SMTP connection fails

[Has-X]

I cannot send an email trough smtp no matter what I do, I tested with other mail clients and it works, expect for Roundcube docker,

My docker log:

errors: <9ea8998e> PHP Error: STARTTLS failed (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)
errors: <9ea8998e> PHP Error: Invalid response code received from server (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)
errors: <9ea8998e> SMTP Error: STARTTLS failed: 2.0.0 Ready to start TLS (Code: 220) in /var/www/html/program/lib/Roundcube/rcube.php on line 1794 (POST /?_task=mail&_unlock=loading1702834244555&_framed=1&_lang=en&_action=send)

My postfix log:

Dec 17 17:30:49 mail.rokal.es postfix/smtpd[9891]: connect from ip51.ip-87-98-146.eu[87.98.146.51]
Dec 17 17:30:50 mail.rokal.es postfix/smtpd[9891]: lost connection after STARTTLS from ip51.ip-87-98-146.eu[87.98.146.51]
Dec 17 17:30:50 mail.rokal.es postfix/smtpd[9891]: disconnect from ip51.ip-87-98-146.eu[87.98.146.51]

[fager]

I have the same problem with my installation.

Connections (imap and smtp) without tls work but as soon as I activate tls I get these error messages.

My Postfix and Dovecot have certificates from Let's Encrypt. Both certificate chains don't seem to be present in the Docker image.

Test:

docker exec -it <container-name> bash
curl -v https://<FQDN-of-some-Lets-Encrypt-Website>/
...
curl: (60) SSL certificate problem: unable to get local issuer certificate
...

I created my own container image in which I added the Let's Encrypt certificate chain to /usr/local/share/ca-certificates/ and updated the CA files with "RUN update-ca-certificates".

Afterwards I can successfully validate the server certificate using curl.

PHP can now apparently validate the certificate with the PHP default config.

Test:

php -r "print(file_get_contents('https://<FQDN-of-some-Lets-Encrypt-Website>'));"

But Roundcube still cannot validate the Let's Encrypt certificate during imap or smtp connections with tls.

I then converted my configuration to the advanced configuration and set the options "smtp_conn_options" and "imap_conn_options" to point to /etc/ssl/certs/ca-certificates.crt.

$config['imap_conn_options'] = [
    'ssl' => [
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/ssl/certs/ca-certificates.crt',
    ],
];
$config['smtp_conn_options'] = [
    'ssl' => [
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/ssl/certs/ca-certificates.crt',
    ],
];

With this configuration, SMTP and IMAP are both TLS protected and working.

It would be nice to extend the Entrypoint script so that it updates the CA chain if, for example, a directory with additional CA certificates is mounted under /certs/. And an adapted *_conn_options configuration could be included in the container image, which points to the correct ca_file.

[pabzm]

I cannot reproduce that. Can you specify a full example, including a hostname?