Hi,
I can no longer connect to Dovecot (IMAP). The connection is
terminated by Dovecot after Client Helo.
My server:
Dovecot 2.3.3
Debian buster/sid
Architecture: ppc
My problems started in late August after upgrading Dovecot.
SSL settings:
ssl_dh = </etc/ssl/dh2048.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers = yes
Client:
OS Android 6.0.1
Aquamail
Log from Dovecot:
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL alert:
where=0x4008, ret=598: fatal unknown
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:14209175:SSL
routines:tls_early_post_process_client_hello:inappropriate
fallback
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error:
SSL_accept() syscall failed: Invalid argument
Sep 15 23:19:02 debian2 dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX,
lip=XXX.XXX.XXX.XXX,TLS handshaking: SSL_accept() syscall failed:
Invalid argument, session=<XXXXXXXXXXX>
Log from client (Aquamail) is a bit longer (see attachment).
I have also listened to the communication using Wireshark. The
last piece of communication is Client Helo. After the client sends
Client Helo, there is no reply from Dovecot and the server closes
the communication.
This is the Client Helo, in the "structured view" iin Wireshark:
Secure Sockets Layer TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 176 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 172 Version: TLS 1.2 (0x0303) Random: 2b7af5ba92040f081a5a3621e9d9cbab2d50b829b7fe755f... Session ID Length: 0 Cipher Suites Length: 62 Cipher Suites (31 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: TLS_FALLBACK_SCSV (0x5600) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 69 Extension: server_name (len=17) Extension: extended_master_secret (len=0) Extension: signature_algorithms (len=22) Type: signature_algorithms (13) Length: 22 Signature Hash Algorithms Length: 20 Signature Hash Algorithms (10 algorithms) Signature Algorithm: rsa_pkcs1_sha512 (0x0601) Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) Signature Algorithm: rsa_pkcs1_sha384 (0x0501) Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) Signature Algorithm: rsa_pkcs1_sha256 (0x0401) Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) Signature Algorithm: SHA224 RSA (0x0301) Signature Algorithm: SHA224 ECDSA (0x0303) Signature Algorithm: rsa_pkcs1_sha1 (0x0201) Signature Algorithm: ecdsa_sha1 (0x0203)
What I tried:
change all possible settings in Dovecot
(ssl_min_protocol, ssl_cipher_list ...)
change certificate I use
I also got in touch with the developer of Aquamail (see our
discussion here:
https://www.aqua-mail.com/forum/index.php?topic=6824.0 ).
The developer was able to reproduce the handshake error. We
believe that the problem is that Dovecot rejects ClientHello as
long as it is wrapped in the TLSv1 Record Layer (see the second
lilne in the Wireshark log). According to the developer, Dovecot
should accept Client Helo wrapped in the TLSv1 Record Layer.
Thank you very much for your help.
Best regards
VB