls://webmail.theomnihealthgroup.com';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = '';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = 'https://community.bitnami.com/';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Omni Mail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'KJDKJIJEIKDJ';

// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
    'archive',
    'zipdownload',
);

// skin name: folder from skins/
$config['skin'] = 'elastic';
$config['default_port'] = 143;
$config['mime_param_folding'] = 0;

xy2*_*xy2 4

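When you set $config['smtp_server'] to a URL starting with tls://, you are setting up a PHP SSL context. As the default roundcube config suggests, you may need to set options in that context.

In my case, I had to provide:

  • peer_name, the domain name of the mail server.
  • cafile, the path to the CA file.

You can put the following in the Roundcube config.inc.php file: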

$config['smtp_conn_options'] = [
  'ssl' => [
    'peer_name' => 'replace.with.my.mail.com',
    'cafile' => '/path/to/ca-certificates.crt'
  ],
];
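
An added example (not from the original answer or from Roundcube) that reads an smtp_debug log in the format shown in the question and flags the two signs that point at the TLS context options above: the client sending QUIT right after `220 ... Ready to start TLS`, and a greeting hostname that differs from the host in `smtp_server`. The log lines are constructed with placeholder hostnames, and `triage` and its finding labels are names chosen for this example.

```python
import re

# Constructed sample in the smtp_debug format shown in the question;
# hostnames are example.test placeholders, not the poster's servers.
SAMPLE_LOG = """\
[01-Jan-2024 10:00:00 +0000]: <s1> Connecting to tls://webmail.example.test:587...
[01-Jan-2024 10:00:00 +0000]: <s1> Recv: 220 mail.example.test ESMTP Postfix
[01-Jan-2024 10:00:00 +0000]: <s1> Send: EHLO webmail.example.test
[01-Jan-2024 10:00:00 +0000]: <s1> Recv: 250 STARTTLS
[01-Jan-2024 10:00:00 +0000]: <s1> Send: STARTTLS
[01-Jan-2024 10:00:00 +0000]: <s1> Recv: 220 2.0.0 Ready to start TLS
[01-Jan-2024 10:00:00 +0000]: <s1> Send: QUIT
"""

LINE = re.compile(r"^\[[^\]]+\]: <[^>]+> (.*)$")
CONNECT = re.compile(r"^Connecting to (?:tls|ssl)://([^:/]+):\d+")
BANNER = re.compile(r"^Recv: 220 (\S+)")

def triage(log_text):
    """Return (finding, connect_host, banner_host) tuples for a debug log."""
    findings, host, banner, state = [], None, None, "idle"
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1)
        conn = CONNECT.match(body)
        if conn:
            host, banner, state = conn.group(1).lower(), None, "connected"
        elif state == "connected" and BANNER.match(body):
            banner, state = BANNER.match(body).group(1).lower(), "greeted"
            if banner != host:
                # Hint only: the certificate may be issued for another name.
                findings.append(("banner-differs-from-connect-host", host, banner))
        elif body == "Send: STARTTLS":
            state = "starttls-sent"
        elif state == "starttls-sent" and body.startswith("Recv: 220"):
            state = "tls-ready"
        elif state == "tls-ready":
            # A working handshake is followed by a second EHLO; QUIT here
            # means the client gave up during TLS negotiation.
            if body.startswith("Send: QUIT"):
                findings.append(("client-aborted-tls-handshake", host, banner))
            state = "done"
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A differing greeting name is only a hint; the name that decides verification is the one in the server certificate, which is what `peer_name` is checked against.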