Hello,
I have this problem:
May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth
attempts): rip=84.150.52.31, lip=78.46.216.126
Connecting via Thunderbird to STARTTLS won't work, but with a website
from the same server it works for tls://opsys.de.
So why is the port closed for external ip's?
IPTABLES entry for imap is this:
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
Key files are correct, TLS is working from localhost.
System is Debian squeeze
--
Markus Fritz
Administration
opsys.de
Hi,
STARTTLS refers to a client connecting on the normal, plaintext IMAP
port, 143, and then issuing a STARTTLS command, starting a TLS session.
I am able to connect from my computer to your IMAP server using STARTTLS
using this command:
openssl s_client -starttls imap -connect 78.46.216.126:143
Your server seems to not be listening on ports 993 and 995 for imaps and
pop3s, respectively, where a TLS session is started immediately when the
connection is initiated.
If you are using dovecot 2, you need to have something like the
following in your config
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
(The commented out lines represent the defaults, you uncomment them only
if you want to change them)
For dovecot 1.2, you need a line like this:
protocols = imap imaps pop3 pop3s
On 5/5/2012 3:06 PM, Markus Fritz wrote:
> Hello,
>
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth
> attempts): rip=84.150.52.31, lip=78.46.216.126
>
> Connecting via Thunderbird to STARTTLS won't work, but with a website
> from the same server it works for tls://opsys.de.
> So why is the port closed for external ip's?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere
> anywhere multiport dports pop3,pop3s,imap2,imaps
>
> Key files are correct TLS is working from localhost.
>
> System is Debian squeeze
>
On 05.05.2012 21:06, Markus Fritz wrote:
> Hello,
>
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth
> attempts): rip=84.150.52.31, lip=78.46.216.126
>
> Connecting via Thunderbird to STARTTLS won't work, but with a website
> from the same server it works for tls://opsys.de.
> So why is the port closed for external ip's?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere anywhere
> multiport dports pop3,pop3s,imap2,imaps
>
> Key files are correct TLS is working from localhost.
>
> System is Debian squeeze

Thunderbird says 'tls not available due temporary reason' now.
Dovecot.conf: http://pastie.org/private/64sbirlohqnflz74isf4a
--
Markus Fritz
Administration
opsys.de
* markus at opsys.de <markus at opsys.de>:
> On 05.05.2012 22:44, Patrick Ben Koetter wrote:
> > * Markus Fritz <markus.fritz at opsys.de>:
> > > On 05.05.2012 21:06, Markus Fritz wrote:
> > Assuming your server cert is located in
> > /etc/ssl/certs/ca-certificates.crt try this on your server:
> >
> > openssl s_client -starttls imap -CAfile /etc/ssl/certs/ca-certificates.crt -connect localhost:143
> >
> > Use "2 logout" to get out of the session.
> >
> > If it works, try the same from your client host.
> >
> > Does it work both times?
>
> yes:
>
> Verify return code: 0 (ok)
> ---
> . OK Capability completed.
>
> it works. But I cannot login with Thunderbird. I imported the cert
> in Thunderbird, too.

IIRC it is not enough to import the cert. You also need to set a policy,
i.e. allow the cert to be used for e-mail.

p at rick

--
state of mind
http://www.state-of-mind.de
Franziskanerstraße 15    Telefon +49 89 3090 4664
81669 München            Telefax +49 89 3090 4666
Amtsgericht München      Partnerschaftsregister PR 563
* markus at opsys.de <markus at opsys.de>:
> Yep, I set the rights for the cert in Thunderbird. With this CERT
> SSL is working in Thunderbird but not with STARTTLS.
>
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: 1 BAD TLS not available due to temporary reason

Your server responds that it has a temporary problem. Set the server to
verbose to get more useful log output.

p at rick

P.S. And please keep this thread on-list.

> That's the message I get from Thunderbird.
>
> And that's the whole log:
>
> 4440[af7d580]: ImapThreadMainLoop entering [this=bcde800]
> 0[c0f140]: bcde800:mail.opsys.de:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
> 4440[af7d580]: bcde800:mail.opsys.de:NA:ProcessCurrentURL: entering
> 4440[af7d580]: bcde800:mail.opsys.de:NA:ProcessCurrentURL:imap://markus%40opsys%2Ede at mail.opsys.de:143/select%3E.INBOX: = currentUrl
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=118 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
>
> 4440[af7d580]: bcde800:mail.opsys.de:NA:SendData: 1 STARTTLS
>
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=49 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: 1 BAD TLS not available due to temporary reason
>
> 4440[af7d580]: try to log in
> 4440[af7d580]: IMAP auth: server caps 0x4405427, pref 0x1006, failed 0x0, avail caps 0x1006
> 4440[af7d580]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login 0x4)auth external IMAP login = 0x20000000
> 4440[af7d580]: trying auth method 0x1000
> 4440[af7d580]: got new password
> 4440[af7d580]: IMAP: trying auth method 0x1000
> 4440[af7d580]: PLAIN auth
> 4440[af7d580]: bcde800:mail.opsys.de:NA:SendData: 2 authenticate plain
>
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=4294967295 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
> 4440[af7d580]: bcde800:mail.opsys.de:NA:TellThreadToDie: close socket connection
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: (null)
> 4440[af7d580]: authlogin failed
> 4440[af7d580]: marking auth method 0x1000 failed
> 4440[af7d580]: IMAP auth: server caps 0x4405427, pref 0x1006, failed 0x1000, avail caps 0x6
> 4440[af7d580]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login 0x4)auth external IMAP login = 0x20000000
> 4440[af7d580]: trying auth method 0x2
> 4440[af7d580]: login failed entirely

--
state of mind
http://www.state-of-mind.de
Franziskanerstraße 15    Telefon +49 89 3090 4664
81669 München            Telefax +49 89 3090 4666
Amtsgericht München      Partnerschaftsregister PR 563
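An added example, not code from the thread, from Dovecot or from Thunderbird: a small Python probe that does by hand what the `openssl s_client -starttls imap` check suggested earlier does, and classifies the outcome the way the Thunderbird log shows it. It reads the greeting, confirms STARTTLS is advertised in the embedded CAPABILITY list, sends the command, and inspects the tagged reply before any TLS handshake or password goes over the wire. The `probe_starttls`, `probe_host` and `replay` functions, the `a001` tag and the scripted transcripts are assumptions of this example; the failing transcript is constructed from the two server lines in the log above, the healthy one is invented. Note that the log above shows `2 authenticate plain` going out on the still-plaintext connection after the `BAD` reply; the probe instead treats a refused STARTTLS as final and never sends credentials, and it also flags a server that offers AUTH=PLAIN before TLS is up (RFC 3501 expects LOGINDISABLED there instead).

```python
"""Probe an IMAP server's STARTTLS negotiation and classify the outcome.

Added example, not from the mailing-list thread. Names (probe_starttls,
probe_host, replay, TAG) and the scripted transcripts are this example's own.
"""
import re
import socket
import ssl

TAG = "a001"  # arbitrary client tag (assumption); Thunderbird used "1" in the log
CAPABILITY_RE = re.compile(r"^\* OK \[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting):
    """Capabilities from a greeting that embeds a CAPABILITY response code."""
    m = CAPABILITY_RE.match(greeting.strip())
    return set(m.group(1).split()) if m else set()


def classify_reply(tag, line):
    """Split a tagged reply into (verdict, server text)."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2 or parts[0] != tag:
        return "unexpected", line.strip()
    status, text = parts[1].upper(), (parts[2] if len(parts) == 3 else "")
    if status == "OK":
        return "ok", text
    if status in ("NO", "BAD"):  # server declined: we are still in plaintext
        return "refused", text
    return "unexpected", line.strip()


def probe_starttls(readline, sendline):
    """Run the pre-TLS part of the exchange over two I/O callbacks.

    readline() returns the next server line, sendline(s) sends one command.
    Returns a dict whose 'verdict' is 'ok', 'refused', 'not-advertised' or
    'unexpected'. No credential is ever sent from here: a refused STARTTLS
    must not be followed by AUTHENTICATE on the plaintext socket.
    """
    greeting = readline()
    caps = parse_capabilities(greeting)
    result = {
        "capabilities": sorted(caps),
        # AUTH=* offered before TLS (and no LOGINDISABLED) means the server
        # would accept a password on this port without encryption.
        "plaintext_auth_offered": any(c.startswith("AUTH=") for c in caps)
        and "LOGINDISABLED" not in caps,
    }
    if "STARTTLS" not in caps:
        result.update(verdict="not-advertised", detail=greeting.strip())
        return result
    sendline(f"{TAG} STARTTLS")
    verdict, detail = classify_reply(TAG, readline())
    result.update(verdict=verdict, detail=detail)
    return result


def probe_host(host, port=143, timeout=10):
    """Probe a live server; on OK, finish the handshake and report the cert."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def readline():
            return rfile.readline().decode("utf-8", "replace")

        def sendline(s):
            sock.sendall((s + "\r\n").encode())

        result = probe_starttls(readline, sendline)
        if result["verdict"] == "ok":
            # After "OK" the server waits for our ClientHello, so rfile holds
            # no buffered bytes and the raw socket can be wrapped directly.
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                result["cert_subject"] = tls.getpeercert().get("subject")
                tls.sendall(f"{TAG}1 LOGOUT\r\n".encode())
        return result


def replay(lines):
    """Run probe_starttls against a scripted list of server lines (offline)."""
    it = iter(lines)
    sent = []
    result = probe_starttls(lambda: next(it), sent.append)
    result["client_sent"] = sent
    return result


# Constructed transcript built from the two server lines in the Thunderbird log.
FAILING_SERVER = [
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n",
    f"{TAG} BAD TLS not available due to temporary reason\r\n",
]
# Constructed transcript of a healthy server (invented, not from the thread).
HEALTHY_SERVER = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.\r\n",
    f"{TAG} OK Begin TLS negotiation now.\r\n",
]

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python probe.py mail.example.net [port]
        print(probe_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 143))
    else:
        for name, script in (("failing", FAILING_SERVER), ("healthy", HEALTHY_SERVER)):
            print(name, replay(script))
```

Run it with no arguments to see both scripted outcomes; pass a hostname to probe a real port 143. A `refused` verdict with the server's own text is the condition to chase on the server side; a `plaintext_auth_offered` flag on a port you meant to protect is worth fixing even when STARTTLS itself works.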