IMAP Fails with Gmail

jakespillstea

Hello, I am trying to set up IMAP with a Gmail account. I am able to send emails with SMTP, testing receiving emails fails with IMAP.

I have IMAP turned on in the settings for my gmail account. I have the php-pecl-mailparse and php-imap extensions installed. I have double checked the config on settings_mail.php page and everything is right. Sending and receiving port 993 is also open in my firewall. My ITFlow git is updated to version April 17, 2023.
Here are the error(s) from httpd-error.log:
[Tue Apr 18 14:53:16.850209 2023] PHP Warning: imap_open(): Couldn't open stream {imap.gmail.com:993/imap/readonly/ssl}INBOX in /usr/local/www/apache24/data/post.php on line 562, referer: https://mydomain.com/settings_mail.php

[Tue Apr 18 14:53:16.851163 2023] PHP Notice: Unknown: Certificate failure for imap.gmail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid (errflg=2) in Unknown on line 0, referer: https://mydomain.com/settings_mail.php

I also have gone as far as updating my ca-root-ns package and pointed php.ini directly to the path where it is located.

Can anyone help me clear this issue up? Let me know if you need any more information.

felix

jakespillstea Does the browser show a self signed certificate when you go to your ITFlow?

jakespillstea

felix Sorry for my awfully late reply. My SSL certificate is issued by Let's Encrypt. I am unsure how that is relevant to this error though? Should I have done some sort of extra feature config on my certificate? SMTP works perfectly fine.

felix

jakespillstea I wouldn't think it's related either if not for the log "Certificate failure for imap.gmail.com: self signed certificate". Check your server's date, it could be wrong.

Past that, the usual fix is to use a google app password. It's worth a shot however, if that is the solution in this case SMTP shouldn't be working either.

jakespillstea

felix I googled the error and I found this somewhat relevant post from someone with the same PHP error, and the fault may lie with either Google or the PHP IMAP extension. I am no PHP developer, but I edited line 615 in post.php to this:

$imap_mailbox = "$config_imap_host:$config_imap_port/imap/readonly/$config_imap_encryption/novalidate-cert";

Now, testing receiving emails is successful. I am however concerned about any possible security vulnerabilities "nonvalidated certs" might open, so I will probably go without ticket parsing for the time being. I don't know if you find this at all helpful, but just wanted to share my research on it. Related search results seem like a rabbit hole that I'm not qualified enough to understand.

I also tested both Google less-secure apps login, as well as a Google app password after turning 2FA, and both ways I could not connect to the IMAP server without the /nonvalidate-cert line.

TY for your help.

zm-brian

felix I'm having an issue too. First off, great job. I'm liking IT Flow and I think it has potential so kudos to you guys! Now, back to my email woes….

I tried setting up the email but it keeps failing. The site is running on an ubuntu server - v22.04 LTS with php 8.1

There are several other vhosts on the server and some relay through a local instance of sendmail. The rest of the vhosts don't.

Sendmail is configured to relay the email to a mail server we have in a protected network. The other websites that don't use sendmail, connect directly to this email server.

I have an account that does work for connecting to this email server for authentication.

Since the web server and email server are completely under our control, we have many options available for different configurations. The email server can accept unencrypted and encrypted SMTP connections but unfortunately, everything I've tried doesn't work.

I've tried using an unencrypted connection as well as encrypted connections - SSL and TLS.

I checked the logs and noticed something. Whether I select no encryption or SSL or TLS, it's always trying to establish an encrypted connection.

This is from the email servers logs:

"TCPIP" 4196 "2023-05-16 03:31:03.232" "TCPConnection - TLS/SSL handshake failed. Session Id: 19, Remote IP: <thewebserver>, Error code: 336151576, Message: tlsv1 alert unknown ca"

I googled that error code, and this was the first result - https://github.com/droe/sslsplit/issues/131

The issue is old but based on what @jakespillstea responded to address his issue, I think the content is relevant.

