dovecot - Jul 2009 - STARTTLS problem

Hi

I have a problem with STARTTLS, with imaps all ok.
I have  tried to connect to server with different clients (thunderbird, the 
bat, mulberry) and had same result.
Thunderbird log for example:

0[284708]: 25c0e08:192.168.4.200:NA:SetupWithUrl: clearing 
IMAP_CONNECTION_IS_OPEN
1920[25c77c8]: ImapThreadMainLoop entering [this=25c0e08]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:ProcessCurrentURL: entering
1920[25c77c8]: 
25c0e08:192.168.4.200:NA:ProcessCurrentURL:imap://test%40my%2Elocal at
192.168.4.200:143/select%3E/INBOX:
= currentUrl
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=210 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: * OK 
[CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT 
LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED 
I18NLEVEL=1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 1 capability

1920[25c77c8]: ReadNextLine [stream=25c8020 nb=190 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: * 
CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT 
LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED 
I18NLEVEL=1 STARTTLS AUTH=PLAIN AUTH=LOGIN

1920[25c77c8]: ReadNextLine [stream=25c8020 nb=28 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: 1 OK 
Capability completed.

1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 2 STARTTLS

1920[25c77c8]: ReadNextLine [stream=25c8020 nb=33 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: 2 OK Begin 
TLS negotiation now.

1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 3 capability

my comment - at this place the process is waiting

1920[25c77c8]: ReadNextLine [stream=25c8020 nb=0 needmore=1]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: clearing 
IMAP_CONNECTION_IS_OPEN - rv = 804b0014
1920[25c77c8]: 25c0e08:192.168.4.200:NA:TellThreadToDie: close socket 
connection
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: (null)
1920[25c77c8]: 25c0e08:192.168.4.200:NA:ProcessCurrentURL: aborting queued 
urls
1920[25c77c8]: ImapThreadMainLoop leaving [this=25c0e08]

At same time dovecot log:

Jul 29 18:33:08 freebsd dovecot: auth(default): new auth connection: 
pid=3339
Jul 29 18:33:34 freebsd dovecot: imap-login: Disconnected (no auth 
attempts): rip=192.168.4.100, lip=192.168.4.200, TLS handshaking: 
Disconnected

What does it mean, i don't know, because if I try to connect with gnutls-cli
it  works perfectly.

freebsd# dovecot -n
# 1.1.16: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.2-RELEASE i386  ufs
syslog_facility: local0
protocols: imap imaps pop3 pop3s
ssl_key_file: /etc/ssl/keys/dovecot.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_uid: 4738
mail_gid: 4738
mail_location: maildir:/var/mail/vmail/%d/%n
mail_debug: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): acl
mail_plugins(imap): acl
mail_plugins(pop3):
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail netscape-eoh 
tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail netscape-eoh 
tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: public
  separator: /
  prefix: public/
  location: 
maildir:/var/mail/vmail/%d/public:INDEX=/var/mail/vmail/%d/%n/public/index:CONTROL=/var/mail/vmail/%d/%n/public/control
  list: yes
  subscriptions: yes
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  debug: yes
  passdb:
    driver: passwd-file
    args: /usr/local/etc/passwd.dovecot
  userdb:
    driver: passwd-file
    args: /usr/local/etc/passwd.dovecot
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
plugin:
  acl: vfile

any ideas ?

Regards, Sergey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 29 Jul 2009, ?????? ?????? wrote:
> I have a problem with STARTTLS, with imaps all ok.
Do you have a Cisco Firewall/IDS or a software firewall running between 
your client and Dovecot? If so, try to disable it for a test.

Some firewalls don't understand that after STARTTLS they have to stop 
listening / checking the connection.

Bye,

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSnBdRXWSIuGy1ktrAQJQeQgAmivfQZS9CeH33e5NPFnJ7yWCRvkI99VL
L6qKPBHQO144BjvHpHOaqms7trKUBYSmOClF3M7AB13S9WMlnVK596VYpD0QvBlS
rNghpX2rE6oboEXpQ4Zf2iuvogYuf3wN0vGTE6W5EdbZf025a3nUH3kjY7z04qXe
RBsz1dJrpXPGarGa0f9/JU3zmLVf0RZwKLnd8bxQ8cuFFgttinxnfi+8MP9+QmsY
qLDixog1DPhg18txVxTUW9NuTtTbr73u3StGnSEzCwkwvPYrGW+iCrLn/PuW2Fnr
u6XgTiRbmWoJZUuxaElKlaSN6mufALL+NcKbRteB161DrquDZxZvwA==Zfuc
-----END PGP SIGNATURE-----