Roundcube & Postfix SMTP: SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c

Error message above looks like a client (PHP script invoked by roundcube) fails to verify peer certificate because unknown CA. There are many reasons why this error happened.

Regarding openssl, Roundcube version 1.0-RC and later shipped with SSL connection option. Parameter smtp_conn_options and imap_conn_options was added in version 1.0-RC and 1.0.3 respectively. By default, the value of both parameters was null. The snippet below was taken from roundcube file config/defaults.inc.php. You can refers to PHP manual to get complete description of this parameter.

// SMTP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation, and
// requires 'smtp_timeout' to be non zero.
// $config['smtp_conn_options'] = array(
//   'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
$config['smtp_conn_options'] = null;

In many systems who using self signed certificate, the default value works for PHP 5.5 and earlier. By default, PHP 5.6 will verify peer certificate against installed CA and verify the peer name.

Now, looks like Debian jessie also shipped with default PHP version 5.6. Apparently PHP fails to verify postfix certificate. The possible reasons, PHP fails in verify_peer_name (because you specify localhost in hostname) or in verify_peer (because CA was unknown)

---

Similar case was also happened to Arch Linux user. The solution was either:

• Install CA certificate in openssl cert directory
• In roundcube smtp_server option, change localhost to Postfix FQDN (solution from OP)
• Disable verify_peer and/or verify_peer_name in smtp_conn_options