Hi, I'm running dovecot 1:1.2.15-7 and a PHP webmail application is throwing errors when connecting to IMAP with TLS. Is there a way to disable SSL/TLS for localhost connections? I googled, but didn't see anything specific. Can I assume that it's as simple as setting ssl_listen to the external IP address(es) and leaving listen = * as it is? Thanks.

Simon
If SSL/TLS works from the outside, but not the inside, you should probably find out why and fix that instead. What is the actual error text?

Terry

--
Terry Carmen
CNY Support, LLC
https://www.cnysupport.com
> -----Original Message-----
> From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org] On Behalf Of Terry Carmen
>
> If SSL/TLS works from the outside, but not the inside, you should
> probably find out why and fix that instead.

You'd think so - but since I don't actually need TLS from the inside, and given my skill level - disabling it seems easier :)

> What is the actual error text?

2011-09-29T15:33:14-04:00 WARN: HORDE4 [imp] PHP ERROR: fwrite(): SSL: Broken pipe [pid 23503 on line 3716 of "/usr/share/php/Horde/Imap/Client/Socket.php"]
2011-09-29T15:33:14-04:00 WARN: HORDE4 [imp] PHP ERROR: fwrite() expects parameter 1 to be resource, null given [pid 23503 on line 3714 of "/usr/share/php/Horde/Imap/Client/Socket.php"]
2011-09-29T15:33:14-04:00 WARN: HORDE4 [imp] PHP ERROR: fwrite() expects parameter 1 to be resource, null given [pid 23503 on line 3716 of "/usr/share/php/Horde/Imap/Client/Socket.php"]
2011-09-29T15:33:14-04:00 WARN: HORDE4 [imp] PHP ERROR: feof() expects parameter 1 to be resource, null given [pid 23503 on line 3909 of "/usr/share/php/Horde/Imap/Client/Socket.php"]
2011-09-29T15:33:14-04:00 WARN: HORDE4 [imp] PHP ERROR: fgets() expects parameter 1 to be resource, null given [pid 23503 on line 3925 of "/usr/share/php/Horde/Imap/Client/Socket.php"]
2011-09-29T15:33:14-04:00 ERR: HORDE4 [imp] IMAP server denied authentication. [pid 23503 on line 340 of "/usr/share/horde4/imp/lib/Imap.php"]
2011-09-29T15:38:05-04:00 ERR: HORDE4 [imp] Server does not support TLS connections. [pid 23596 on line 340 of "/usr/share/horde4/imp/lib/Imap.php"]

The mail log (to which Dovecot logs) shows nothing for either of those time periods - and a single (successful) login with TLS at 15:33:15. The consensus from the excellent Horde mailing list is that it's either an IMAP issue or a PHP one. Since the dovecot log isn't showing any errors, I'm inclined to believe it's PHP.

And since I have neither the skills nor the time to engage with those folks on the intricacies of fwrite, fgets and feof, I'd rather just not have the TLS overhead on localhost connections (which probably makes sense even if I did have the inclination). So, would setting ssl_listen to the external IP remove the TLS offer from localhost connections?

Simon
On 09/30/11 18:15, Terry Carmen wrote:
> If SSL/TLS works from the outside, but not the inside, you should probably
> find out why and fix that instead.
>
> What is the actual error text?

In my limited experience there are two main reasons why it can work from outside but not inside. One is a routing problem. The common problem is trying to connect from inside using the outside IP address, where the replies try to take a different route back. The second reason is to do with the SSL certificate, which will have a CN indicating the server name. If you try to connect from the inside, the server name will not match and you'll get a certificate error.

A third possibility is you're trying to use TLS on an SSL connection. You need to use port 143 for TLS and 993 for SSL.

However, your error messages show an authentication error, and I suspect you are using an encrypted password on a connection that doesn't support it. It's fairly common, if TLS is demanded, that PLAIN auth is the only method accepted. Without more detail one can only guess.

Dick
On Sun, 2 Oct 2011, Simon Brereton writes:
> I don't have that file. Part of the problem is that I'm confused
> between protocols and wrappers and interfaces :) Dick and Michael have
> persuaded me that it's just easier for Horde not to ask for TLS on
> port 143 - because that's in fact what I was doing - and it's
> pointless.
>
> Nonetheless, I think it would be nice to tell Dovecot to listen on the
> local interface for IMAP. Listen on the external interface for IMAP,
> IMAPS, POP and POP3S. But if there's no simple way to do that I don't
> have a valid use-case for doing it right now.

I got into this thread rather late, so maybe I missed something here. If you have different policies for your interfaces, you can run two different instances of dovecot (with 2 different base directories and sets of configuration files). I haven't tried it, but maybe it's also possible to have interface-specific CAPA strings and remove STARTTLS.

Dovecot will support unencrypted sessions over the localhost interface, but your webmail seems to opportunistically use it when offered, so don't offer it.

Joseph Tam <jtam.home at gmail.com>
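Two points in the thread deserve a concrete check: Dick's distinction between STARTTLS on port 143 and implicit SSL on port 993, and Joseph's observation that a webmail client will use STARTTLS whenever the server's CAPABILITY string advertises it. The script below is an added illustration, not code from the thread, from Dovecot or from Horde. It parses an IMAP CAPABILITY response the way a client would, reports whether STARTTLS is offered and whether LOGINDISABLED forbids plaintext login until TLS is up (the combination that turns a client skipping STARTTLS into an "IMAP server denied authentication" failure), and decides which connection mode fits each port. The sample CAPABILITY lines are constructed, not captured from the poster's server; the optional live probe at the bottom assumes a Dovecot reachable on the given host and the standard ports and is only a diagnostic to confirm what the localhost listener actually advertises after any configuration change.

```python
"""Inspect what an IMAP client sees on the two TLS modes discussed in the
thread: STARTTLS on port 143 versus implicit TLS on port 993.

Added illustration, not code from the thread or from Dovecot/Horde.
The CAPABILITY parsing works offline on the constructed sample responses
below; the live probe at the bottom is optional and assumes a Dovecot
reachable on the given host/ports (hypothetical defaults).
"""
import imaplib
import ssl
import sys

# Constructed sample CAPABILITY responses (not captured from the poster's server).
SAMPLE_LOCALHOST = (b"IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                    b"AUTH=PLAIN AUTH=LOGIN")
SAMPLE_STARTTLS = (b"IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                   b"STARTTLS LOGINDISABLED")


def parse_capabilities(raw):
    """Turn a CAPABILITY response (bytes or str) into a set of upper-case tokens."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", errors="replace")
    return {tok.upper() for tok in raw.split()}


def describe(caps):
    """Summarise the security-relevant facts a webmail client would act on."""
    caps = set(caps)
    return {
        "starttls_offered": "STARTTLS" in caps,
        # LOGINDISABLED means plaintext auth is refused until TLS is negotiated;
        # a client that skips STARTTLS here gets an authentication failure.
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
        "auth_mechanisms": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }


def choose_mode(port, caps):
    """Which connection mode a client should use for this port/capability set.

    Returns one of 'implicit-tls', 'starttls', 'plaintext' or 'refuse'.
    """
    if port == 993:
        return "implicit-tls"          # TLS from the first byte, no STARTTLS
    info = describe(caps)
    if info["starttls_offered"]:
        return "starttls"              # upgrade on 143 before authenticating
    if info["plaintext_login_allowed"]:
        return "plaintext"             # only acceptable on a loopback/trusted path
    return "refuse"                    # server wants TLS but does not offer it on 143


def probe(host, port):
    """Live check: return the server's capability set (requires network access)."""
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())
    else:
        conn = imaplib.IMAP4(host, port)
    try:
        typ, data = conn.capability()
        return parse_capabilities(data[0]) if typ == "OK" else set()
    finally:
        conn.logout()


if __name__ == "__main__":
    # Usage: python imap_tls_check.py [host]   (host defaults to loopback)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in (143, 993):
        try:
            caps = probe(host, port)
        except (OSError, imaplib.IMAP4.error, ssl.SSLError) as exc:
            print(f"{host}:{port} -> connection failed: {exc}")
            continue
        print(f"{host}:{port} -> {choose_mode(port, caps)} {describe(caps)}")
```

Run against the loopback address, the output tells you directly whether the 143 listener still advertises STARTTLS (in which case an opportunistic client will keep trying to use it) and whether plaintext login is permitted there, which is the pair of facts this thread keeps circling.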