[Dovecot] 2.1.7 TLS issues

Robert Schetterer robert at schetterer.org
Sun Jun 24 20:42:39 EEST 2012 

Am 24.06.2012 16:19, schrieb Timo Sirainen:
> On 24.6.2012, at 12.58, Christian Rößner wrote:
> 
>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delvers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>>
>> At the other and, Apples Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the built process?
> 
> What was the Dovecot version you were using previously which worked?
> 

Hi Christian, i made all the way trough all versions of dovecot trunk
2.0.x and since 2.1.5 on lucid 64
no problems at , but i recent had big problems with compile other stuff
on ubuntu 12.4 with openssl ( didnt checked dovecot yet )
so my bet goes to the new ssl lib on 12.04
also there were workarounds in postfix to reflect this ssl update stuff,
as far i remember hte ssl lib has some more and new features wich makes
software
not reflecting this ,may not work or fail sometimes, it may fixed  with
setup parameters

i.e see here

http://comments.gmane.org/gmane.mail.postfix.user/229196

--snip
Viktor Dukhovni:
> The OpenSSL API does not provide an interface to allow older programs
> to disable new protocol versions defined in later versions of the API.
>
> Therefore, to disable TLS 1.1 or 1.2 one has to add code that uses
> the new constants introduced with OpenSSL 1.0.1.
>
> Proposed patch attached.

That will be a solution for Postfix 2.10.

Meanwhile, for earlier Postfix releases, how much of the problem
can be solved by changing from:

    mumble_tls_mandatory_protocols = SSLv3, TLSv1

(i.e. the current default) to:

    mumble_tls_mandatory_protocols = !SSLv2

I don't mind that the older Postfix versions would not be able to
turn on/off protocols that didn't exist at the time Postfix was
released.

	Wietse
--snipend


i guees there are equal workarounds settings possible in dovecot
perhaps with ssl_cipher_list ?

http://wiki.dovecot.org/SSL/DovecotConfiguration

sorry lot of speculate here until not testet myself


-- 
Best Regards
MfG Robert Schetterer

More information about the dovecot mailing list