On Sep 14, 2013, at 10:36 PM, Noel Butler wrote:

> On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:
>
>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>
> Well, it's likely an Apple fault, after all their implementation of pop3
> has been known to be broken for many many many years, but still after
> all these years are incapable of finding a developer to fix it by
> inserting a QUIT after it's done everything.
>
>> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>>
>> What is this… read client certificate? There is no client certification in
>> this config.
>
> dovecot wants to know if your client wishes to authenticate using a
> local-to-client certificate, wouldn't focus too much on that
> (unless that client is trying to give a certificate that is invalid -
> not sure, I have never ever in 20 years, seen any client try to auth
> with a local certificate to a mail server)...
>
> is this just one user? or all using apple? is it you?

It is just me (I'm my only user). Neither my Macbook nor my iPhone can use this IMAP server. I got a colleague to try his iPhone; same problem there too.

> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs
> has really been deprecated everywhere for some time now)

For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.

# doveconf nf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    port = 0
  }
}
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

Looking via tcpdump, I can see that emails are indeed being downloaded in clear text. I suppose that's not so big an issue, given they are delivered in plain text. But it would be better to have the IMAP connection secured.

> a successful TLS login appears like (and this particular user I know
> uses an ipad) :
>
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [101.xx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [101.xxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [101.xxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [101.xxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [101.xxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [101.xxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [101.xxxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [101.xxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [101.xxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [101.xxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [101.xxxxx]
> Sep 15 12:09:45 imap-login: Info: Login: user<x@x>, method=PLAIN, rip=xxxxx, TLS
>
>> protocols = imap
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     address = 199.233.228.197
>>   }
>> }
>
> inet_listener imap {
>   port = 143    <-- use it for TLS, it's possible this is why fails as it's
>                     falling back to TLS, I can't test that theory since we
>                     all use android devices.
> }
> inet_listener imaps {
>   port = 993
> }
>
> Anyway, the fact you said thunderbird works, indicates it is not a cert
> issue, and I fail to see dovecot issue, have they tried another mail
> app?

I have not. That's a good test… I'm searching for a free mail client to test with now…. failing...

-- 
Dan Langille - http://langille.org
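
Added example (not part of the original thread, and not Dovecot's own code): the where= values in the verbose_ssl lines quoted above are OpenSSL info-callback bitmasks, so 0x2002 decodes to ACCEPT|EXIT, meaning the server-side handshake routine returned while in the named state. The sketch below decodes those lines and reports, per peer, whether the handshake completed and the last state logged; the sample lines and the function names are constructed for illustration.

```python
import re

# OpenSSL info-callback bits (SSL_CB_* / SSL_ST_* in <openssl/ssl.h>).
FLAGS = [(0x0001, "LOOP"), (0x0002, "EXIT"), (0x0004, "READ"), (0x0008, "WRITE"),
         (0x0010, "HANDSHAKE_START"), (0x0020, "HANDSHAKE_DONE"),
         (0x1000, "CONNECT"), (0x2000, "ACCEPT"), (0x4000, "ALERT")]

# Matches both "Debug: SSL: where=..., ret=N: state [peer]" and
# "Warning: SSL failed: where=...: state [peer]" as quoted in the thread.
LINE_RE = re.compile(
    r"(?P<level>Debug|Warning): SSL(?: failed)?: where=(?P<where>0x[0-9a-fA-F]+)"
    r"(?:, ret=(?P<ret>-?\d+))?: (?P<state>.*?) \[(?P<peer>[^\]]+)\]")

def decode_where(where):
    """Return the names of the callback bits set in a where= value."""
    return [name for bit, name in FLAGS if where & bit]

def parse_line(line):
    """Parse one verbose_ssl log line; None if it is not an SSL state line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"failed": m["level"] == "Warning",
            "flags": decode_where(int(m["where"], 16)),
            "ret": int(m["ret"]) if m["ret"] is not None else None,
            "state": m["state"], "peer": m["peer"]}

def summarize(lines):
    """Per peer: did the handshake finish, did it fail, and the last state logged."""
    peers = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers.setdefault(ev["peer"],
                             {"done": False, "failed": False, "last_state": None})
        p["done"] = p["done"] or "HANDSHAKE_DONE" in ev["flags"]
        p["failed"] = p["failed"] or ev["failed"]
        p["last_state"] = ev["state"]
    return peers

# Constructed sample lines in the thread's log format (documentation IP ranges).
SAMPLE = [
    "Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.0.2.10]",
    "Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.10]",
    "Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.0.2.10]",
    "Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.0.2.10]",
    "Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [198.51.100.7]",
]

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, info)
```

The same "read client certificate A" state appears with ret=-1 in the successful handshake quoted above, so on its own it marks where the server was waiting for the client's next message rather than a failed certificate check.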