selinux preventing PHP/Roundcube from connecting to local SMTP or IMAP ports

smtp selinux imap centos-7 roundcube

EDIT: I've determined the cause is selinux. After disabling enforcement with setenforce 0 everything worked. So the new question is, what's going on with selinux? I only have default CentOS 7 policies.

I've configured RoundCube mail on CentOS 7

<?php
  $config['db_dsnw'] = 'mysql://roundcube:redacted@localhost/webmail';
  $config['default_host'] = 'localhost';
  $config['default_port'] = 993;
  $config['smtp_server'] = 'localhost';
  $config['smtp_port'] = 587;
  $config['smtp_user'] = '%u';
  $config['smtp_pass'] = '%p';
  $config['support_url'] = '';
  $config['des_key'] = 'redacted';
  $config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'filesystem_attachments', 'help', 'hide_blockquote', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'userinfo', 'vcard_attachments', 'zipdownload');
  $config['language'] = 'en_US';
  $config['spellcheck_engine'] = 'pspell';
  $config['htmleditor'] = 2;
  $config['draft_autosave'] = 60;
  $config['preview_pane'] = true;

and when testing SMPT, I get the error:

Trying to send email...
SMTP send:  NOT OK(Connection failed: Failed to connect socket: Permission denied)

and with IMAP:

Connecting to localhost...
IMAP connect:  NOT OK(Login failed for user from my.ip.ad.dr Could not connect to localhost:993: Permission denied)

But... the ports are fine. They're open. I've verified this:

$ openssl s_client -connect 127.0.0.1:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect 127.0.0.1:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...

iptables is not installed, firewalld is used in its place.

I've taken down firewalld for testing.

Any idea what's going on here?

$ uname -a
Linux gbox 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux`
$ cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)`
$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jun 27 2018 13:48:59
$ php -v
PHP 5.4.16 (cli) (built: Apr 12 2018 19:02:01)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
$ postconf -d | grep mail_version
mail_version = 2.10.1
$ dovecot --version
2.2.10

Solution 1:

So, it was selinux. After digging deep and remembering how to read the audit log, I came up with:

setsebool -P httpd_can_network_connect 1

which allows httpd to initiate socket connections (from what I understand) across the network.

Related

Securing SSH port forwarding?
Does VLC Media Player play videos with a resolution of 2.39:1?
How to translate a full excel sheet to another language with the Microsoft Translator?
Shutdown button (Start Menu & Login Screen) logs out but doesn't shut down in Windows 10 Desktop PC
Blocking Windows 11 update on Windows 10 Pro
can I make harddisk access slower or less frequent?
How to remove transparent background in GIMP?
Forget iPlayer and video feeds, is there a way to view BBC.co.uk outside of the UK so I can read domestic articles?
Excel LEN between two symbols
What does ext.kotlin_version = '+' mean in Build.gradle?
Selenium element.text() is not considered as a string
Not found error with two Node projects served by NGINX with Docker