[Dovecot] 2.1.7 TLS issues
Hi,
I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
Thanks in advance
-Christian Rößner
Roessner-Network-Solutions Bachelor of Science Informatik Nahrungsberg 81, 35390 Gießen F: +49 641 5879091, M: +49 176 93118939 USt-IdNr.: DE225643613 http://www.roessner-network-solutions.com
On 2012-06-24 5:58 AM, Christian Rößner c@roessner-network-solutions.com wrote:
> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
Maybe related to the OpenSSL bug that caused the problem (it sometimes helps to read/search emails on this list before posting) discussed just yesterday in this thread:
http://www.mail-archive.com/dovecot@dovecot.org/msg45828.html
?
--
Best regards,
Charles
> Maybe related to the OpenSSL bug that caused the problem (it sometimes helps to read/search emails on this list before posting) discussed just yesterday in this thread:
> http://www.mail-archive.com/dovecot@dovecot.org/msg45828.html
well, the packages I built are still running under 10.04 and therefore the library has not been upgraded to 1.0.1. This is the reason for this post. My question is, if dovecot got some code or anything else that focuses on the newer 1.0.1 library, and maybe broke something in older versions?
-Christian Rößner
Roessner-Network-Solutions Bachelor of Science Informatik Nahrungsberg 81, 35390 Gießen F: +49 641 5879091, M: +49 176 93118939 USt-IdNr.: DE225643613 http://www.roessner-network-solutions.com
On 2012-06-24 6:42 AM, Christian Rößner c@roessner-network-solutions.com wrote:
>> Maybe related to the OpenSSL bug that caused the problem (it sometimes helps to read/search emails on this list before posting) discussed just yesterday in this thread:
>> http://www.mail-archive.com/dovecot@dovecot.org/msg45828.html
> well, the packages I built are still running under 10.04 and therefore the library has not been upgraded to 1.0.1. This is the reason for this post. My question is, if dovecot got some code or anything else that focuses on the newer 1.0.1 library, and maybe broke something in older versions?
Ah, ok, missed that...
Well, sorry I can't help, hopefully Timo will have an answer for you...
--
Best regards,
Charles
On 24.6.2012, at 12.58, Christian Rößner wrote:
> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
What was the Dovecot version you were using previously which worked?
On 24.06.2012 16:19, Timo Sirainen wrote:
> On 24.6.2012, at 12.58, Christian Rößner wrote:
>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
> What was the Dovecot version you were using previously which worked?
Hi Christian, I made my way through all versions of dovecot trunk 2.0.x and since 2.1.5 on lucid 64 with no problems at all, but I recently had big problems compiling other stuff on Ubuntu 12.4 with openssl (didn't check dovecot yet), so my bet goes to the new ssl lib on 12.04. Also there were workarounds in postfix to reflect this ssl update stuff; as far as I remember the ssl lib has some more and new features, which makes software not reflecting this maybe not work or fail sometimes. It may be fixed with setup parameters,
i.e. see here
http://comments.gmane.org/gmane.mail.postfix.user/229196
--snip Viktor Dukhovni:
The OpenSSL API does not provide an interface to allow older programs to disable new protocol versions defined in later versions of the API.
Therefore, to disable TLS 1.1 or 1.2 one has to add code that uses the new constants introduced with OpenSSL 1.0.1.
Proposed patch attached.
That will be a solution for Postfix 2.10.
Meanwhile, for earlier Postfix releases, how much of the problem can be solved by changing from:
mumble_tls_mandatory_protocols = SSLv3, TLSv1
(i.e. the current default) to:
mumble_tls_mandatory_protocols = !SSLv2
I don't mind that the older Postfix versions would not be able to turn on/off protocols that didn't exist at the time Postfix was released.
Wietse
--snipend
I guess there are equal workaround settings possible in dovecot, perhaps with ssl_cipher_list?
http://wiki.dovecot.org/SSL/DovecotConfiguration
sorry, a lot of speculation here as long as I have not tested it myself
-- Best Regards MfG Robert Schetterer
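Added example, not part of the original thread and not Postfix or Dovecot code: a small Python model of the point in the quoted Postfix discussion, that a program can only switch off protocol versions it has constants for. The protocol tables and function names are constructed for illustration, and reading `SSLv3, TLSv1` as an include list and `!SSLv2` as an exclude list mapped onto "disable" flags is an assumption of this model.

```python
# Model of protocol selection through "disable" flags. All names are constructed.

# Protocols the linked TLS library can negotiate (1.0.1 adds the last two).
LIB_1_0_1 = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LIB_OLDER = ["SSLv2", "SSLv3", "TLSv1"]

# Protocol names an application has constants for.
OLD_APP_KNOWN = {"SSLv2", "SSLv3", "TLSv1"}   # built before the 1.0.1 API
NEW_APP_KNOWN = set(LIB_1_0_1)                # patched to use the new constants


def disabled_set(setting, known):
    """Translate a protocol setting into the set of protocols to switch off.

    "SSLv3, TLSv1" is an include list: every *known* protocol not named is
    disabled. "!SSLv2" is an exclude list: only the named ones are disabled.
    A name the application has no constant for cannot be expressed at all.
    """
    include, exclude = set(), set()
    for tok in setting.replace(",", " ").split():
        name = tok.lstrip("!")
        if name not in known:
            raise ValueError(f"unknown protocol name: {name}")
        (exclude if tok.startswith("!") else include).add(name)
    if include:
        exclude |= known - include
    return exclude


def negotiable(setting, known, library):
    """Protocols the library may still negotiate after the setting is applied."""
    off = disabled_set(setting, known)
    return [p for p in library if p not in off]


if __name__ == "__main__":
    for label, known in (("old app", OLD_APP_KNOWN), ("patched app", NEW_APP_KNOWN)):
        for setting in ("SSLv3, TLSv1", "!SSLv2"):
            print(f"{label:11} {setting!r:16} ->",
                  negotiable(setting, known, LIB_1_0_1))
```

In this model the unpatched application leaves TLSv1.1 and TLSv1.2 negotiable under both settings, so an include list written before the library upgrade no longer pins the protocol set it appears to.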
>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
> What was the Dovecot version you were using previously which worked?
I am not sure which version worked. My best guess is 2.1.4 or 2.1.5, because I skipped 2.1.6. But 2.1.6 has the same issues, as my friend Uwe did report the same issues with that one.
@Robert: I am talking about Ubuntu 10.04, so this can not be a problem with openssl itself, as that did not change
-Christian Rößner
Roessner-Network-Solutions Bachelor of Science Informatik Nahrungsberg 81, 35390 Gießen F: +49 641 5879091, M: +49 176 93118939 USt-IdNr.: DE225643613 http://www.roessner-network-solutions.com
On 24 Jun 2012, at 21:20, Christian Rößner wrote:
>>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>>> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
>> What was the Dovecot version you were using previously which worked?
> I am not sure which version worked. My best guess is 2.1.4 or 2.1.5, because I skipped 2.1.6. But 2.1.6 has the same issues, as my friend Uwe did report the same issues with that one.
> @Robert: I am talking about Ubuntu 10.04, so this can not be a problem with openssl itself, as that did not change
I've seen problems with all kinds of clients and servers, even with Dovecot 1.x where TLS/Auto settings fail and I simply always instruct end users to explicitly choose 993/SSL to get a good TLS connection reliably.
It seems like it might not be so version-specific or even anything wrong at the server end.
James.
>>>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>>>> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
>>> What was the Dovecot version you were using previously which worked?
>> I am not sure which version worked. My best guess is 2.1.4 or 2.1.5, because I skipped 2.1.6. But 2.1.6 has the same issues, as my friend Uwe did report the same issues with that one.
>> @Robert: I am talking about Ubuntu 10.04, so this can not be a problem with openssl itself, as that did not change
> I've seen problems with all kinds of clients and servers, even with Dovecot 1.x where TLS/Auto settings fail and I simply always instruct end users to explicitly choose 993/SSL to get a good TLS connection reliably.
> It seems like it might not be so version-specific or even anything wrong at the server end.
I never had such problems before. When I was coding automx, all tests succeeded with Dovecot and Outlook 2007/2010 and also Thunderbird was working perfectly. So in my opinion this is a version specific problem, as it started somewhere in 2.1.4+. I am using Dovecot since 1.0 (something like this) and never had 143/TLS problems
Best regards Christian
On 24.6.2012, at 23.20, Christian Rößner wrote:
>>> I have an interesting problem: I am building dovecot packages for Ubuntu since 10.04. Never had bigger trouble with it. Now since 2.1.6 or 2.1.7 (I can not say more precisely), Thunderbird 10ESR and Outlook 2010 can no longer use 143/TLS correctly. Automx delivers 143/TLS and Outlook tells me that it can not create a secure connection. I changed automx to use 993/SSL and everything works. Under Thunderbird 10ESR, I get a box that tells me that I need to change settings. When I sent mail, TB told me that it could not copy the mail to the sent folder. I also changed to 993/SSL and everything is perfect.
>>> At the other end, Apple's Mail.app and iOS devices work perfectly over 143/TLS. So my guess is that it has to do with OpenSSL. Did something change in dovecot concerning TLS? Can I change options in the build process?
>> What was the Dovecot version you were using previously which worked?
> I am not sure which version worked. My best guess is 2.1.4 or 2.1.5, because I skipped 2.1.6. But 2.1.6 has the same issues, as my friend Uwe did report the same issues with that one.
Well, there haven't been many changes in the SSL code. The only thing I can think of is this memory leak fix, which temporarily wasn't implemented correctly. You could try what happens if you revert it:
changeset:   14418:85ad4baedd43
user:        Timo Sirainen tss@iki.fi
date:        Thu Apr 12 10:48:55 2012 +0300
summary:     login: Another attempt at fixing SSL memory leak.

changeset:   14417:f80f18d0ffa3
user:        Timo Sirainen tss@iki.fi
date:        Thu Apr 12 10:41:44 2012 +0300
summary:     login: Reverted memory leak fix, because it broke some SSL setups?

changeset:   14416:584bd77c38fd
user:        Timo Sirainen tss@iki.fi
date:        Wed Apr 11 19:06:44 2012 +0300
summary:     Memory leak fixes.
participants (5)
- Charles Marcus
- Christian Rößner
- J E Lyon
- Robert Schetterer
- Timo Sirainen