Mail "unexpected error while creating account"/"Unerwarteter Fehler bei der Erstellung des Kontos"

Hi there,
I run my own mail server. This stands behind a smart host / mail relay. When I set up the Mail app in Nextcloud, I get the following error message:
“Unexpected error while creating the account”
My mail settings are as follows:

Manual
Name E-mail address => stefan.harbich@example.com
IMAP settings:
IMAP host => dsme01.intern.example.com
IMAP security => SSL/TLS
IMAP port => 993
IMAP user => stefan.harbich@example.com
IMAP password => xxxxxxxxxxxxx
SMTP settings:
SMTP host => dsme01.intern.example.com
SMTP security => SSL/TLS
SMTP port => 465
SMTP user => stefan.harbich@example.com
SMTP password => xxxxxxxxxxxxx

I use the same settings for Evolution and I can access my mailbox.

Nextcloud version (22.2.0):
Operating system and version (Debian 10 Buster):
Apache version (Apache 2.4.38-3+deb10u5):
PHP version (7.3.29-1~deb10u1):

Is this the first time you’ve seen this error? (Y):

Steps to replicate it:

  1. Mail app version 1.10.5 activated
  2. Set up an account

The output of your Nextcloud log in Admin > Logging:

"2021-10-23T09:51:12+02:00","remoteAddr":"192.168.30.67","user":"stefan.harbich","app":"mail","method":"POST","url":"/index.php/apps/mail/api/accounts","message":"Creating account failed: Connection to IMAP at dsme01.intern.example.com:993 failed. Error connecting to mail server.","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0","version":"22.2.0.2"}

The output of your journalctl log:

Okt 23 09:53:06 dsme01 dovecot[23564]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.20.20, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<J4QIawDPnobAqBQU>

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '#############',
  'passwordsalt' => '##############################',
  'secret' => '################################################',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.intern.example.com',
  ),
  'log_type' => 'file',
  'logfile' => 'nextcloud.log',
  'loglevel' => 0,
  'logtimezone' => 'Europe/Berlin',
  'log_rotate_size' => 104857600,
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '22.2.0.2',
  'overwrite.cli.url' => 'https://nextcloud.intern.example.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
  'default_phone_region' => 'DE',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 1.5,
  ),
  'app_install_overwrite' => 
  array (
    0 => 'ldapcontacts',
    1 => 'ldaporg',
  ),
  'ldapIgnoreNamingRules' => false,
  'maintenance' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'stefan.harbich',
  'mail_domain' => 'example.com',
  'mail_smtphost' => 'dsme01.intern.example.com',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'stefan.harbich',
  'mail_smtppassword' => '###############',
  'mail_smtpstreamoptions' => array( 'ssl' => array( 'allow_self_signed' => true, 'verify_peer' => false, 'verify_peer_name' => false ) ),
  'app.mail.imap.timeout' => 40,
  'app.mail.smtp.timeout' => 20,
  'app.mail.verify-tls-peer' => 'false',
  'app.mail.transport' => 'php-mail'
);

The output of your Apache/system log in /var/log/:

[Sun Oct 24 10:56:51.365860 2021] [gnutls:debug] [pid 12544] gnutls_hooks.c(1252): [client 192.168.30.67:48534] mgs_hook_pre_connection declined connection
[Sun Oct 24 10:56:51.365924 2021] [ssl:info] [pid 12544] [client 192.168.30.67:48534] AH01964: Connection to child 5 established (server nextcloud.intern.example.com:443)
[Sun Oct 24 10:56:51.366298 2021] [ssl:debug] [pid 12544] ssl_engine_kernel.c(2319): [client 192.168.30.67:48534] AH02043: SSL virtual host for servername nextcloud.intern.example.com found
[Sun Oct 24 10:56:51.366324 2021] [ssl:debug] [pid 12544] ssl_engine_kernel.c(2319): [client 192.168.30.67:48534] AH02043: SSL virtual host for servername nextcloud.intern.example.com found
[Sun Oct 24 10:56:51.366334 2021] [core:debug] [pid 12544] protocol.c(2314): [client 192.168.30.67:48534] AH03155: select protocol from , choices=h2,http/1.1 for server nextcloud.intern.example.com
[Sun Oct 24 10:56:51.371521 2021] [ssl:debug] [pid 12544] ssl_engine_kernel.c(2235): [client 192.168.30.67:48534] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Sun Oct 24 10:56:51.371682 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x0f -> subcache 15)
[Sun Oct 24 10:56:51.371703 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(732): AH00842: expiring 1 and reclaiming 0 removed socache entries
[Sun Oct 24 10:56:51.371712 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(751): AH00843: we now have 0 socache entries
[Sun Oct 24 10:56:51.371719 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Sun Oct 24 10:56:51.371727 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/214
[Sun Oct 24 10:56:51.371734 2021] [socache_shmcb:debug] [pid 12544] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Sun Oct 24 10:56:51.374913 2021] [ssl:debug] [pid 12544] ssl_engine_kernel.c(383): [client 192.168.30.67:48534] AH02034: Initial (No.1) HTTPS request received for child 5 (server nextcloud.intern.example.com:443)
[Sun Oct 24 10:56:51.375732 2021] [authz_core:debug] [pid 12544] mod_authz_core.c(820): [client 192.168.30.67:48534] AH01626: authorization result of Require all granted: granted
[Sun Oct 24 10:56:51.375754 2021] [authz_core:debug] [pid 12544] mod_authz_core.c(820): [client 192.168.30.67:48534] AH01626: authorization result of <RequireAny>: granted
[Sun Oct 24 10:56:51.375767 2021] [gnutls:debug] [pid 12544] gnutls_hooks.c(1354): [client 192.168.30.67:48534] request declined in mgs_hook_fixups
[Sun Oct 24 10:56:51.375937 2021] [authz_core:debug] [pid 12544] mod_authz_core.c(820): [client 192.168.30.67:48534] AH01626: authorization result of Require all granted: granted
[Sun Oct 24 10:56:51.375961 2021] [authz_core:debug] [pid 12544] mod_authz_core.c(820): [client 192.168.30.67:48534] AH01626: authorization result of <RequireAny>: granted
[Sun Oct 24 10:56:51.375971 2021] [gnutls:debug] [pid 12544] gnutls_hooks.c(1354): [client 192.168.30.67:48534] request declined in mgs_hook_fixups
[Sun Oct 24 10:56:51.708188 2021] [ssl:debug] [pid 12544] ssl_engine_io.c(1106): [client 192.168.30.67:48534] AH02001: Connection closed to child 5 with standard shutdown (server nextcloud.intern.example.com:443)
[Sun Oct 24 10:56:54.632665 2021] [gnutls:debug] [pid 30970] gnutls_hooks.c(1252): [client 192.168.30.67:48536] mgs_hook_pre_connection declined connection
[Sun Oct 24 10:56:54.632710 2021] [ssl:info] [pid 30970] [client 192.168.30.67:48536] AH01964: Connection to child 2 established (server nextcloud.intern.example.com:443)
[Sun Oct 24 10:56:54.633062 2021] [ssl:debug] [pid 30970] ssl_engine_kernel.c(2319): [client 192.168.30.67:48536] AH02043: SSL virtual host for servername nextcloud.intern.example.com found
[Sun Oct 24 10:56:54.633089 2021] [ssl:debug] [pid 30970] ssl_engine_kernel.c(2319): [client 192.168.30.67:48536] AH02043: SSL virtual host for servername nextcloud.intern.example.com found
[Sun Oct 24 10:56:54.633099 2021] [core:debug] [pid 30970] protocol.c(2314): [client 192.168.30.67:48536] AH03155: select protocol from , choices=h2,http/1.1 for server nextcloud.intern.example.com
[Sun Oct 24 10:56:54.637969 2021] [ssl:debug] [pid 30970] ssl_engine_kernel.c(2235): [client 192.168.30.67:48536] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Sun Oct 24 10:56:54.638121 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x7a -> subcache 26)
[Sun Oct 24 10:56:54.638140 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(732): AH00842: expiring 2 and reclaiming 0 removed socache entries
[Sun Oct 24 10:56:54.638148 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(751): AH00843: we now have 0 socache entries
[Sun Oct 24 10:56:54.638161 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(849): AH00847: insert happened at idx=2, data=(429:461)
[Sun Oct 24 10:56:54.638168 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=2/1, data_pos/data_used=429/214
[Sun Oct 24 10:56:54.638175 2021] [socache_shmcb:debug] [pid 30970] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Sun Oct 24 10:56:54.641818 2021] [ssl:debug] [pid 30970] ssl_engine_kernel.c(383): [client 192.168.30.67:48536] AH02034: Initial (No.1) HTTPS request received for child 2 (server nextcloud.intern.example.com:443)
[Sun Oct 24 10:56:54.642661 2021] [authz_core:debug] [pid 30970] mod_authz_core.c(820): [client 192.168.30.67:48536] AH01626: authorization result of Require all granted: granted
[Sun Oct 24 10:56:54.642683 2021] [authz_core:debug] [pid 30970] mod_authz_core.c(820): [client 192.168.30.67:48536] AH01626: authorization result of <RequireAny>: granted
[Sun Oct 24 10:56:54.642697 2021] [gnutls:debug] [pid 30970] gnutls_hooks.c(1354): [client 192.168.30.67:48536] request declined in mgs_hook_fixups
[Sun Oct 24 10:56:54.642883 2021] [authz_core:debug] [pid 30970] mod_authz_core.c(820): [client 192.168.30.67:48536] AH01626: authorization result of Require all granted: granted
[Sun Oct 24 10:56:54.642900 2021] [authz_core:debug] [pid 30970] mod_authz_core.c(820): [client 192.168.30.67:48536] AH01626: authorization result of <RequireAny>: granted
[Sun Oct 24 10:56:54.642910 2021] [gnutls:debug] [pid 30970] gnutls_hooks.c(1354): [client 192.168.30.67:48536] request declined in mgs_hook_fixups

Is your Nextcloud server able to reach that IMAP host?

Yes, the mail server and Nextcloud server run on the same hardware.

root@dsme01:~# nslookup
> dsme01
Server:		192.168.20.20
Address:	192.168.20.20#53

Non-authoritative answer:
Name:	dsme01.intern.example.com
Address: 192.168.20.20
> nextcloud
Server:		192.168.20.20
Address:	192.168.20.20#53

Non-authoritative answer:
Name:	nextcloud.intern.example.com
Address: 192.168.20.50
> exit

Hi Christoph,

I run my own root CA that is self-signed. From this root CA I created a server certificate for the mail server. In both the Dovecot and Postfix configuration I refer to the CA root file. I also refer to a self-created certificate in Nextcloud’s config.php.

But it just doesn’t work.

Hi Christoph,
do you have another tip what I can do to fix the problem?

See mail/admin.md at master · nextcloud/mail · GitHub

Hello Christoph,
Thank you very much for the further assistance. I’ve tried everything you wrote in the link. Unfortunately without success. What I noticed is that the mail notification works for the user. But not the access to the mail account via the app. If I compare the mail settings, I notice the following:

'mail_smtpstreamoptions' => array( 'ssl' => array( 'allow_self_signed' => true, 'verify_peer' => false, 'verify_peer_name' => false ) ),
'app.mail.verify-tls-peer' => 'false'

I think the following error message is the problem:

Nov 07 10:21:39 dsme01 dovecot[1645]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.20.20, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<aC9ZZy/Q9KzAqBQU>

Access to the mail account works via Evolution. Do you have another tip for me?
Greetings from Stefan Harbich

Don’t mix up Nextcloud server’s mail settings and the Mail app. They are two independent systems. Nextcloud server uses Swiftmailer for SMTP, Mail uses Horde for IMAP and SMTP. Anything you set for system mail has no influence on Mail.

You can see the troubleshooting section. There are logging options that could help: mail/admin.md at master · nextcloud/mail · GitHub

Hi there,
everything that I have described in GitHub for troubleshooting has already been done by me. Unfortunately without success. I can’t get to the point Get account ID’s because I can’t get the mail account created.
Why does access via the Evolution mail app work without problems?

Different code base that does different stuff.

Hi there,
I’ve been trying to solve the problem for 3 weeks now. Despite the log files that I posted here, nobody could help me. It seems that the mail app cannot handle self-signed certificates.
So unfortunately I have to close the nextcloud project. Isn’t so far for me to go live with it (mail and LDAP functions) very bad.
The mail problem must be with the app, because all other mail programs that I use to access my own mail server work without any problems.

Fortunately, we live in times where free SSL certificates from Let’s Encrypt are a thing. So it would be possible to solve this issue, if the self-signed certificates should indeed be the reason that the mail app or the LDAP connection does not work. No need to use self-signed certificates in 2021 anymore. :wink:

Have you ever considered that you are all dependent on “Let’s Encrypt”. You probably know who is behind it? And you have dealt with cryptography?
How often have I already written these sentences.

There are other CAs but why should I trust them more…? And self signed is imho not an option for public facing services, especially when other people besides yourself have to use them.

Yes. It’s all public. And I assume you use a Linux kernel on the OS on which you run Nextcloud and OpenSSL for the self-signed certificates. Do you know everybody who is behind these projects and contributes code? At least with the Linux kernel, it’s many of the same companies that are backing the ISRG, and a whole lot more…

I’m not a cryptography expert if that’s what you mean by “have dealt with cryptography”? Probably very few people who administer servers are… :wink:

Back to the topic: Is it officially confirmed that self-signed certificates do not work with Nextcloud Mail? Maybe you could open an issue or create a feature request on GitHub…

Hi b77 and ChristophWurst,

I have to apologize. I made the mistake. I copied the following entry incorrectly:

'app.mail.verify-tls-peer' => false

Sorry, greetings from Stefan Harbich

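Added example, not part of the thread or of Nextcloud's code: a small PHP lint that flags boolean settings stored as strings, the mistake resolved in the last post. Under a boolean cast PHP treats the non-empty string 'false' as true, so a truthiness check leaves peer verification on, which matches the Dovecot log where the connecting client rejects the certificate with alert 48 (unknown ca). The helper name lintBooleanSettings, the BOOLEAN_KEYS list and the sample array are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Settings from the config.php on this page that are meant to be booleans.
// (This list is an assumption of the example, not taken from Nextcloud.)
const BOOLEAN_KEYS = [
    'installed',
    'maintenance',
    'filelocking.enabled',
    'app.mail.verify-tls-peer',
];

/**
 * Hypothetical lint helper: for each boolean setting that is not a real
 * bool, report the value PHP derives from it and the value the text implies.
 */
function lintBooleanSettings(array $config): array
{
    $findings = [];
    foreach (BOOLEAN_KEYS as $key) {
        if (!array_key_exists($key, $config) || is_bool($config[$key])) {
            continue; // absent or already a genuine boolean
        }
        $raw = $config[$key];
        $findings[$key] = [
            'raw'       => var_export($raw, true),
            // (bool) on a string is false only for '' and '0'
            'effective' => (bool) $raw,
            // What a human reading the text would expect ('false' => false)
            'intended'  => filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE),
        ];
    }
    return $findings;
}

// Constructed sample: the relevant entries as first posted in the thread.
$CONFIG = [
    'installed'                => true,
    'maintenance'              => false,
    'filelocking.enabled'      => 'true',
    'app.mail.verify-tls-peer' => 'false',
];

foreach (lintBooleanSettings($CONFIG) as $key => $f) {
    $verdict = $f['effective'] === $f['intended'] ? 'harmless' : 'MISMATCH';
    printf("%-26s raw=%-8s effective=%-5s intended=%-5s %s\n", $key, $f['raw'],
        var_export($f['effective'], true), var_export($f['intended'], true), $verdict);
}
```

With verification disabled the connection is encrypted but the server is not authenticated; trusting the private root CA on the Nextcloud host keeps verification on.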