Paul,

This is now looking more like a problem squirrelmail is having with Postfix
3. All the installs I have, up to and including Postfix 2.9 work. However this
latest Archlinux box has Postfix 3.

Specifically, the server on which I have 14405 has:

postfix 2.9.3-3

The server with 14501 that is failing has:

postfix 3.0.1-1

This can be seen with configtest.php results. All check succeed until the
'Checkin IMAP server' test which fails at line 740 of configtest.php:

/** Can we open a connection? */
$stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress, $imapPort,
$errorNumber, $errorString);

Which I've compared with the test in rev 14405 and they are the same, so it
isn't the test that is causing the failure, but rather something internal to
squirrelmail handling Postfix 3.0/dovecot. Here is the full configtest output:

SquirrelMail configtest

This script will try to check some aspects of your SquirrelMail configuration
and point you to errors whereever it can find them. You need to go run conf.pl
in the config/ directory first before you run this script.

SquirrelMail version: 1.5.2 [SVN]
Config file version: 1.5.0
Config file last modified: 13 June 2015 23:31:25

Checking PHP configuration...
PHP version 5.6.9 OK. (You have: 5.6.9. Minimum: 4.1.0)
Running as N/A(N/A) / N/A(N/A)
display_errors: (overridden with 1 for this page only)
error_reporting: 22527 (overridden with 32767 for this page only)
variables_order OK: GPCS.
PHP extensions OK. Dynamic loading is disabled.

WARNING: You have configured PHP not to allow short tags
(short_open_tag=off). This shouldn't be a problem with SquirrelMail or any
plugin coded coded according to the SquirrelMail Coding Guidelines, but if you
experience problems with PHP code being displayed in some of the pages and
changing setting to "on" solves the problem, please file a bug report against
the failing plugin. The correct contact information is most likely to be found
in the plugin documentation.
Checking paths...
Data dir OK.
Attachment dir OK.
Checking plugins...
Plugin versions...
squirrelspell 0.5
calendar ??
Plugins OK.
Themes OK.
Default language OK.
Base URL detected as: http://www.*******.com:443/squirrelmail/src (location
base autodetected)
Checking outgoing mail service....
SMTP server OK (220 myhost.*******.com ESMTP Postfix)
Checking IMAP service....
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
failed in /srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning:
fsockopen(): Failed to enable crypto in
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning:
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740

FATAL ERROR: Error connecting to IMAP server "localhost:993".Server error: (0)

I tarred and moved the working rev 14405 to the new server, (checked diff
between the config.php files and they were the same for all practical purposes).
Updated the config for the site and ran configtest.php. Exact same error (except
the line number is 739 on ref 14405):

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
failed in /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739
Warning: fsockopen(): Failed to enable crypto in
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739 Warning:
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739

What does this tell us? It tells us the problem is a change to either the
imap server, TLS or PHP that squirrelmail isn't handling properly. That's the
only thing that makes sense. If it were a change in squirrelmail, the moving
14405 over to the new server would have produces a working install. Instead
14405 experiences the same failure that 14501 does. That points directly to an
update most likely in postfix (2x -> 3x) causing the issue.

In summary the working install has

postfix 2.9.3-3
dovecot 2.1.8-2

The failures are occurring with:

postfix 3.0.1-1
dovecot 2.2.18-1

Between the two, the most significant API changes that are likely at issue
are those in the move from postfix 2.9.3-3 -> postfix 3.0.1-1.

Let me know if I can send anything else.

The GTK WARNINGS (they are NOT ERRORS at this time) are nothing to currently
worry about.. they are just a warning of FUTURE problems to come...


Set the timezone in the /etc/php.ini file as such (RHEL/CentOS/Fedora):

;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = 'America/Denver'

Restart Apache.


Do NOT use SSLv3 as it is deprecated and compromised thus making it insecure.
Use only TLS/STARTTLS authentication. Disable SSLv3 in both the SMTP (Sendmail?)
and IMAP (Dovecot?) servers.

Disble SSLv3 in /etc/dovecot/conf.d/10-ssl.conf:

# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM

Disable SSLv3 by adding to /etc/mail/sendmail.mc and rerun make.

LOCAL_CONFIG
O CipherList=HIGH:RC4-SHA,RC4-MD5
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
+SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Make sure you recompile the sendmail.mc to generate the new sendmail.cf file and
then restart your IMAP and SMTP servers.

-Rich

--
------------------------------------------------------------------------
Rich Hall
***@netlynx.us
http://www.netlynx.us/rich/
ham radio: kf6arx
GPG Fingerprint: 1FE661FF5EBACE0CEC60C4CCA7DA943DD2722CC4
------------------------------------------------------------------------
Some people are like slinkies.. Not really good for anything useful,
but they bring a smile to your face when pushed down the stairs.
------------------------------------------------------------------------
And remember - if it ain't broke, hit it again.

David,

Just an outside guess. Check the number of dovecot processes currently
running on the host for any given user. (with imap access via desktop, laptop,
tablet, iphone each can open 2+ session which easily exceed the default 10
allowed) On all my dovecot installs, I've had to increase the number of
simultaneous connections to 30. Otherwise, dovecot just refuses to allow a
connection giving an ("Unknown error").

To increase the max allowed connections, edit /etc/dovecot/dovecot.conf and
add the following:

protocol imap {
mail_max_userip_connections = 30
}

I've been bitten by this more than once -- I don't have excess hair to pull
out anymore...

A few years back the certificate CN recommendation changed for cert generation from:

'host.domain.tld'

to

'*.domain.tld'


This was intended to allow additional flexibility. I know I've made use of that
format for at least the last 2-3 years of certificate generation. peer
verification in php will deal with the wildcard properly allowing the normal
CNames for a host. (e.g. hostname, ftp, mail, www, etc..). This recommendation
applies to both server certificates (httpd, etc.) and mail certificates.

I don't know if it will help with your setup, but it does help keep you from
being locked into a specific cert CN.

SquirrelMail is not confused about anything. Apparently you have
misconfigured your PHP SSL settings and/or the ones on your IMAP
server. A CA can be used to sign more than one certificate and is not
restricted to any one server. If you don't understand how certificate
generation and signing works, you should do more research and learning
or perhaps avoid using self-signed certs.
Nothing has to be hard coded. You have some knowledge gaps that need
to be filled, after which your journey to correct your SSL
configuration will become easier.