Error configuring IMAP - stream_socket_client Unknown Error

jiit · Aug 30, 2023

Hi Kevin,

I've confirmed there are no IMAP-related entries recorded in the PHP error log. It was an easy check because the log was so short, just a couple unrelated entries from when it was first installed, and nothing at all from the last few days.

As a test, I also tried downgrading from PHP 8.2.9 to 8.2.8 and 8.1. Same result on all versions.

Besides testing osTicket v1.16 successfully, I've also now tested v1.17 and IMAP connects successfully to the same mail server using the same settings and account. So there must be something in the osTicket or PHP configuration of my 1.18 version that is breaking it.

Looks like I'll have to install osTicket version 1.17 and start this setup from scratch to get e-mail to work.

KevinTheJedi · Aug 30, 2023

jiit

I wish I could be more helpful but I’m unable to assist without any further errors. I’m also unable to replicate this using v1.18 and PHP 8.2. Of course I don’t have a local exchange server so not too sure if it’s PHP related or mailserver related.

Make sure you have enabled all PHP extensions for your version of PHP. It’s possible you are missing some extensions on the new version of PHP.

Cheers.

jiit · Aug 31, 2023

KevinTheJedi

Hi Kevin,

We found the issue, so I'll post it here for anyone else's benefit who comes across this thread.

The error was due to the fact that Exchange was using a self-signed SSL certificate for the IMAP service, and osTicket did not trust that certificate. Once we installed the self-signed certificate locally to the trusted store on our osTicket server, the problem was resolved.

It appears this requirement to have a trusted SSL certificate must have been added to a relatively recent version of osTicket or PHP. It's too bad the error message doesn't indicate anything about the cert, and just gives "Unknown Error." Not sure if that's something osTicket can update to improve, or if that's purely a PHP thing.

(As to why we wouldn't just use a signed SSL certificate issued by a public CA: We do have one installed on the Exchange server, but it does not allow us to use it for IMAP. It might be because the cert is a wildcard certificate, but we didn't troubleshoot that part any further, because it doesn't matter at this point. IMAP is only going to be used internally, not open to the web, and the osTicket server is internal.)

epdguez · Aug 31, 2023

jiit Perfecto, se ajusta a mi situación. MI servidor de correo usa cert. auto firmado. puedes aportarme como hacer ese procedimiento de agregar el certificado autoformado al almacen de osticket?

epdguez · Aug 31, 2023

epdguez

bueno en mi server cree una carpeta include/pluggins/certificates
descargue el certificado de mi servidor
openssl s_client -connect mail.midominio:993 -showcerts | openssl x509 -outform PEM > certificado.crt
reinicie apache, e intente config nuevamente y no me funciona. quizás este haciendo algo mal o que deba hacer otra cosa.

epdguez · Sep 1, 2023

epdguez Debo aportar más información, o captura de alguna pantalla?
Datos: Servidor de correo Zimbra 8.x el mismo que estaba config en la v de osticket 1.15 y funcionaba ok
puertos habilitados en el serv de correo

Port #22 (ssh): listening
Port #25 (smtp): listening
Port #110 (pop3): listening
Port #143 (imap): listening
Port #389 (ldap): listening
Port #443 (https): listening
Port #993 (imaps): listening
Port #995 (pop3s): listening
Port #8443 (caldav-ssl): listening
El certificado es autofirmado, pero siguiendo sugerencias lo incorpore a include/pluggins/certificates
usando la sgte orden para descargarlo
openssl s_client -connect mail.midominio:993 -showcerts | openssl x509 -outform PEM > certificado.crt

pero no sé como comprobar que esta haciendo uso del certificado.
La verdad es que este detalle me tiene preocupado, pues la empresa usa el servicio para todos los reportes y desde la migración no recibimos los msg x correo, solo los que se agregan desde la web

jiit · Sep 1, 2023

epdguez

it doesn't sound like you have a similar environment to me. We're using Exchange and running osTicket on a Windows server. It sounds like you're using different platforms for both the mail and web servers. So, I'm afraid I can't help you beyond what I've already posted above. Buena suerte!

SimplyYogurt32 · Sep 18, 2023

We have the same behaviour like jiit in our environment. We use exchange 2016 onpremise with osTicket installed on ubuntu Linux. With 1.16.6 everything ist fine, but with higher versions, we get the same error message.
cannot connect to host; error = stream_socket_client(): Unable to connect to ssl://myserver:993 (Unknown error) (errno = 0 )

We also use a self sgined certificate for IMAP on our exchange server for internal use.
My problem is, how and where to put the self signed certificate on the ubuntu server,
so that osTicket start pulling the mails?
Any ideas?

Best regards

KevinTheJedi · Sep 18, 2023

Everyone,

I will post a patch in this thread shortly that should skip certificate validation for IMAP/POP3 and SMTP. If it works we'll see about adding it to core.

Cheers.

KevinTheJedi · Sep 18, 2023

Everyone,

Please try this and let me know if this works without installing self-signed cert locally on the server:

diff --git a/include/class.mail.php b/include/class.mail.php
index 1a476de2..788af3f0 100644
--- a/include/class.mail.php
+++ b/include/class.mail.php
@@ -657,7 +657,10 @@ namespace osTicket\Mail {
         // Build out SmtpOptions options based on SmtpAccount Settings
         private function buildOptions(AccountSetting $setting) {
             // Dont send 'QUIT' on __destruct()
-            $config = ['use_complete_quit' => false];
+            $config = [
+                'use_complete_quit' => false,
+                'novalidatecert' => true
+            ];
             $connect = $setting->getConnectionConfig();
             $auth = $setting->getAuthCredentials();
             switch (true) {
@@ -912,6 +915,7 @@ namespace osTicket\Mail {
                 'ssl' => $ssl,
                 'protocol' => strtoupper($account->getProtocol()),
                 'name' => self::get_hostname(),
+                'novalidatecert' => true
             ];
 
             // Set errors to null to clear validation

Cheers.

jiit · Sep 18, 2023

Since we've got it working by installing the self-signed cert, I'm not going to rock the boat by testing this fix presently. But I'll give it a try next time we do a deployment. We may be upgrading our own in a few months. In the meantime, I'll be interested to hear if anyone else has success with this. Thanks, KevinTheJedi !

