Hello,

I have this problem:

May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126

Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
So why is the port closed for external IPs?
IPTABLES entry for imap is this:

fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps

Key files are correct, TLS is working from localhost.

System is Debian squeeze

--
Markus Fritz
Administration opsys.de
Hi,

STARTTLS refers to a client connecting on the normal plaintext IMAP port, 143, and then issuing a STARTTLS command, starting a TLS session. I am able to connect from my computer to your IMAP server using STARTTLS using this command:

openssl s_client -starttls imap -connect 78.46.216.126:143

Your server seems to not be listening on ports 993 and 995 for imaps and pop3s, respectively, where a TLS session is started immediately when the connection is initiated.

If you are using dovecot 2, you need to have something like the following in your config:

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

(The commented out lines represent the defaults, you uncomment them only if you want to change them)

For dovecot 1.2, you need a line like this:

protocols = imap imaps pop3 pop3s

On 5/5/2012 3:06 PM, Markus Fritz wrote:
> Hello,
>
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
>
> Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
> So why is the port closed for external IPs?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
>
> Key files are correct, TLS is working from localhost.
>
> System is Debian squeeze
On 05.05.2012 21:06, Markus Fritz wrote:
> Hello,
>
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
>
> Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
> So why is the port closed for external IPs?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
>
> Key files are correct, TLS is working from localhost.
>
> System is Debian squeeze

Thunderbird says 'TLS not available due to temporary reason' now.

Dovecot.conf: http://pastie.org/private/64sbirlohqnflz74isf4a

--
Markus Fritz
Administration opsys.de
* markus at opsys.de <markus at opsys.de>:
> On 05.05.2012 22:44, Patrick Ben Koetter wrote:
>> * Markus Fritz <markus.fritz at opsys.de>:
>>> On 05.05.2012 21:06, Markus Fritz wrote:
>> Assuming your server cert is located in /etc/ssl/certs/ca-certificates.crt try this on your server:
>>
>> openssl s_client -starttls imap -CAfile /etc/ssl/certs/ca-certificates.crt -connect localhost:143
>>
>> Use "2 logout" to get out of the session.
>>
>> If it works, try the same from your client host.
>>
>> Does it work both times?
>
> yes:
>
> Verify return code: 0 (ok)
> ---
> . OK Capability completed.
>
> it works. But I cannot login with Thunderbird. I imported the cert in Thunderbird, too.

IIRC it is not enough to import the cert. You also need to set a policy i.e. allow the cert to be used for e-mail.

p at rick

--
state of mind () http://www.state-of-mind.de
Franziskanerstraße 15        Telefon +49 89 3090 4664
81669 München                Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
* markus at opsys.de <markus at opsys.de>:
> Yep, I set the rights for the cert in Thunderbird. With this CERT SSL is working in Thunderbird but not with STARTTLS.
>
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: 1 BAD TLS not available due to temporary reason

Your server responds it has a temporary problem. Set the server verbose to get more useful log output.

p at rick

P.S. And please keep this thread onlist.

> That's the message I get from Thunderbird.
>
> And that's the whole log:
>
> 4440[af7d580]: ImapThreadMainLoop entering [this=bcde800]
> 0[c0f140]: bcde800:mail.opsys.de:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
> 4440[af7d580]: bcde800:mail.opsys.de:NA:ProcessCurrentURL: entering
> 4440[af7d580]: bcde800:mail.opsys.de:NA:ProcessCurrentURL:imap://markus%40opsys%2Ede at mail.opsys.de:143/select%3E.INBOX: = currentUrl
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=118 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
>
> 4440[af7d580]: bcde800:mail.opsys.de:NA:SendData: 1 STARTTLS
>
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=49 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: 1 BAD TLS not available due to temporary reason
>
> 4440[af7d580]: try to log in
> 4440[af7d580]: IMAP auth: server caps 0x4405427, pref 0x1006, failed 0x0, avail caps 0x1006
> 4440[af7d580]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login 0x4)auth external IMAP login = 0x20000000
> 4440[af7d580]: trying auth method 0x1000
> 4440[af7d580]: got new password
> 4440[af7d580]: IMAP: trying auth method 0x1000
> 4440[af7d580]: PLAIN auth
> 4440[af7d580]: bcde800:mail.opsys.de:NA:SendData: 2 authenticate plain
>
> 4440[af7d580]: ReadNextLine [stream=bc59ca8 nb=4294967295 needmore=0]
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
> 4440[af7d580]: bcde800:mail.opsys.de:NA:TellThreadToDie: close socket connection
> 4440[af7d580]: bcde800:mail.opsys.de:NA:CreateNewLineFromSocket: (null)
> 4440[af7d580]: authlogin failed
> 4440[af7d580]: marking auth method 0x1000 failed
> 4440[af7d580]: IMAP auth: server caps 0x4405427, pref 0x1006, failed 0x1000, avail caps 0x6
> 4440[af7d580]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login 0x4)auth external IMAP login = 0x20000000
> 4440[af7d580]: trying auth method 0x2
> 4440[af7d580]: login failed entirely
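Added example, not code from any message in this thread: a small POSIX shell helper that checks the two TLS modes described in the first reply (STARTTLS on 143, implicit TLS on 993) with openssl s_client the way the thread does, and a parser that reads an IMAP greeting like the one in the Thunderbird log above to report whether STARTTLS and cleartext authentication are advertised before TLS. The function names, the default ports and the sample greeting (constructed from the log) are my assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread): check the two IMAP TLS modes
# with openssl s_client, and read an IMAP greeting for STARTTLS and
# cleartext-auth exposure. Function names and ports are assumptions.

# Constructed sample: the greeting Thunderbird logged in the thread above.
SAMPLE_GREETING='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'

# Print the capability list from an untagged "* OK [CAPABILITY ...]" greeting.
imap_caps() {
    printf '%s\n' "$1" | sed -n 's/^\* OK \[CAPABILITY \([^]]*\)].*/\1/p'
}

# "yes" if the server advertises STARTTLS on the cleartext port, else "no".
imap_starttls_offered() {
    case " $(imap_caps "$1") " in
        *" STARTTLS "*) echo yes ;;
        *) echo no ;;
    esac
}

# "yes" if a client could authenticate in cleartext before STARTTLS:
# AUTH=PLAIN/AUTH=LOGIN advertised, or the RFC 3501 LOGIN command not disabled.
imap_plaintext_auth_before_tls() {
    caps=" $(imap_caps "$1") "
    case "$caps" in
        *" AUTH=PLAIN "*|*" AUTH=LOGIN "*) echo yes; return 0 ;;
    esac
    case "$caps" in
        *" LOGINDISABLED "*) echo no ;;
        *) echo yes ;;
    esac
}

# Live check, as done with openssl in the thread: STARTTLS on 143 and
# implicit TLS on 993. Prints only the connect and certificate verify lines.
probe_imap_host() {
    host=$1
    echo "== $host:143 (STARTTLS) =="
    printf '2 logout\r\n' | openssl s_client -starttls imap -connect "$host:143" 2>&1 |
        grep -E '^(CONNECTED|connect:|Verify return code)'
    echo "== $host:993 (implicit TLS) =="
    openssl s_client -connect "$host:993" </dev/null 2>&1 |
        grep -E '^(CONNECTED|connect:|Verify return code)'
}

# Usage: sh imapcheck.sh mail.example.org
if [ $# -gt 0 ]; then
    probe_imap_host "$1"
fi
```

A greeting that reports "yes" for cleartext auth means credentials can be sent before the STARTTLS upgrade; in Dovecot that is governed by disable_plaintext_auth, which hides AUTH=PLAIN and advertises LOGINDISABLED on non-TLS connections.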