Arnoud van Heuvelen
2013-Sep-12 15:03 UTC
[Dovecot] Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS
Hi,

I'm having a bit of a problem trying to set up a dovecot proxy. I have a setup with two nodes. One is a working Dovecot/Postfix mail server (node a). The other is running a dovecot proxy and roundcube webmail.

Currently I can telnet to port 143 (or openssl s_client to port 993) to localhost on node b. I can then log in to a test account on node a. This all works. However, once I instruct the proxy to use SSL or TLS my problems start. When I try to log in on node b (both on port 143 and 993), it will send two TCP packets on port 993 to node a. There is no TLS handshake. Consequently, my telnet session will just hang until dovecot reaches a timeout. It will then disconnect me for inactivity. I cannot find any information in the logs.

To clarify, the dialog:

Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a login atest at company.nl test123
* BYE Disconnected for inactivity.

I have tried to use the following values in my proxy database:

ssl='any-cert', starttls='Y'
ssl='any-cert', starttls='any-cert'
ssl=NULL, starttls='any-cert'

Here is a strace of the imap-login process on node B: http://dpaste.com/1377232/
The illegal seek on line 30 of the strace looked suspicious to me.
Here is the corresponding lsof: http://dpaste.com/1377239/
Here is node A's config: http://dpaste.com/1377247/
And here is node B's: http://dpaste.com/1377241/

This is node B's password query:

password_query = SELECT NULL AS password, 'Y' AS nopassword, host, 'Y' as proxy, starttls, `ssl`, 10 AS proxy_timeout FROM proxy WHERE domain = '%d'

The logs tell me the password query succeeds:

Sep 12 16:32:35 auth-worker: Debug: sql(atest at company.nl,127.0.0.1): query: SELECT NULL AS password, 'Y' AS nopassword, host, 'Y' as proxy, starttls, `ssl`, 10 AS proxy_timeout FROM proxy WHERE domain = 'company.nl'
Sep 12 16:32:35 auth: Debug: client out: OK 1 useratest at company.nl host=31.CENCOR proxy starttls=Yt ssl=any-cert proxy_timeout=10 pass=test123

Nothing after that. Node A's log gives me this:

2013-09-12 16:26:51 imap-login: Info: Disconnected (no auth attempts): rip=149.CENCORED, lip=31.CENCORED, TLS handshaking: Disconnected

I'm running out of ideas. If anyone would be able to help I would be extremely grateful.

Regards,
Arnoud van Heuvelen
Arnoud van Heuvelen
2013-Sep-24 14:40 UTC
[Dovecot] Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS
I've solved the issue by setting ssl to 'any-cert' and starttls to NULL. This does a proper SSL request to the node. I still don't understand why Dovecot does a non-SSL request on an SSL port whenever I enable starttls, but I'm happy using normal SSL. Regards,
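As an added example (not from this thread and not Dovecot's own code), here is a small Python checker for the passdb proxy fields discussed above: it parses an auth reply shaped like the "client out" debug line, works out whether the proxy will attempt implicit TLS or STARTTLS towards the backend, and flags the combination that hangs. The sample reply lines are constructed, and port=993 is an assumption, since the password_query in the thread selects no port column.

```python
"""Classify how a Dovecot login proxy will connect given passdb proxy fields.
Added example for this thread, not Dovecot's own code. Sample reply lines are
constructed (tabs shown as spaces, as in the quoted log); port=993 is an
assumption, since the thread's password_query selects no port column."""
IMPLICIT_TLS_PORTS = {993, 995, 465}   # imaps, pop3s, submissions

# Constructed: the failing combination from the first post, then the working one.
BROKEN = "OK 1 user=atest@company.nl host=192.0.2.10 port=993 proxy starttls=y ssl=any-cert proxy_timeout=10"
FIXED = "OK 1 user=atest@company.nl host=192.0.2.10 port=993 proxy ssl=any-cert proxy_timeout=10"

def _enabled(value):
    """Dovecot accepts a bare flag, 'y'/'yes', or 'any-cert' for these fields."""
    return value is True or str(value).lower() in ("y", "yes", "any-cert")

def parse_auth_reply(line):
    """Parse 'OK <id> key=value ... flag ...' into a dict; bare flags map to True."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "OK":
        raise ValueError("not an OK auth reply: %r" % line)
    fields = {}
    for token in parts[2:]:
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields

def proxy_mode(fields):
    """'starttls', 'tls' or 'plain'. As the thread observed, any starttls value
    makes the proxy wait for a cleartext greeting first, even with ssl= set."""
    if _enabled(fields.get("starttls", "")):
        return "starttls"
    if _enabled(fields.get("ssl", "")):
        return "tls"
    return "plain"

def diagnose(line, default_port=143):
    """Report the handshake the proxy will attempt and flag a port mismatch."""
    fields = parse_auth_reply(line)
    if not _enabled(fields.get("proxy", "")):
        return {"proxy": False, "ok": True, "reason": "not a proxy login"}
    port = int(fields.get("port", default_port))
    mode = proxy_mode(fields)
    # A STARTTLS client waits for a cleartext greeting; an imaps port waits for
    # a TLS ClientHello. Neither side speaks first, so both idle until timeout.
    deadlock = mode == "starttls" and port in IMPLICIT_TLS_PORTS
    reason = ("starttls on implicit-TLS port %d: both sides wait" % port if deadlock
              else "cleartext backend connection" if mode == "plain"
              else "%s handshake to port %d" % (mode, port))
    return {"proxy": True, "mode": mode, "port": port, "reason": reason,
            "ok": not deadlock and mode != "plain", "password_logged": "pass" in fields}
```

The password_logged flag records that a debug reply like the one quoted in the thread carries the cleartext pass= field, which is worth keeping out of logs once debugging is finished.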