Unable to connect to Mailbox via Roundcube webmail or any email client via IMAP if Plesk Premium Email is installed: Connection failed

Symptoms

• Plesk Obsidian running on a Linux-based operating system
• The Plesk Premium Email extension is installed (it does not matter if it is enabled or disabled as an Extension)
• Unable to connect to Mailbox via Roundcube webmail, while the following error appears:
  

  PLESK_INFO: Connection to IMAP failed

• Errors that are similar to the following can be found in the Guam service log by running the journalctl -uguam command:
  

  CONFIG_TEXT: Mar 11 15:45:43 example.com guam[694]: 14:45:43.785 [warning] TLS handshake failed with a tls_alert: {insufficient_security,"TLS server: In state hello at tls_handshake.erl:314 generated SERVER ALERT: Fatal - Insufficient Security\n no_suitable_ciphers"}
  Mar 11 15:45:44 example.com guam[694]: 14:45:44.053 [error] gen_server <0.31142.8> terminated with reason: no match of right hand value {error,{tls_alert,{insufficient_security,"TLS server: In state hello at tls_handshake.erl:314 generated SERVER ALERT: Fatal - Insufficient Security\n no_suitable_ciphers"}}} in kolab_guam_session:start_client_tls/4 line 400
  Apr 13 11:01:36 example.com guam[313457]: 11:01:36.142 [error] gen_fsm <0.563.0> in state disconnected terminated with reason: no match of right hand value {{error,closed},true,<0.563.0>,{[],[]}} in eimap:disconnected/2 line 140
  Apr 13 11:01:36 example.com guam[313457]: 11:01:36.142 [error] CRASH REPORT Process <0.563.0> with 0 neighbours exited with reason: no match of right hand value {{error,closed},true,<0.563.0>,{[],[]}} in eimap:disconnected/2 line 140 in gen_fsm:terminate/8 line 623

• Many errors that are similar to the following can be found in the /var/log/guam/console.log:
  

  CONFIG_TEXT: 2022-07-16 00:34:13.262 [error] <0.20002.218> SSL: certify: ssl_alert.erl:93:Fatal error: certificate unknown
  2022-07-16 00:34:13.262 [warning] <0.18160.218>@kolab_guam_session:accept_client:187 TLS handshake failed with a tls_alert: "certificate unknown"
  2022-07-16 00:34:13.287 [error] <0.18725.218> SSL: certify: ssl_alert.erl:93:Fatal error: certificate unknown
  2022-07-16 00:34:13.287 [warning] <0.19394.218>@kolab_guam_session:accept_client:187 TLS handshake failed with a tls_alert: "certificate unknown"

• Unable to check the IMAP certificate on port 993 (the check may work fine on the POP3 port 995), TLSv1.2 protocol is used, but the Cipher is returned as 0000:
  

  # [root@server ~]# openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com
  CONNECTED(00000003)
  139836725192592:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 314 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  SSL-Session:
  Protocol : TLSv1.2
  Cipher : 0000
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Key-Arg : None
  Krb5 Principal: None
  PSK identity: None
  PSK identity hint: None
  Start Time: 1722342657
  Timeout : 300 (sec)
  Verify return code: 0 (ok)
  ---

• Unable to check the IMAP certificate on port 993 (the check may work fine on the POP3 port 995), TLSv1.3 protocol is used, but the Cipher is returned as 0000:

  # % openssl s_client -crlf -connect example.com:993
  CONNECTED(00000005)
  read:errno=0
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 287 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  SSL-Session:
  Protocol : TLSv1.3
  Cipher : 0000
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Start Time: 1681374915
  Timeout : 7200 (sec)
  Verify return code: 0 (ok)
  ---

Cause

The Ciphers, mentioned in /etc/guam/sys.config configuration file of the Plesk Premium Email extension are incorrect and are unable to work properly with either TLSv1.2 or TLSv1.3 via the IMAP port 993.

Resolution

The issue is fixed permanently in the latest version of the extension, due to which you should first try and resolve the issue by updating the Plesk Premium Email extension to its latest version by using the steps in this article:

How to manage Plesk extensions (install, disable, remove, update)

If the issue persists after the extension has been updated to its latest version, you should do the following:

1. Log into your server via SSH
2. Execute the following command in order to make sure the /etc/guam/sys.config configuration file is synchronized properly:

# plesk bin extension -e kolab sync-guam-config.php

3. Restart the Guam service by executing the following command:

# systemctl restart guam

Additional information

How to verify that SSL for IMAP/POP3/SMTP works and a proper SSL certificate is in use