Comments (9)

mdecimus avatar mdecimus commented on May 11, 2024

Let's Encrypt certificates should be accepted; the CA certs are bundled with Stalwart. Do you see any warnings or errors if you run openssl s_client -showcerts -connect ldap.xyz.com:636?

The allow-invalid-certs option is not supported on LDAP directories but I'll add that option now.

Can your LDAP server be accessed from the internet? If you want I can also try debugging this from my side, I just need the hostname (you can email it to [email protected]).

from mail-server.

sirrkitt avatar sirrkitt commented on May 11, 2024

I'll shoot the email over in just a second, but here's the output from openssl:

openssl s_client -showcerts -connect ldap.xyz.tld:636
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ldap.xyz.tld
verify return:1
---
Certificate chain
 0 s:CN = ldap.xyz.tld
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  9 11:04:11 2023 GMT; NotAfter: Sep  7 11:04:10 2023 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.xyz.tld
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4197 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 782659CE5A1EF9D016EF0F63C3931744E62F0F0B4C6F8D34BA2663DE22FAAE9F
    Session-ID-ctx:
    Resumption PSK: 3AE9EE19BCA96F663E1F0816B359E1981FF09FDB4EB9A2C8B98C33CA990D1D37CA809DEB61AFE95DC4E6F10E2DFC2D39
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 94 87 7b 37 7a 32 cc 69-10 49 d3 2f 39 1d a3 2d   ..{7z2.i.I./9..-
    0010 - dc b5 49 f0 fc ba ad 59-ae 9c 12 1d 54 e6 09 09   ..I....Y....T...
    0020 - 18 3c 6e 04 21 cc cc 2a-1c 4e 0f 3d ef 86 a2 4a   .<n.!..*.N.=...J
    0030 - 0d 8a 2e 60 95 a4 a5 2c-2e 95 fa c0 e6 ee a0 22   ...`...,......."
    0040 - 01 ac 09 73 89 31 d3 cd-cc f9 04 42 bb e8 ec 54   ...s.1.....B...T
    0050 - 98 af c8 61 71 80 0d 5b-6b ad 05 d7 b2 0b 91 46   ...aq..[k......F
    0060 - a5 db b7 14 eb 9d 3c 4a-09 73 d6 c7 a6 fa aa a6   ......<J.s......
    0070 - 61 f1 70 34 e0 3d ff d6-b2 37 1d a2 04 ed cd 10   a.p4.=...7......
    0080 - c7 c6 db da 56 c8 0e 3e-00 8b a4 ae fa 99 42 6b   ....V..>......Bk
    0090 - 18 c3 0b 35 d9 2d 59 6a-de f4 9f 1e a8 09 62 c2   ...5.-Yj......b.
    00a0 - 93 a8 52 0b 33 49 dd f5-d7 bf 20 95 53 99 52 c8   ..R.3I.... .S.R.
    00b0 - 73 1d ba 67 d8 5c 0c 66-84 72 19 a5 cf 5c 89 f2   s..g.\.f.r...\..
    00c0 - 60 10 85 8d e8 b0 27 fb-31 d6 92 f7 64 38 96 d9   `.....'.1...d8..

    Start Time: 1689672710
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C8ED5A35600A385D55D8167F825C0C88B57423193D64CEF965306C766B66B1A0
    Session-ID-ctx:
    Resumption PSK: ACF4BECFCD80F66FFFF3C3B0A1C7E2A887DCCB518547162F08456DE31B14B3727884836A3129D9FCAB5D7EEBECBACB5B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 94 87 7b 37 7a 32 cc 69-10 49 d3 2f 39 1d a3 2d   ..{7z2.i.I./9..-
    0010 - 04 e8 80 0d c6 bf 49 09-1a 1f 62 41 25 20 cb 19   ......I...bA% ..
    0020 - 14 56 08 00 8d b2 28 84-1d be 4a 57 93 1d 2e 7f   .V....(...JW....
    0030 - d9 1b 1e f0 97 44 10 82-5e a0 1f 9f bf df 17 e2   .....D..^.......
    0040 - b3 cf 0a 9d 34 2b 16 39-dd 7a d7 c2 e3 3f 95 e6   ....4+.9.z...?..
    0050 - 5a e4 eb 0d 41 77 ed 8c-03 e6 fc 12 6c 90 ff 6c   Z...Aw......l..l
    0060 - 43 de d9 1e 95 9a ac 09-3a 9d f0 5d df bd 2a b9   C.......:..]..*.
    0070 - 1a 50 96 02 83 36 d7 55-60 ba 73 d5 df cc c0 7b   .P...6.U`.s....{
    0080 - 0c ec cb 85 37 1b 87 9e-93 81 ed 1d 8b 38 76 d8   ....7........8v.
    0090 - a4 52 2d d9 7e 0d 20 2b-a2 b5 72 5c 7a 46 61 aa   .R-.~. +..r\zFa.
    00a0 - 79 74 d9 fa 2a 3b 83 64-ae aa 79 2d 23 38 e4 b3   yt..*;.d..y-#8..
    00b0 - d7 1c 91 67 2e 06 c4 00-4d 82 52 b7 7f 95 66 34   ...g....M.R...f4
    00c0 - 97 35 c6 aa 5e 19 08 c7-d5 f0 cb ff e8 ba bf 5c   .5..^..........\

    Start Time: 1689672710
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

mdecimus avatar mdecimus commented on May 11, 2024

Thanks, got the email. I'll look into it this afternoon and send you an update.

mdecimus avatar mdecimus commented on May 11, 2024

I just tried connecting to your server over SSL and it seems to be working fine. I get an error code 32 (noSuchObject) but no SSL errors. Are you specifying the port number in the connection string?

[directory."ldap"]
type = "ldap"
address = "ldaps://ldap.xyz.com:636"

sirrkitt avatar sirrkitt commented on May 11, 2024

Still a no-go, even if I specify port number. For whatever reason it keeps spitting out a TLS negotiation error in the OpenLDAP logs and Stalwart spits out an error about the certificates being presented by OpenLDAP being from an unknown issuer.

I'm not sure if this might be specific to the arm64 container or whatnot but I can get it to work with LDAPS as long as I disable certificate verification, so I can do that for now at least.

Normally I'd just use ldapi to connect via unix socket but for now I can just connect over localhost and turn off the cert verification.

mdecimus avatar mdecimus commented on May 11, 2024

I have confirmed this is a container issue: the CA certs are missing. To fix it, log in to the container and run:

$ apt-get update
$ apt-get install ca-certificates

I'll update the Dockerfile now.

mdecimus avatar mdecimus commented on May 11, 2024

Btw, I incorrectly said that the LDAP directory did not support self-signed certificates. It does support this as well as STARTTLS. I'll be updating the documentation soon:

The connection details for the LDAP directory are specified under the directory.<name>.ldap key in the configuration file with the following attributes:

  • address: The URL of the LDAP server.
  • base-dn: The base distinguished name (DN) from where searches should begin.
  • tls: Whether to use STARTTLS to encrypt the connection. This is disabled by default.
  • allow-invalid-certs: Whether to allow self-signed certificates. This is disabled by default.
  • timeout: The timeout for LDAP operations. This is set to 30 seconds by default.

For example,

[directory."ldap"]
type = "ldap"
address = "ldap://localhost:3893"
base-dn = "dc=example,dc=org"
tls = true
allow-invalid-certs = false

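As an added example (not code from this thread, and not Stalwart's own code), here is a small Python checker for the two things the thread turns on: an empty CA trust store, which is what the container had and which makes even a valid Let's Encrypt chain fail as "unknown issuer", and a directory section that leans on allow-invalid-certs or plaintext LDAP instead of a verified TLS connection. The key names (address, tls, allow-invalid-certs) follow the attribute list above; the finding messages, the sample configs, and the loopback heuristic are my own assumptions. Parsing uses the stdlib tomllib (Python 3.11+), falling back to the tomli package on older interpreters.

```python
"""Added example (not Stalwart's code): lint a Stalwart LDAP directory section
and check whether the host's CA trust store is usable at all.

Assumptions (not from the thread): key names follow the attribute list in the
comment above; finding messages, sample configs and the loopback heuristic are
mine.
"""
import ssl
from urllib.parse import urlparse

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample: the configuration shape shown in the thread.
SAMPLE_CONFIG = """
[directory."ldap"]
type = "ldap"
address = "ldap://localhost:3893"
base-dn = "dc=example,dc=org"
tls = true
allow-invalid-certs = false
"""

# Constructed sample: no port, and verification switched off (hypothetical host).
WEAK_CONFIG = """
[directory."ldap"]
type = "ldap"
address = "ldaps://ldap.example.test"
base-dn = "dc=example,dc=test"
allow-invalid-certs = true
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def ca_store_summary() -> dict:
    """Count the CA certificates the default SSL context can load.

    A count of 0 is the situation the container was in: with no roots to chain
    to, every server certificate is rejected as coming from an unknown issuer,
    regardless of how valid the chain is.
    """
    ctx = ssl.create_default_context()
    stats = ctx.cert_store_stats()
    return {"ca_certs": stats["x509_ca"], "trust_store_empty": stats["x509_ca"] == 0}


def lint_ldap_directory(toml_text: str) -> dict:
    """Return a list of findings for every [directory.<name>] with type = "ldap"."""
    cfg = tomllib.loads(toml_text)
    findings = {}
    for name, section in cfg.get("directory", {}).items():
        if not isinstance(section, dict) or section.get("type") != "ldap":
            continue
        notes = []
        url = urlparse(section.get("address", ""))
        starttls = bool(section.get("tls", False))          # STARTTLS, off by default
        allow_invalid = bool(section.get("allow-invalid-certs", False))  # off by default

        if url.scheme not in ("ldap", "ldaps"):
            notes.append(f"unrecognised scheme {url.scheme!r} in address")
        if url.port is None:
            # The thread's first question: is the port in the connection string?
            notes.append("no explicit port in address; use ldaps://host:636 or ldap://host:389")
        if url.scheme == "ldap" and not starttls and url.hostname not in LOOPBACK_HOSTS:
            notes.append("plaintext LDAP to a non-loopback host: set tls = true or use ldaps://")
        if allow_invalid:
            # This hides a missing CA bundle instead of fixing it.
            notes.append("allow-invalid-certs = true disables chain verification; prefer installing the CA")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    print("trust store:", ca_store_summary())
    for label, text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_ldap_directory(text))
```

Run it inside the container that fails to verify the LDAP server: a trust store count of 0 points at the missing ca-certificates package before any TLS debugging starts, and an empty findings list for the directory section means the connection is configured to verify the chain rather than to ignore it.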
sirrkitt avatar sirrkitt commented on May 11, 2024

New dockerfile fixed it.

Thanks!

mdecimus avatar mdecimus commented on May 11, 2024

Great! I'll group some other changes and publish a new version soon.
