Dovecot 2.2.27 & windows 10 outlook (no auth attempts in 0 secs) error.
Hello.
Few days ago upgraded from v2.2.26.0 >v2.2.27 and now windows 10, with any outlook version (2007,2010,2013,2016) doesn't connect IMAP SSL:
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]
Dec 12 12:29:35 server dovecot: imap-login: Debug: SSL error: Disconnected
Dec 12 12:29:35 server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): x.x.x.x, TLS handshaking: Disconnected
Is this a bug or some new feature? How to fix it?
-- Mart
On 12.12.2016 13:00, Mart Pirita wrote:
Hello.
Few days ago upgraded from v2.2.26.0 >v2.2.27 and now windows 10, with any outlook version (2007,2010,2013,2016) doesn't connect IMAP SSL:
Is this a bug or some new feature? How to fix it?
Can you do
doveconf -a | grep auth_mech
Aki
Aki Tuomi wrote:
Can you do
doveconf -a | grep auth_mech
auth_mechanisms = plain login
P.S. Seems this 2.2.24 is the last win10 compatible version (as my testserver doesn't have win10 users and thunderbird works well), any newer version gives an error. However I didn't find any hint from http://www.dovecot.org/list/dovecot-news/2016-July/000324.html etc.
-- Mart
On 12.12.2016 13:29, Mart Pirita wrote:
Aki Tuomi wrote:
Can you do
doveconf -a | grep auth_mech
auth_mechanisms = plain login
P.S. Seems this 2.2.24 is the last win10 compatible version (as my testserver doesn't have win10 users and thunderbird works well), any newer version gives an error. However I didn't find any hint from http://www.dovecot.org/list/dovecot-news/2016-July/000324.html etc.
https://wiki2.dovecot.org/Debugging/Rawlog
can you try this to get rawlogs to find out what happens?
Aki
Aki Tuomi wrote:
https://wiki2.dovecot.org/Debugging/Rawlog
can you try this to get rawlogs to find out what happens?
Aki
I'm a bit confused, how this rawlog works. I did:
doveadm user -u kaka
userdb: kaka
user : kaka
system_groups_user: kaka
uid : 566
gid : 566
home : /home/kaka
ls -al /home/kaka
total 16
drwx------ 4 kaka kaka 4096 Dec 12 15:36 .
drwxr-xr-x 12 root root 4096 Dec 12 12:41 ..
drwx------ 2 kaka kaka 4096 Dec 12 12:41 dovecot.rawlog
drwx------ 2 kaka kaka 4096 Dec 12 12:41 Maildir
Added into dovecot.conf:
protocol imap {
  rawlog_dir = /tmp/rawlog/%u
}
service imap {
  executable = imap postlogin
}
service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}
But /tmp/rawlog/kaka/ and /home/kaka/dovecot.rawlog/ are empty. What did I miss?
The whole conf:
listen = *
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_group_events = no
  mail_log_fields = uid box msgid size from subject vsize
}
login_log_format_elements = %u %r %m %c
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
  executable = imap postlogin
}
service pop3 {
}
service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}
service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
disable_plaintext_auth = no
auth_cache_size = 1024
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 1 hour
auth_failure_delay = 60 secs
auth_mechanisms = plain login
passdb {
  driver = pam
  args = cache_key=%u%r%s *
}
userdb {
  driver = passwd
}
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib/dovecot
mail_plugins = $mail_plugins mail_log notify
maildir_very_dirty_syncs = yes
protocol imap {
  mail_max_userip_connections = 90
  imap_logout_format = bytes=%i/%o
  imap_client_workarounds = tb-extra-mailbox-sep delay-newmail
  rawlog_dir = /tmp/rawlog/%u
}
protocol pop3 {
  pop3_logout_format = bytes=%i/%o, del=%d/%m, size=%s
  mail_max_userip_connections = 9
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
ssl_cert =
-- Mart
Edit: When using win8, then logs started to appear in dovecot.rawlog. But as win10 gives error in ssl level, before user authentication, then no debug logs will be written into user dovecot.rawlog folder.
So how to debug this ssl issue?
-- Mart
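One way to approach "how to debug this ssl issue" from the server side, as an added example that is not part of the original thread or of Dovecot: it decodes the where= values in the imap-login debug lines from the first message using OpenSSL's info-callback flag bits and reports which handshake steps completed before the disconnect. The function names, the verdict wording and the "SSL alert:" line prefix are assumptions.

```python
import re

# Flag bits OpenSSL passes to its info callback (ssl.h); Dovecot logs them as where=0x...
SSL_CB_LOOP, SSL_CB_EXIT = 0x01, 0x02
SSL_CB_HANDSHAKE_DONE, SSL_CB_ALERT = 0x20, 0x4000
# The "SSL alert:" prefix is an assumption; the log on this page contains no alert line.
STATE = re.compile(r"SSL(?: failed| alert)?: where=(0x[0-9a-fA-F]+)"
                   r"(?:, ret=(-?\d+))?: (.+?) \[([^\]]+)\]$")
CLOSE = re.compile(r"imap-login: Disconnected \((.+?)\): (\S+?), (.+)$")

def verdict(s):
    """Summarise one connection's handshake from the recorded callback states."""
    if s["done"]:
        return "handshake completed"
    if s["alert"]:
        return "aborted by TLS alert: " + s["alert"]
    sent = [st for st in s["completed"] if " write " in st]
    if sent and s["stalled"]:
        return "peer closed without an alert after server sent: " + ", ".join(sent)
    return "peer closed before the server sent any handshake message"

def analyze(lines):
    """Return {client_ip: summary} for every connection that logged a disconnect."""
    sessions, results = {}, {}
    new = lambda: {"completed": [], "stalled": None, "alert": None, "done": False}
    for line in map(str.strip, lines):
        m, c = STATE.search(line), CLOSE.search(line)
        if m:
            where, ret, state, ip = int(m.group(1), 16), m.group(2), m.group(3), m.group(4)
            s = sessions.setdefault(ip, new())
            if where & SSL_CB_ALERT:
                s["alert"] = state
            elif where & SSL_CB_HANDSHAKE_DONE:
                s["done"] = True
            elif where & SSL_CB_LOOP:      # a handshake step finished
                s["completed"].append(state)
            elif where & SSL_CB_EXIT and (ret is None or int(ret) <= 0):
                s["stalled"] = state       # the step that could not finish
        elif c:
            reason, ip, detail = c.groups()
            s = sessions.pop(ip, new())
            results[ip] = dict(s, reason=reason, detail=detail, verdict=verdict(s))
    return results

# Log lines from the first message (address masked there as x.x.x.x; repeats omitted).
P = "Dec 12 12:29:35 server dovecot: imap-login: "
SAMPLE = [P + t for t in (
    "Debug: SSL: where=0x10, ret=1: before/accept initialization [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: before/accept initialization [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [x.x.x.x]",
    "Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [x.x.x.x]",
    "Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]",
    "Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]",
    "Disconnected (no auth attempts in 0 secs): x.x.x.x, TLS handshaking: Disconnected",
)]

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE).items():
        print(ip, "|", r["verdict"], "| stalled at:", r["stalled"])
```

On the log from this thread the verdict lists the server hello, certificate, key exchange and server done as sent and the stall at "SSLv3 read client certificate A", so the client dropped the connection in response to the server's flight, before any IMAP authentication.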
On 12.12.2016 16:21, Mart Pirita wrote:
Edit: When using win8, then logs started to appear in dovecot.rawlog. But as win10 gives error in ssl level, before user authentication, then no debug logs will be written into user dovecot.rawlog folder.
So how to debug this ssl issue?
This sounds like issue with SSL itself. Is your certificate self-signed or issued by some trusted CA?
Aki
On 12/12/2016 10:42 AM, Aki Tuomi wrote:
This sounds like issue with SSL itself. Is your certificate self-signed or issued by some trusted CA?
Aki
I don't mean to butt in but my dovecot-2.2.27 running on CentOS 6/CentOS 7 with Outlook 2007/2013 is working just fine. Also, Outlook doesn't allow storage of a certificate like Thunderbird but it does allow you to accept it (every time one opens Outlook) and open.
On 12.12.2016 20:21, Mart Pirita wrote:
Eric Broch wrote:
Also, Outlook doesn't allow storage of a certificate like Thunderbird but it does allow you to accept it (every time one opens Outlook) and open.
Install certificate to the trusted root and no pop-ups -s anymore:).
Or spend 10 minutes to get one from LetsEncrypt for free? =)
Aki
Edit: Maybe it's the DH file issue (like https://i-mscp.net/index.php/Thread/10005-Notice-SSL-for-services-with-Couri...), so added to the conf:
ssl_dh_parameters_length = 2048
removed old file /usr/var/lib/dovecot/ssl-parameters.dat and dovecot generated new file. Still same error.
Started to look at file timestamps and found the reason. I have a RH based custom distro and I'm using self compiled openssl, simple make, without any special options:
./config --prefix=/usr/local/ssl && make && make install
And at some point, after building dovecot 2.2.24, I built new openssl, openssl-1.0.1t and with this and also with latest openssl-1.0.2j dovecot builds fine but doesn't work with windows 10. So finally I built latest openssl-0.9.8zh and dovecot 2.2.27 against it and windows 10 works like a charm.
But I'm still curious, why latest openssl and latest dovecot doesn't work for windows 10. As new openssl should even provide more options, than older.
/usr/local/ssl/bin/openssl version -a
OpenSSL 0.9.8za 5 Jun 2014
built on: Wed Aug 6 15:45:46 EEST 2014
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl/ssl"
/usr/local/ssl/bin/openssl version -o
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
##################
/usr/local/ssl/bin/openssl version -a
OpenSSL 1.0.2j 26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-elf
options: bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl/ssl"
/usr/local/ssl/bin/openssl version -o
options: bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) blowfish(idx)
###############
-- Mart
participants (3)
- Aki Tuomi
- Eric Broch
- Mart Pirita