Cyrus 2.2.12 / TLS problems (SSL working) / Thunderbird - kontact

From: Denis Sacchet (no email)
Date: Wed Jul 05 2006 - 08:20:35 EDT

  • Next message: John Madden: "Re: Mailstore filesystem"

    Hi,

    For 1 or 2 months I've had problems with TLS connections to my cyrus
    server in IMAP. I will try to explain the configuration and the problem.

    First of all, here is my cyrus.conf and imapd.conf :

    /ETC/CYRUS.CONF :

    START {
      recover cmd="ctl_cyrusdb -r"
    }
    SERVICES {
      imap cmd="imapd -p 2 -s -U 1 -T 60" listen="143" prefork=8
      imaps cmd="imapd -p 2 -s -U 1 -T 60" listen="993" prefork=1
      cyradm cmd="imapd -p 0 -U 1 -T 60" listen="8143" prefork=1
      sieve cmd="timsieved" listen="127.0.0.1:2000" prefork=0
      lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
    }

    EVENTS {
      checkpoint cmd="ctl_cyrusdb -c" period=30
      delprune cmd="ctl_deliver -E 3" period=1440
      tlsprune cmd="tls_prune" period=1440
    }

    /ETC/IMAPD.CONF

    configdirectory: /var/imap
    partition-default: /var/spool/imap
    sievedir: /var/imap/sieve

    tls_ca_file: /etc/ssl/certs/XXXX.pem
    tls_cert_file: /etc/cyrus/imap.crt
    tls_key_file: /etc/cyrus/imap.key

    admins:
    hashimapspool: yes
    allowanonymouslogin: no
    allowplaintext: yes
    allowusermoves: no
    sieveusehomedir: no
    defaultdomain: XXXX.loc
    virtdomains: yes
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN LOGIN
    sasl_minimum_layer: 0

    As you can see, I have a little CA, so I put the CA root certificate,
    and the imap.crt is signed by XXXX.pem.

    The server runs a Gentoo 2006.0 installation with the following versions
    of cyrus-imapd and openssl :

    [ebuild R ] net-mail/cyrus-imapd-2.2.12
    [ebuild R ] dev-libs/openssl-0.9.7i

    Here is the result of the imtest in TLS (-s on the port 143) :

    imtest -p 143 -s -a 127.0.0.1
    verify error:num=19:self signed certificate in certificate chain
    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
    S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
    NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
    BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMO
    RE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
    S: C01 OK Completed
    C: A01 AUTHENTICATE LOGIN
    S: + VXNlcm5hbWU6
    Please enter your password:
    C: b3ViYUBvdWJhLm9yZw==
    S: + UGFzc3dvcmQ6
    C: bGdXM2l2e1s=
    S: A01 OK Success (tls protection)
    Authenticated.
    Security strength factor: 256
    . logout
    * BYE LOGOUT received
    . OK Completed
    Connection closed.

    With the log :

    ==> notice.log <==
    Jul 5 14:01:07 smtp imap[27666]: starttls: TLSv1 with cipher AES256-SHA
    (256/256 bits new) no authentication
    Jul 5 14:01:10 smtp imap[27666]: login: localhost [127.0.0.1]
     LOGIN+TLS User logged in

    And also the result of the imtest in SSL (-s on the port 993) :

    imtest -p 993 -s -a 127.0.0.1
    verify error:num=19:self signed certificate in certificate chain
    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
    S: * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
    NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
    BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMO
    RE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
    S: C01 OK Completed
    C: A01 AUTHENTICATE LOGIN
    S: + VXNlcm5hbWU6
    Please enter your password:
    C: b3ViYUBvdWJhLm9yZw==
    S: + UGFzc3dvcmQ6
    C: bGdXM2l2e1s=
    S: A01 OK Success (tls protection)
    Authenticated.
    Security strength factor: 256
    . LOGOUT
    * BYE LOGOUT received
    . OK Completed
    Connection closed.

    With the log :

    ==> notice.log <==
    Jul 5 14:02:08 smtp imap[27665]: starttls: TLSv1 with cipher AES256-SHA
    (256/256 bits new) no authentication
    Jul 5 14:02:11 smtp imap[27665]: login: localhost [127.0.0.1]
     LOGIN+TLS User logged in

    The same thing with the s_client of openssl :

    openssl s_client -host 127.0.0.1 -port 143 -tls1
    CONNECTED(00000003)
    depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    verify error:num=19:self signed certificate in certificate chain
    verify return:0

    ---
    Certificate chain
     0
    s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=
       i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
     1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
       i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <...snip...>
    -----END CERTIFICATE-----
    subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=
    issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2058 bytes and written 300 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID:
    CA9CCA52A78CCF48A2947BC93ADCCA46D886F571E6349AED3BBE5A49ABD1BC73
        Session-ID-ctx:
        Master-Key:
    EEF680291C80759D9C511FD0EA081E9F198157113BC1FF845B262B7F4CBE97E6D985671CC32F9D2DF1D106A125DE4FBB
        Key-Arg   : None
        Start Time: 1152101081
        Timeout   : 7200 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
    . LOGOUT
    * BYE LOGOUT received
    . OK Completed
    read:errno=0

    And in SSL :

    openssl s_client -host 127.0.0.1 -port 993 -ssl3
    CONNECTED(00000003)
    depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0
    s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=
       i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
     1 s:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
       i:/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <...snip...>
    -----END CERTIFICATE-----
    subject=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=imap.XXXX.XXX/emailAddress=
    issuer=/C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
    C.A./emailAddress=
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2074 bytes and written 314 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID:
    DF383DECC1677110482A1FEA576EB9D52EBE1E2124DD5C871C1B192F7B6FE000
        Session-ID-ctx:
        Master-Key:
    9C92EA25D229A8847795511A83D3790E6CDDC8E7AA4B97A9DF964D4DDA054104CD93E1C852F7D0B848B3CE647F177CAA
        Key-Arg   : None
        Start Time: 1152101127
        Timeout   : 7200 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    * OK smtp Cyrus IMAP4 v2.2.12-Gentoo server ready
    . LOGOUT
    * BYE LOGOUT received
    . OK Completed
    read:errno=0

    With the two lines of log (I didn't authenticate myself) :

    Jul  5 14:04:41 smtp imap[27742]: starttls: TLSv1 with cipher AES256-SHA
    (256/256 bits new) no authentication
    Jul  5 14:05:27 smtp imaps[28081]: starttls: SSLv3 with cipher
    AES256-SHA (256/256 bits new) no authentication

    So, it seems everything works fine. Now try to connect with Thunderbird
    with a fresh new profile.

    If I choose SSL on port 993 :

    Jul  5 14:09:03 smtp imaps[28175]: starttls: TLSv1 with cipher
    AES256-SHA (256/256 bits new) no authentication
    Jul  5 14:09:09 smtp imaps[28175]: login:
    4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30] 
    plain+TLS User logged in

    But if I switch to TLS on port 143, after a while (about 2 or 3 minutes) :

    ==> err.log <==
    Jul  5 14:11:05 smtp imap[27757]: Fatal error: tls_start_servertls() failed
     
    ==> notice.log <==
    Jul  5 14:11:05 smtp imap[27757]: imaps TLS negotiation failed:
    4be54-5-82-244-105-30.fbx.proxad.net [82.244.105.30]

    If I do an ssldump session in TLS on port 143, I only get :

    ssldump \( port 993 or port 143 \) and host www.ouba.org
    New TCP connection #1: XXXX.XXXX.XXX(35964) <-> smtp.ouba.org(143)

    It seems not to even try to negotiate anything.

    But in SSL on port 993 :

    ssldump \( port 993 or port 143 \) and host XXX.XXXX.XXX
    New TCP connection #1: XXXX.XXXX.XXX(32799) <-> XXXX.XXXX.XXX(993)
    1 1  0.0555 (0.0555)  C>S SSLv2 compatible client hello
      Version 3.1
      cipher suites
      SSL2_CK_RC4
      SSL2_CK_RC2
      SSL2_CK_3DES
      SSL2_CK_DES
      SSL2_CK_RC4_EXPORT40
      SSL2_CK_RC2_EXPORT40
      Unknown value 0x39
      Unknown value 0x38
      Unknown value 0x35
      Unknown value 0x33
      Unknown value 0x32
      TLS_RSA_WITH_RC4_128_MD5
      TLS_RSA_WITH_RC4_128_SHA
      Unknown value 0x2f
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      Unknown value 0xfeff
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_RSA_WITH_DES_CBC_SHA
      TLS_DHE_DSS_WITH_DES_CBC_SHA
      Unknown value 0xfefe
      TLS_RSA_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT_WITH_RC4_40_MD5
      TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    1 2  0.1763 (0.1208)  S>C  Handshake
          ServerHello
            Version 3.1
            session_id[32]=
              58 5d aa 2a 1a dd 12 9d 98 d6 be e0 56 8b 75 a3
              95 70 c3 8b 96 7b 90 de 9c 5c 75 68 f1 ef 6d d2
            cipherSuite         Unknown value 0x35
            compressionMethod                   NULL
    1 3  0.1813 (0.0049)  S>C  Handshake
          Certificate
    1 4  0.1813 (0.0000)  S>C  Handshake
          ServerHelloDone
    1 5  4.1021 (3.9208)  C>S  Handshake
          ClientKeyExchange
    1 6  4.1021 (0.0000)  C>S  ChangeCipherSpec
    1 7  4.1021 (0.0000)  C>S  Handshake
    1 8  4.1753 (0.0731)  S>C  ChangeCipherSpec
    1 9  4.1753 (0.0000)  S>C  Handshake
    1 10 4.2324 (0.0571)  S>C  application_data
    1 11 4.2360 (0.0036)  C>S  application_data
    1 12 4.2965 (0.0604)  S>C  application_data

    Do you think the problems come from Thunderbird or from Cyrus?
    Thunderbird used to work well in TLS, and I've got the same problem with
    Kontact. I haven't tried another client; if I have the time, I will
    test with Outlook Express, Outlook and Opera.

    Thanks for your help if possible.

    Best regards
    Denis Sacchet
    ----
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
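Added here as an illustration, not part of the post above and not Cyrus or Thunderbird code: a small Python diagnostic that checks the two connection modes the post compares, STARTTLS on port 143 and implicit TLS on port 993. Unlike the imtest and s_client runs above, which were started without the site CA and so report "verify error:num=19", it verifies the server chain against a CA file, and it records the capabilities a client sees on the cleartext side of port 143 before it sends STARTTLS (the transcripts in the post were taken after TLS was already up, so they cannot show that). The host name and CA path are placeholders the caller supplies, and SAMPLE_PRETLS_CAPABILITY is a constructed line, not output from the poster's server.

```python
"""Compare IMAP STARTTLS (port 143) with implicit TLS (port 993) and verify the
server chain against a CA file instead of ignoring 'verify error:num=19'."""
import imaplib
import ssl

# Constructed sample of a pre-STARTTLS CAPABILITY line (not taken from the post,
# which only shows capabilities after TLS was already negotiated).
SAMPLE_PRETLS_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID STARTTLS LOGINDISABLED"
)


def parse_capabilities(line):
    """Turn an untagged '* CAPABILITY ...' response into a set of upper-case tokens."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}


def assess_pretls(caps):
    """Summarise what a client may do on the cleartext side of port 143.

    A client configured for 'TLS' on 143 needs STARTTLS advertised here; a server
    that wants to keep passwords off the wire also advertises LOGINDISABLED and
    no AUTH= mechanism until TLS is up."""
    return {
        "starttls_offered": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "auth_mechs": sorted(c for c in caps if c.startswith("AUTH=")),
    }


def _tls_summary(sock):
    """Negotiated protocol version and cipher of an established SSLSocket."""
    return {"version": sock.version(), "cipher": sock.cipher()[0]}


def _quiet_logout(conn):
    try:
        conn.logout()
    except (imaplib.IMAP4.error, OSError):
        pass


def probe_starttls(host, ca_file, port=143, timeout=10):
    """Connect in cleartext, read the pre-TLS capabilities, then upgrade with STARTTLS.

    host and ca_file are placeholders supplied by the caller. Verification uses
    the CA file, so a chain problem surfaces as SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = assess_pretls(set(conn.capabilities))
        conn.starttls(ssl_context=ctx)  # sends STARTTLS, then wraps the socket
        after = _tls_summary(conn.socket())
        after["capabilities_after_tls"] = sorted(conn.capabilities)
        return {"pretls": before, "tls": after}
    finally:
        _quiet_logout(conn)


def probe_implicit_tls(host, ca_file, port=993, timeout=10):
    """Open a TLS session directly on 993 (what the mail clients call 'SSL')."""
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        result = _tls_summary(conn.socket())
        result["capabilities"] = sorted(conn.capabilities)
        return result
    finally:
        _quiet_logout(conn)


if __name__ == "__main__":
    import sys
    # Placeholder defaults; pass a real host and the site CA file on the command line.
    host, ca = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (
        "imap.example.invalid", "/path/to/site-ca.pem")
    for name, probe in (("STARTTLS/143", probe_starttls), ("TLS/993", probe_implicit_tls)):
        try:
            print(name, probe(host, ca))
        except ssl.SSLCertVerificationError as exc:
            print(name, "certificate verification failed:", exc.verify_message)
        except (imaplib.IMAP4.error, OSError) as exc:
            print(name, "failed:", exc)
```

Run it as `python3 probe.py imap.example.invalid /path/to/site-ca.pem` with real values. If the server never advertises STARTTLS on 143, imaplib's starttls() raises an error before any handshake is attempted, which is the kind of condition a client-side "TLS" setting cannot recover from; the 993 probe separately confirms whether the certificate chain verifies against the CA.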
    
