selinux preventing PHP/Roundcube from connecting to local SMTP or IMAP ports
EDIT: I've determined the cause is selinux. After disabling enforcement with setenforce 0
everything worked. So the new question is, what's going on with selinux? I only have default CentOS 7 policies.
I've configured RoundCube mail on CentOS 7
<?php
$config['db_dsnw'] = 'mysql://roundcube:redacted@localhost/webmail';
$config['default_host'] = 'localhost';
$config['default_port'] = 993;
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = '';
$config['des_key'] = 'redacted';
$config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'filesystem_attachments', 'help', 'hide_blockquote', 'managesieve', 'markasjunk', 'newmail_notifier', 'password', 'userinfo', 'vcard_attachments', 'zipdownload');
$config['language'] = 'en_US';
$config['spellcheck_engine'] = 'pspell';
$config['htmleditor'] = 2;
$config['draft_autosave'] = 60;
$config['preview_pane'] = true;
and when testing SMPT, I get the error:
Trying to send email...
SMTP send: NOT OK(Connection failed: Failed to connect socket: Permission denied)
and with IMAP:
Connecting to localhost...
IMAP connect: NOT OK(Login failed for user from my.ip.ad.dr Could not connect to localhost:993: Permission denied)
But... the ports are fine. They're open. I've verified this:
$ openssl s_client -connect 127.0.0.1:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect 127.0.0.1:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:993 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
$ openssl s_client -connect [::1]:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
iptables
is not installed, firewalld
is used in its place.
I've taken down firewalld
for testing.
Any idea what's going on here?
$ uname -a
Linux gbox 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux`
$ cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)`
$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
$ php -v
PHP 5.4.16 (cli) (built: Apr 12 2018 19:02:01)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
$ postconf -d | grep mail_version
mail_version = 2.10.1
$ dovecot --version
2.2.10
Solution 1:
So, it was selinux. After digging deep and remembering how to read the audit log, I came up with:
setsebool -P httpd_can_network_connect 1
which allows httpd to initiate socket connections (from what I understand) across the network.