On 2013-09-17 09:08, Jerry wrote:
On Tue, 17 Sep 2013 09:01:49 -0400 Dan Langille articulated:
On 2013-09-17 08:43, Reindl Harald wrote:
On 17.09.2013 14:39, Dan Langille wrote:
On 2013-09-16 20:28, Noel Butler wrote:
Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
But, if it does work on port 143 with TLS I wouldn't worry too much about it
tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
It seems that TLS is not supported by my client. Pity.
iPhone is the worst mail client on this planet but for sure supports TLS
Apple is the same as Microsoft here
- remove the account completely
- add it again and it will detect that encryption is available
Done. But tcpdump is still showing me plain text.
# dovecot -n
# 2.1.16: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
    port = 0
  }
}
ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
Show the entire dump from when you first attempt to make a connection to the start of message transmission.
13:22:17.985508 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [S], seq 2703590158, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 773682446 ecr 0,sackOK,eol], length 0
EH.@?.@.3._...U2.........%.................Z....... ..u.........
13:22:17.985579 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [S.], seq 2030926149, ack 2703590159, win 65535, options [mss 1370,nop,wscale 6,sackOK,TS val 2484342793 ecr 773682446], length 0
yE.%......w......Z....... ... ..u.
13:22:18.066507 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 1, win 8232, options [nop,nop,TS val 773682522 ecr 2484342793], length 0
yF.. (........U2.........%..y ..uZ...
13:22:18.093983 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 1:113, ack 1, win 1039, options [nop,nop,TS val 2484342901 ecr 773682522], length 112
yF.%......R.......U2....y ...u..uZ* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
13:22:18.224227 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 113, win 8225, options [nop,nop,TS val 773682659 ecr 2484342901], length 0
y... !.9......U2.........%..y ..u....u
It was after this that the login details were passed. That was in plain text, and omitted from this paste.
13:22:18.245486 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 113:432, ack 32, win 1039, options [nop,nop,TS val 2484343053 ecr 773682667], length 319
y..%..............U2....y ..u.1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
13:22:18.311309 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 432, win 8205, options [nop,nop,TS val 773682774 ecr 2484343053], length 0
........3.s...U2.........%..y ..vV...
13:22:18.384236 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [P.], seq 32:121, ack 432, win 8205, options [nop,nop,TS val 773682824 ecr 2484343053], length 89
.!......3.6...U2.........%..y 2 ID ("name" "iPhone Mail" "version" "10B350" "os" "iOS" "os-version" "6.1.4 (10B350)")
13:22:18.384634 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 432:462, ack 121, win 1039, options [nop,nop,TS val 2484343192 ecr 773682824], length 30
z..%..............U2....y ......v.* ID NIL
2 OK ID completed.
13:22:18.455096 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 462, win 8204, options [nop,nop,TS val 773682899 ecr 2484343192], length 0
{... ..f......U2.........%..y ..v.....
13:22:18.464945 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [P.], seq 121:136, ack 462, win 8204, options [nop,nop,TS val 773682901 ecr 2484343192], length 15
{... .........U2.........%..y ..v.....3 LIST "" "*"
-- Dan Langille - http://langille.org/
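
Added example, not part of the original thread: a small Python check that replays the cleartext IMAP lines recovered from a capture like the one above and reports whether STARTTLS was offered and whether LOGIN or AUTHENTICATE was sent before TLS began. The transcripts are constructed, the LOGIN line is a placeholder because the post omitted it, and audit_imap_session is a hypothetical helper name.

```python
import re

# Constructed transcripts modelled on the capture above: (direction, line).
# "C" = client to server, "S" = server to client. The LOGIN line is a
# placeholder; the post omitted the real one.
SAMPLE_PLAINTEXT = [
    ("S", "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready."),
    ("C", "1 LOGIN user@example.org placeholder-password"),
    ("S", "1 OK [CAPABILITY IMAP4rev1 IDLE] Logged in"),
    ("C", '2 ID ("name" "iPhone Mail")'),
]
SAMPLE_STARTTLS = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."),
    ("C", "1 STARTTLS"),
    ("S", "1 OK Begin TLS negotiation now."),
    # Everything after this point is ciphertext and never reaches the parser.
]

CMD = re.compile(r"^(\S+) (\S+)")  # IMAP tag, then command or status word

def audit_imap_session(lines):
    """Return findings for one cleartext IMAP session (hypothetical helper)."""
    result = {"starttls_offered": False, "logindisabled": False,
              "tls_started": False, "cleartext_auth": []}
    pending_starttls = None  # tag of a STARTTLS command awaiting its OK
    for direction, line in lines:
        m = CMD.match(line)
        if not m:
            continue
        tag, word = m.group(1), m.group(2).upper()
        if direction == "S":
            caps = re.search(r"CAPABILITY ([^\]]*)", line)
            if caps:
                names = caps.group(1).upper().split()
                result["starttls_offered"] |= "STARTTLS" in names
                result["logindisabled"] |= "LOGINDISABLED" in names
            if pending_starttls and tag == pending_starttls and word == "OK":
                result["tls_started"] = True
                break  # the rest of the stream is TLS records
        elif word == "STARTTLS":
            pending_starttls = tag
        elif word in ("LOGIN", "AUTHENTICATE"):
            # Readable by the sniffer at all means it was sent before TLS.
            result["cleartext_auth"].append(f"{tag} {word}")
    return result
```

With disable_plaintext_auth = no, as in the posted configuration, Dovecot accepts the cleartext login modelled in the first transcript; when that setting is yes it advertises LOGINDISABLED on non-TLS connections, which is what the second transcript models.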