Hi,

I can no longer connect to Dovecot (IMAP). The connection is terminated by Dovecot after Client Helo.

My server:
Dovecot 2.3.3
Debian buster/sid
Architecture: ppc

My problems started in late August after upgrading Dovecot.

SSL settings:
ssl_dh = </etc/ssl/dh2048.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers = yes

Client:
OS Android 6.0.1
Aquamail

Log from Dovecot:

Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=598: fatal unknown
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
Sep 15 23:19:02 debian2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX,TLS handshaking: SSL_accept() syscall failed: Invalid argument, session=<XXXXXXXXXXX>

Log from client (Aquamail) is a bit longer (see attachment).


I have also listened to the communication using Wireshark. The last piece of communication is Client Helo. After the client sends Client Helo, there is no reply from Dovecot and the server closes the communication.

This is the Client Helo, in the "structured view" iin Wireshark:

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 176
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 172
            Version: TLS 1.2 (0x0303)
            Random: 2b7af5ba92040f081a5a3621e9d9cbab2d50b829b7fe755f...
            Session ID Length: 0
            Cipher Suites Length: 62
            Cipher Suites (31 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                Cipher Suite: TLS_FALLBACK_SCSV (0x5600)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 69
            Extension: server_name (len=17)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=22)
                Type: signature_algorithms (13)
                Length: 22
                Signature Hash Algorithms Length: 20
                Signature Hash Algorithms (10 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: ecdsa_sha1 (0x0203)


What I tried:

I also got in touch with the developer of Aquamail (see our discussion here: https://www.aqua-mail.com/forum/index.php?topic=6824.0 ).

The developer was able to reproduce the handshake error. We believe that the problem is that Dovecot rejects ClientHello as long as it is wrapped in the TLSv1 Record Layer (see the second lilne in the Wireshark log). According to the developer, Dovecot should accept Client Helo wrapped in the TLSv1 Record Layer.

Thank you very much for your help.

Best regards

VB