Managesieve plugin fails with DIGEST-MD5

[earonyk]

(Sorry about the line breaks...)

When attempting to use the managesieve plugin I get the error "Unable to connect to managesieve server". I have tried extensive troubleshooting and debugging. Here are my findings so far. I would appreciate any guidance that you could offer me.

The system in question is a FreeBSD 8.0 amd64 machine with the following software from the ports tree:

* VERSIONS *
dovecot-1.2.10 = up-to-date with port
dovecot-managesieve-0.11.11 = up-to-date with port
dovecot-sieve-1.2+0.1.15 = up-to-date with port
pecl-fileinfo-1.0.4 = up-to-date with port
pecl-pdflib-2.1.6_1 = up-to-date with port
php5-5.2.12_1 = up-to-date with port
php5-bcmath-5.2.12_1 = up-to-date with port
php5-bz2-5.2.12_1 = up-to-date with port
php5-calendar-5.2.12_1 = up-to-date with port
php5-ctype-5.2.12_1 = up-to-date with port
php5-curl-5.2.12_1 = up-to-date with port
php5-dba-5.2.12_1 = up-to-date with port
php5-dom-5.2.12_1 = up-to-date with port
php5-exif-5.2.12_1 = up-to-date with port
php5-extensions-1.3 = up-to-date with port
php5-filter-5.2.12_1 = up-to-date with port
php5-ftp-5.2.12_1 = up-to-date with port
php5-gd-5.2.12_1 = up-to-date with port
php5-gettext-5.2.12_1 = up-to-date with port
php5-hash-5.2.12_1 = up-to-date with port
php5-iconv-5.2.12_1 = up-to-date with port
php5-imap-5.2.12_1 = up-to-date with port
php5-json-5.2.12_1 = up-to-date with port
php5-ldap-5.2.12_1 = up-to-date with port
php5-mbstring-5.2.12_1 = up-to-date with port
php5-mcrypt-5.2.12_1 = up-to-date with port
php5-mhash-5.2.12_1 = up-to-date with port
php5-mysql-5.2.12_1 = up-to-date with port
php5-mysqli-5.2.12_1 = up-to-date with port
php5-ncurses-5.2.12_1 = up-to-date with port
php5-odbc-5.2.12_1 = up-to-date with port
php5-openssl-5.2.12_1 = up-to-date with port
php5-pcre-5.2.12_1 = up-to-date with port
php5-pdo-5.2.12_1 = up-to-date with port
php5-pdo_sqlite-5.2.12_1 = up-to-date with port
php5-posix-5.2.12_1 = up-to-date with port
php5-pspell-5.2.12_1 = up-to-date with port
php5-readline-5.2.12_1 = up-to-date with port
php5-session-5.2.12_1 = up-to-date with port
php5-simplexml-5.2.12_1 = up-to-date with port
php5-snmp-5.2.12_1 = up-to-date with port
php5-soap-5.2.12_1 = up-to-date with port
php5-sockets-5.2.12_1 = up-to-date with port
php5-spl-5.2.12_1 = up-to-date with port
php5-sqlite-5.2.12_1 = up-to-date with port
php5-tokenizer-5.2.12_1 = up-to-date with port
php5-xml-5.2.12_1 = up-to-date with port
php5-xmlreader-5.2.12_1 = up-to-date with port
php5-xmlrpc-5.2.12_1 = up-to-date with port
php5-xmlwriter-5.2.12_1 = up-to-date with port
php5-xsl-5.2.12_1 = up-to-date with port
php5-zip-5.2.12_1 = up-to-date with port
php5-zlib-5.2.12_1 = up-to-date with port
postfix-2.7.0,1 = up-to-date with port
roundcube-0.3.1,1 = up-to-date with port
(Irrelevant ports omitted)

I can verify that managesieve is working properly when not used with roundcube. I followed the instructions on ​http://wiki.dovecot.org/ManageSieve/Troubleshooting and got the following results:

