0

I am trying to connect to Dovecot on port 993, but Dovecot shows the error below:

dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>

SquirrelMail config:

$imap_auth_mech        = 'login';
$use_imap_tls          = 1;
$imapServerAddress      = 'dovecot.server';
$imapPort               = 993;

When I try telnet and openssl from the SquirrelMail server:

[root@aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.

[root@aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Note: port 143 works fine, by the way.

hellzone

1 Answer

0

Check your PHP error log for things like this:

PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning:  fsockopen(): Failed to enable crypto ..
PHP Warning:  fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..

If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.

You can get your server's cert with this command:

openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem

Add it to the cert file, and you should be going.

One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.

Allen Luce
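
The two conditions in the answer above (the certificate must be present in the CA file the client uses, and its CN must match the hostname being connected to) can be checked from the shell before retrying the webmail login. This is an added example, not part of the original answer; the certificates are constructed throwaways generated on the spot, and the function names, the hostname mail.example.test and the file paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. The certificates are constructed throwaways and the
# function names and file paths are hypothetical.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_cert CN OUT: self-signed cert standing in for one saved from s_client.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$work/key.tmp" -out "$2" 2>/dev/null
}

# trusted CAFILE CERT: does CERT chain to an entry in CAFILE?
trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# name_matches HOST CERT: decide from the text that x509 -checkhost prints,
# not from its exit status.
name_matches() {
    openssl x509 -in "$2" -noout -checkhost "$1" 2>&1 |
        grep -q 'does match certificate'
}

# diagnose HOST CAFILE CERT: print the first check that would fail.
diagnose() {
    if ! trusted "$2" "$3"; then echo untrusted
    elif ! name_matches "$1" "$3"; then echo name-mismatch
    else echo ok
    fi
}

make_cert "Constructed Other CA" "$work/bundle.pem"   # stand-in for the existing CA file
make_cert "dovecot.server"       "$work/server.pem"   # stand-in for the server's cert

before=$(diagnose dovecot.server "$work/bundle.pem" "$work/server.pem")
cat "$work/server.pem" >> "$work/bundle.pem"          # "add it to the cert file"
after=$(diagnose dovecot.server "$work/bundle.pem" "$work/server.pem")
wrong_name=$(diagnose mail.example.test "$work/bundle.pem" "$work/server.pem")

echo "before adding cert: $before"
echo "after adding cert:  $after"
echo "other hostname:     $wrong_name"
```

Against a real server, pass the saved certificate and the CA file path reported by openssl_get_cert_locations() to diagnose instead of the generated files.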