[closed] Mail app - unable to verify CA

[Nextcloud Hub 8] (29.0.5)

I had the Nextcloud mail app running with hmailserver as backend. Worked fine.
Then I switched to dovecot/postfix as mail server. Same user accounts, passwords, same IP address. Only thing that changed: TLSv1.2 and higher is required by the new mail server.

This seems to break the 29.0.5 mail app. From what I can see from the logs on the mail server, while establishing a TLS connection, a protocol version mismatch happens and the connection is terminated.

Now, running openssl s_client -connect imap.server.com:993 on the server's console, a TLSv1.3 connection is established. So connectivity and an incorrect openssl version can be ruled out as root cause. I conclude the NC mail app is trying to establish the connection using SSL or TLSv1.

Is there a way to force the Nextcloud mail app to only use TLSv1.2 and above?

You can enable additional logging to troubleshoot things in the Mail app:

See Mail: Troubleshooting

Enabling and checking the NC mail app debug log in combination with running a tcpdump in parallel reveals the mail server log was a bit misleading:

NC log
{"reqId":"-----------------","level":3,"time":"March 17, 2025 14:33:33","remoteAddr":"-----------------------","user":"-----------","app":"PHP","method":"PUT","url":"/index.php/apps/mail/api/accounts/1","message":"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /var/www/html/nextcloud/apps/mail/vendor/bytestream/horde-socket-client/lib/Horde/Socket/Client.php#294","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0","version":"29.0.5.1","data":{"app":"PHP"}}

tcpdump
TLSv1.3 Alert (Level: Fatal, Description: Unknown CA)

So this sounds like

  • the NC mail client is using TLSv1.3
  • tries to validate the CA
  • and fails to do so

where failing doesn't seem to mean the app isn't working correctly but rather that it can't get a positive validation.

Am I correct that CA validation happens on the client, meaning the NC host? So during establishing a TLS connection, the client receives the server's cert, extracts its CA and then tries to validate this CA against the CA in the NC host's cert store? Is it correct to conclude from the error messages that this is where the validation fails?

This would be a bit weird, since the configuration, certs, domains, … on the mail server have not changed. Neither has the NC configuration or the NC host. However, other clients connecting to the mail server have no issues. So it must be something on the NC host.

Following the error message, I thought I'd try to force NC to not validate the CA. If I correctly understand, this is done by:

// in config/config.php (PHP array syntax; straight quotes, not typographic ones)
'mail_smtpstreamoptions' => array(
    'ssl' => array(
        'allow_self_signed' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
    ),
),

Although I'm using Let's Encrypt, I set allow_self_signed just to have the most relaxed configuration possible.

However, it didn't change the result nor the behaviour. Error messages in the logs and the tcpdump remain the same. It seems as if the configuration snippet above has no effect → the mail app still tries to validate the CA.

Now I have run out of ideas. I'm thankful for any hint on what I could try next.

Wait a minute… is "mail_smtpstreamoptions" only applied to SMTP? Meaning, it has no effect on IMAP? If so, are the same options also available for IMAP?

To answer my own question after performing some tests: mail_smtpstreamoptions has no effect on the IMAP configuration. And there seem to be no related config options for IMAP.

The Nextcloud Mail Admin Documentation link where the Troubleshooting bit was provided above has additional documentation which covers similar options for the Mail app at Mail: Disable TLS verification for IMAP/SMTP, if you want to try them.
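As an added diagnostic (not Nextcloud's or the Horde socket client's own code), the script below reproduces the stream_socket_client() handshake from the NC host with peer verification left on, prints which CA store PHP's OpenSSL actually consults, and lists the certificate chain the IMAP server presents. The hostname and port are assumptions; run it with the real IMAP host to see whether the "certificate verify failed" from the log is a missing intermediate, a stale CA bundle, or a wrong path in openssl.cafile.

```php
<?php
// Added diagnostic, not part of Nextcloud or Horde. Host/port are assumptions.
$host = 'imap.example.com';
$port = 993;

// The trust store the NC host's PHP validates against: default file/dir plus
// any openssl.cafile / openssl.capath overrides from php.ini.
echo "PHP OpenSSL CA locations:\n";
print_r(openssl_get_cert_locations());

$ctx = stream_context_create(['ssl' => [
    'verify_peer'             => true,   // same strict defaults the Mail app uses
    'verify_peer_name'        => true,
    'capture_peer_cert_chain' => true,   // keep the presented chain for inspection
    // Offer only TLS 1.2 and 1.3, matching the new mail server's policy.
    'crypto_method'           => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                               | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
]]);

// The ssl:// wrapper performs the TLS handshake inside the connect call,
// exactly where the Mail app's log line reported the failure.
$sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                              STREAM_CLIENT_CONNECT, $ctx);

if ($sock === false) {
    // The OpenSSL detail ("certificate verify failed") is raised as a warning,
    // so fetch it from error_get_last() rather than from $errstr alone.
    $last = error_get_last();
    echo "Handshake failed: $errstr ($errno)\n", $last['message'] ?? '', "\n";
    exit(1);
}

echo "Handshake OK, server greeting: ", trim(fgets($sock)), "\n";

// Walk the chain the server sent: subject, issuer and expiry of each cert.
// A chain that stops at the leaf (no intermediate) or an unexpected issuer
// explains an "Unknown CA" alert without any change on the server side.
$opts  = stream_context_get_params($ctx)['options']['ssl'] ?? [];
$chain = $opts['peer_certificate_chain'] ?? [];
foreach ($chain as $i => $cert) {
    $p = openssl_x509_parse($cert);
    printf("[%d] subject=%s\n    issuer=%s\n    notAfter=%s\n", $i,
        $p['name'], implode(', ', $p['issuer'] ?? []),
        date('c', $p['validTo_time_t']));
}
fclose($sock);
```

If the handshake fails here but openssl s_client on the mail server succeeds, compare the CA locations printed above with the bundle s_client used; the two hosts can trust different stores.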