* TELNET DEBUG SESSION *
root@mail:/usr/local/www/roundcube/plugins/managesieve# telnet localhost 2000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^{]'.
"IMPLEMENTATION" "dovecot"
"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
"STARTTLS"
"NOTIFY" "mailto"
"VERSION" "1.0"
OK "Dovecot ready."
AUTHENTICATE "PLAIN" "XXXXXXXXX==" (PASSWORD OMITTED)
OK "Logged in."}

In order to debug this I uncommented "$this->sieve->setDebug();" in the file /usr/local/www/roundcube/plugins/managesieve/lib/rcube_sieve.php. I tested with TLS enabled and disabled, and got the following results:

* DEBUG OUTPUT WITH TLS ENABLED *
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"STARTTLS"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "Dovecot ready."
C:CAPABILITY
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"STARTTLS"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "Capability completed."
C:STARTTLS
S:OK "Begin TLS negotiation now."
STARTTLS Negotiation Successful
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "TLS negotiation successful."
C:CAPABILITY
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "Capability completed."
C:AUTHENTICATE "DIGEST-MD5"
S:"cmVhbG09IiIsbm9uY2U9Ill3MEtnV0xCM0tXSityTStWUDduM2c9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI="
S:BYE "Disconnected for inactivity."

* DEBUG OUTPUT WITHOUT TLS ENABLED *
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"STARTTLS"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "Dovecot ready."
C:CAPABILITY
S:"IMPLEMENTATION" "dovecot"
S:"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
S:"SASL" "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN"
S:"STARTTLS"
S:"NOTIFY" "mailto"
S:"VERSION" "1.0"
S:OK "Capability completed."
C:AUTHENTICATE "DIGEST-MD5"
S:"cmVhbG09IiIsbm9uY2U9ImVKMGJtTUEvZ0xWeTFYSEhjTFdXNFE9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI="
S:

These attempts generate the following log messages:

* EXCERPTS FROM /var/log/maillog *
Apr 5 21:49:52 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 5 21:49:52 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 5 21:49:59 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 5 21:49:59 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 5 21:53:57 mail dovecot: managesieve-login: Disconnected: Inactivity (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, TLS
Apr 5 21:53:57 mail dovecot: managesieve-login: Disconnected: Inactivity (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, TLS
Apr 5 21:59:00 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 5 21:59:00 mail dovecot: managesieve-login: Disconnected (disconnected while authenticating): method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured

From looking at the debug messages and logs, it seems like roundcube's managesieve plugin never responds with an actual DIGEST-MD5 after annoucing the intention to use such. Is there a configuation change I can make to work around this? It's a local login, so is there a way to use PLAIN authentication?

Relevant entries from config files:

* config.inc.php *
root@mail:/usr/local/www/roundcube/plugins/managesieve# cat config.inc.php | grep rcmail
$rcmail_configmanagesieve_port? = 2000;
$rcmail_configmanagesieve_host? = 'localhost';
$rcmail_configmanagesieve_usetls? = false;
$rcmail_configmanagesieve_default? = '/etc/dovecot/sieve/global';
$rcmail_configmanagesieve_mbox_encoding? = 'UTF7-IMAP';
$rcmail_configmanagesieve_replace_delimiter? = ;
$rcmail_configmanagesieve_disabled_extensions? = array();

* /usr/local/etc/dovecot.conf *
protocols = imap pop3 imaps pop3s managesieve
protocol lda {

postmaster_address = postmaster@…
mail_plugins = sieve

}
plugin {

sieve=~/.dovecot.sieve
sieve_dir=~/sieve

}

I appreciate any guidance you can give me!

Thanks,
Ed Aronyk

[earonyk]

Just noticed... this is a known bug in Net_Sieve 1.1.7, and is fixed in 1.2.0. Perhaps that version should be included in the future?

[alec]

Fixed in r3453/svn.