Chefkeks · Oct 10, 2023

Hi KevinTheJedi my colleague and I fixed it!
Seems you did not call the constructor from the laminas-mail protocoltrait class on line 318 in include/class.mail.php which is necessary to set the novalidatecert to true. So we add this call including "true" as the last parameter for the novalidatecert to fix it. All that was necessary is to add this line:
parent::__construct($connect['host'], $connect['port'], $connect['ssl'], true);

Here is how it looks then inside include/class.mail.php file:

    // MailBoxProtocolTrait
    use Laminas\Mail\Protocol\Imap as ImapProtocol;
    use Laminas\Mail\Protocol\Pop3 as Pop3Protocol;
    trait MailBoxProtocolTrait {
        final public function init(AccountSetting $setting) {
            // Attempt to connect to the mail server
            $connect = $setting->getConnectionConfig();
            // Let's go Brandon
            parent::__construct($connect['host'], $connect['port'], $connect['ssl'], true);
            parent::connect($connect['host'], $connect['port'],
                    $connect['ssl']);
            // Attempt authentication based on MailBoxAccount settings
            $auth = $setting->getAuthCredentials();

Another fix as mentioned by someone else is to add the base64 encoded certificate of the mail / exchange server or the certificate of your CA to the local certificate store. To do this (for debian linux) place the cert under /usr/local/share/ca-certificates/ and name it e.g. mailserver.crt. Make sure to use .crt file extension. Then update the cert store by sudo update-ca-certificates. Output looks like this then:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

sakbari · Oct 10, 2023

@Chefkeks

This how my file looks

// Attempt to connect to the mail server
$connect = $setting->getConnectionConfig();
// Let's go Brandon
//parent::connect($connect['host'], $connect['port'],
// $connect['ssl']);
parent::__construct($connect['host'], $connect['port'], $connect['ssl'], true);
parent::connect($connect['host'], $connect['port'],
$connect['ssl']);
// Attempt authentication based on MailBoxAccount settings

but it;s does nog work

KevinTheJedi · Oct 16, 2023

Chefkeks

After looking into this a little deeper the only changes we need to successfully disable certificate validation for IMAP/POP3 and SMTP are the following:

diff --git a/include/class.mail.php b/include/class.mail.php
index 1e347f5a4..441fcf450 100644
--- a/include/class.mail.php
+++ b/include/class.mail.php
@@ -315,8 +315,8 @@ namespace osTicket\Mail {
             // Attempt to connect to the mail server
             $connect = $setting->getConnectionConfig();
             // Let's go Brandon
-            parent::connect($connect['host'], $connect['port'],
-                    $connect['ssl']);
+            parent::__construct($connect['host'], $connect['port'],
+                    $connect['ssl'], true);
             // Attempt authentication based on MailBoxAccount settings
             $auth = $setting->getAuthCredentials();
             switch (true) {
@@ -657,7 +657,10 @@ namespace osTicket\Mail {
         // Build out SmtpOptions options based on SmtpAccount Settings
         private function buildOptions(AccountSetting $setting) {
             // Dont send 'QUIT' on __destruct()
-            $config = ['use_complete_quit' => false];
+            $config = [
+                'use_complete_quit' => false,
+                'novalidatecert' => true
+            ];
             $connect = $setting->getConnectionConfig();
             $auth = $setting->getAuthCredentials();
             switch (true) {

I would like to thank you again for your input and testing! These changes will be included in the next set of releases, so please stay tuned.

Cheers.

KevinTheJedi · Oct 16, 2023

sakbari

You can apply my DIFF file above. If you don't know how to apply a diff file you can Google "how to apply a diff file"; it's very simple. Once the changes are applied you should restart the webserver and/or PHP-FPM (to ensure nothing is being cached) and retest.

Cheers.

KevinTheJedi · Oct 16, 2023

Everyone,

Here is the official Pull Request for these changes:

https://github.com/osTicket/osTicket/pull/6618

If anything changes the pull request will be updated.

Cheers.

nor_rem · Oct 17, 2023

Where to change the setting in version 1.18

nor_rem · Oct 17, 2023

I changed the following lines and certificate verification was disabled
// Set the connection settings $this->connection = [ 'host' => $host, 'port' => $port, 'ssl' => $ssl, 'protocol' => strtoupper($account->getProtocol()), 'name' => self::get_hostname(), 'use_complete_quit' => false, 'novalidatecert' => true ]; oraz private function buildOptions(AccountSetting $setting) { // Dont send 'QUIT' on __destruct() $config = ['use_complete_quit' => false,'novalidatecert' => true]; $connect = $setting->getConnectionConfig(); $auth = $setting->getAuthCredentials();

asadler · Feb 13, 2024

Hello
This is my /includes/class.mail.php, where do I change this in osTicket version 1.18 for the emails to work, I am using Gmail

KevinTheJedi · Feb 13, 2024

asadler

Install the latest release of v1.18.1 from our website, install the latest build of the OAuth2 plugin from our website, install/enable the URL Rewrite module on your web server, follow the below guide to configure Gmail Modern Authentication (OAuth2):

https://docs.osticket.com/en/latest/OAuth2/Google%20Authorization%20Guide.html

Cheers.