On 2019-06-06, kasak <ka...@kasakoff.net> wrote:
>
> Excuse me, can this issue also break dovecot and latest thunderbird?
> With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
> opensmtpd) suddenly refuse to log me in.
> Dovecot shows something like this in logs:
>
> TLS handshaking: SSL_accept() failed: error:140270E3:SSL
> routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

Yes I am pretty much certain this has the same cause. Fixes:

- move the server to current where this has been fixed already

- the fix has been committed to -stable today so you can update
  libssl from there; if you already have a checkout you can do this

      cd /usr/src/lib/libssl
      cvs up -r OPENBSD_6_5 -Pd
      make obj
      make
      make install

  (and restart the relevant services)

- an errata/syspatch is planned for this issue; should show up in
  the next few days (possibly Monday)

- update crypto-policies from the Fedora testing repository, see links
  in comments 10/11 on https://bugzilla.redhat.com/show_bug.cgi?id=1713777

> I found workaround for this, by switching from "STARTTLS" to SSL/TLS for
> imap. But OpenSMTPD still not working.
> As I said, this behavior appeared in latest thunderbird 60.7.0. Older
> versions of thunderbird work.

btw, where possible it's usually a good idea to use a port which just
uses plain TLS rather than starting as text and switching with STARTTLS,
this avoids the risk of a cleartext connection being intercepted and
modified to disable the STARTTLS. (of course if a client is configured
to never send cleartext credentials then it doesn't matter, but that's
not always done)
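
Added example, not part of the original message: a sketch of the client-side policy the last paragraph refers to, showing how a client that requires TLS and an opportunistic one each react when the STARTTLS line is missing from an SMTP EHLO reply. The function names, the hostname and the sample replies are constructed for illustration; nothing here touches the network.

```python
def ehlo_extensions(reply_lines):
    """Parse a multi-line 250 EHLO reply into a set of extension keywords."""
    exts = set()
    for i, line in enumerate(reply_lines):
        # Every line must be "250-..." (continuation) or "250 ..." (last line).
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line carries the server name, not an extension
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts


def next_command(reply_lines, require_tls):
    """Decide what a client does next on a cleartext connection.

    require_tls=True models a client configured to never send cleartext
    credentials; require_tls=False models opportunistic STARTTLS.
    """
    exts = ehlo_extensions(reply_lines)
    if "STARTTLS" in exts:
        return "STARTTLS"
    if require_tls:
        return "QUIT"  # no TLS offered: stop before authenticating
    if "AUTH" in exts:
        return "AUTH"  # credentials would be sent in cleartext
    return "MAIL"


# Constructed sample reply; mail.example.org is a placeholder hostname.
GENUINE = [
    "250-mail.example.org Hello",
    "250-SIZE 36700160",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
]
# The same reply as the client would see it with the STARTTLS line removed.
MODIFIED = [line for line in GENUINE if "STARTTLS" not in line]

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE), ("modified", MODIFIED)):
        for strict in (True, False):
            print(name, "require_tls=%s" % strict, "->", next_command(reply, strict))
```

On a plain-TLS port the TLS handshake happens before any cleartext protocol line is exchanged, so there is no capability line whose absence the client has to interpret.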