As I mentioned, even if I select the "None" for the Encryption option in IT Flow, the same error message is logged on the email server.

I'm just trying to setup SMTP, I haven't even got to providing values for the IMAP connection yet.

The Ubuntu server is fully patched. In the php.ini file I had to update the capath for php-curl to work for another website. So the rootca.pem file is as updated as it could be.

My website is also secured with a certificate from Let's Encrypt just like @jakespillstea AND the email server also uses a certificate from Let's Encrypt for TLS and SSL connections.

There are several other sites running on that web server with some of them establishing an SMTP connection to the email server that connect and send email without issue.

Several email clients connect to that email server (publicly) and when I'm in the office even privately. We have this email server, mostly for our customers. It's kind works like an SMTP2GO, or SendGrid service (and you can get a username and password to connect via SMTP to SendGrid.

We don't send millions of emails a day ;-) but it does see it's fair share of load, so I really don't think it's the email server. If it were, I'm sure we would of heard something from some customer by now. But Hey! Anything's possible right!

I glanced over the code a month or two ago but didn't check out the email component.

I was one of those people trying to use MySQL as the backend instead of MariaDB. We have MySQL clusters so why would I want another database engine… Of course, that would be in addition to the MongoDB instances and PostgreSQL instances, and MSSQL instances but whatever.

I don't know if the code has some type of security checking where it's looking at the Common name of the cert and verifying that against the SMTP EHLO or what.

I'll see what else I can figure out later in the week when I have time.

OH, and before I forget, I tried running the last update and the site was updated, but I was left with a database update that needed to be done. Unfortunately, whenever I click on the update button, nothing happens. :-(

But that's another issue for another day.

johnny

@jakespillstea Im curious what OS and version of OpenSSL are you using?

jakespillstea

johnny FreeBSD 13.1 (inside a jail) and OpenSSL version 1.1.1o-freebsd 3 May 2022. I understand that this project has mainly been created to run on Ubuntu server, however my experience on FreeBSD has been completely smooth and imaginably identical to Ubuntu, besides this one issue. I do have the option to install OpenSSL 3.x. if you think that might improve anything.

wrongecho

jakespillstea

Good find. The issue/lack of SNI Support was seemingly in the php-imap package / libssl when this was an issue in Ubuntu, but has since been patched: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340

I'd suggest the issue is likely with your PHP IMAP module, but I know very little about FreeBSD.

felix

zm-brian Hi. I'm not a dev, just active in the forum. Credit goes to @johnny, @aftechro, @wrongecho, and @bhopkins0 .

When you do the database update it should show incremental increases until you get to 0.5.7 (at time of writing). Just keep clicking until you get there.

The mysql/mariadb issue has been fixed. If you should ever find another project with similar needs you can change the sql mode for just that session leaving your other databases unaffected. Use the following line in the projects config.php.

$mysqli->query("SET SESSION sql_mode = 'TRADITIONAL'");

Your email issue is the same one @jakespillstea is having, except on the SMTP side. You can update your PHP SMTP module or you can use /nonvalidate-cert. As far as using /nonvalidate-cert the validation that is skipped is checking if "verisign" recognizes the certificate. It's akin to the "SSL seals" that websites would show in the early 2000s. The cert is still no more or less secure than the one that is issued by an authority (in this case it is, but the module doesn't know that). Of course, the problem lies in the PHP modules and this would just be a work around.

I'll let the pros takeover from here.

wrongecho

zm-brian

Hey, thanks for getting in touch.

It's interesting you say you're having this issue with SMTP - a quick Google search suggests that PHPMailer (the package we use for sending mail - this is separate to IMAP) tries to perform Opportunistic TLS even if you tell if not to.

What happens if you adjust functions.php line 519 (or anywhere in that first block will do) to include:

$mail->SMTPAutoTLS = false;

Not entirely sure what to make of the update loop, what version is it stuck on? Any error logs when you click the button?