Getting dockerized Roundcube to work with dockerized Dovecot - Plaintext not allowed


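I have a server running both roundcube and dovecot, each in its own container. The server is secured with letsencrypt and all http traffic is routed to https. I set up a proxy to route https to the http roundcube, which seems to work well.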

location /webmail/ {
    proxy_pass  http://localhost:8080/;
}

My roundcube docker is started like this:

docker run --name=roundcube -e ROUNDCUBEMAIL_DEFAULT_HOST=mail.blinkyvision.com -d -p "8080:80" roundcube/roundcubemail

I have also told roundcube to use https (defaults.inc.php). All other roundcube options are the defaults:

$config['use_https'] = true;

When I go to the roundcube page, the address does show correctly as https://

But when I try to log in, my dovecot server gives an error:

Jan  8 19:53:15 mail dovecot: imap-login: Login failed: Plaintext authentication disabled: user=<>, rip=172.18.0.1, lip=172.18.0.2, session=<dy43svd+8sOsEgAB>

The error in the Roundcube log is as follows:

172.17.0.1 - - [08/Jan/2019:19:53:03 +0000] "GET / HTTP/1.0" 200 2667 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
errors: <1228866d> IMAP Error: Login failed for sven from 172.17.0.1. LOGIN: Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)
172.17.0.1 - - [08/Jan/2019:19:53:15 +0000] "POST /?_task=login HTTP/1.0" 200 2935 "https://blinkyvision.com/webmail/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 

I can't think of any other setting that would fix this.

By the way, here are the dovecot settings:

root@mail:/# dovecot -n
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.15.0-43-generic x86_64 Debian 9.6 ext4
# Hostname: mail.blinkyvision.com
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1:6
hostname = mail.blinkyvision.com
imap_idle_notify_interval = 29 mins
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:/var/mail/%d/%n
mail_privileged_group = docker
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify vnd.dovecot.pipe vnd.dovecot.filter
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/userdb
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags +vnd.dovecot.pipe +vnd.dovecot.filter
  sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  sieve_plugins = sieve_extprograms
}
postmaster_address = [email protected]
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = docker
    mode = 0666
    user = docker
  }
  unix_listener auth-master {
    group = docker
    mode = 0600
    user = docker
  }
  unix_listener auth-userdb {
    group = docker
    mode = 0666
    user = docker
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0660
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.blinkyvision.com/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1
userdb {
  args = username_format=%u /etc/dovecot/userdb
  default_fields = uid=docker gid=docker home=/var/mail/%d/%u
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}

Answer 1

I know next to nothing about Roundcube or Dovecot beyond what I've looked up on Google... but this looks like an IMAP error, not an HTTP error.

It seems someone or something is trying to log in to the IMAP server without using SSL. I mean on the IMAP service.

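My guess is: Roundcube acts as a webmail front end for the actual mail server, Dovecot, and it connects to Dovecot using IMAP. But this connection is not using SSL, so Dovecot refuses the login, and Roundcube is just reporting the error it received from Dovecot. This has nothing at all to do with how the end user reaches Roundcube itself (HTTPS).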


Another quick search turned up the following: https://github.com/roundcube/roundcubemail/wiki/Configuration

If you want to use an encrypted connection, it seems Roundcube's default IMAP server should be prefixed with "ssl://" or "tls://". Try changing ROUNDCUBEMAIL_DEFAULT_HOST=mail.blinkyvision.com to ROUNDCUBEMAIL_DEFAULT_HOST=ssl://mail.blinkyvision.com:993
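The check the answer describes, as an added example that is not part of the original post or of Roundcube's code: it maps a Roundcube host setting to the IMAP transport it implies and compares it with the capabilities the server advertises before TLS. The function names and the sample greeting are constructed for illustration; the `ssl://` / `tls://` prefixes are the ones named in the answer.

```python
import re

# Constructed sample: a pre-TLS greeting of the kind Dovecot sends on port 143
# when plaintext authentication is disabled (not captured from the page's server).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                   "STARTTLS LOGINDISABLED] Dovecot ready.")

def parse_default_host(value):
    """Split a Roundcube default host value into (transport, host, port)."""
    m = re.fullmatch(r"(?:(ssl|tls)://)?([^:/\s]+)(?::(\d+))?", value.strip())
    if not m:
        raise ValueError(f"unrecognised host setting: {value!r}")
    scheme, host, port = m.groups()
    transport = {"ssl": "implicit-tls", "tls": "starttls", None: "plaintext"}[scheme]
    default_port = 993 if scheme == "ssl" else 143
    return transport, host, int(port) if port else default_port

def capabilities(line):
    """Extract capability atoms from a greeting or an untagged CAPABILITY reply."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def login_verdict(default_host, pre_tls_line):
    """Predict what happens when the webmail client sends LOGIN with this setting."""
    transport, _host, _port = parse_default_host(default_host)
    caps = capabilities(pre_tls_line)
    if transport == "implicit-tls":
        return "ok: TLS is negotiated before any IMAP command"
    if transport == "starttls":
        if "STARTTLS" in caps:
            return "ok: session is upgraded with STARTTLS before LOGIN"
        return "fail: server does not offer STARTTLS"
    if "LOGINDISABLED" in caps:
        # Matches the Dovecot log on this page: the LOGIN is rejected, but the
        # password has already crossed the connection unencrypted.
        return "refused: server advertises LOGINDISABLED, plaintext LOGIN is rejected"
    return "exposed: LOGIN is accepted and the password travels in clear"

if __name__ == "__main__":
    for setting in ("mail.blinkyvision.com", "tls://mail.blinkyvision.com",
                    "ssl://mail.blinkyvision.com:993"):
        print(f"{setting:34} -> {login_verdict(setting, SAMPLE_GREETING)}")
```
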
