[Dovecot] STARTTLS problem
Hi
I have a problem with STARTTLS; with imaps all is OK. I have tried to connect to the server with different clients (Thunderbird, The Bat, Mulberry) and had the same result. Thunderbird log, for example:
0[284708]: 25c0e08:192.168.4.200:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
1920[25c77c8]: ImapThreadMainLoop entering [this=25c0e08]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:ProcessCurrentURL: entering
1920[25c77c8]: 25c0e08:192.168.4.200:NA:ProcessCurrentURL:imap://test%40my%2Elocal@192.168.4.200:143/select%3E/INBOX: = currentUrl
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=210 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: * OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 1 capability
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=190 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 STARTTLS AUTH=PLAIN AUTH=LOGIN
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=28 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: 1 OK Capability completed.
1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 2 STARTTLS
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=33 needmore=0]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: 2 OK Begin TLS negotiation now.
1920[25c77c8]: 25c0e08:192.168.4.200:NA:SendData: 3 capability
my comment - at this place the process is waiting
1920[25c77c8]: ReadNextLine [stream=25c8020 nb=0 needmore=1]
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b0014
1920[25c77c8]: 25c0e08:192.168.4.200:NA:TellThreadToDie: close socket connection
1920[25c77c8]: 25c0e08:192.168.4.200:NA:CreateNewLineFromSocket: (null)
1920[25c77c8]: 25c0e08:192.168.4.200:NA:ProcessCurrentURL: aborting queued urls
1920[25c77c8]: ImapThreadMainLoop leaving [this=25c0e08]
At the same time, the Dovecot log:
Jul 29 18:33:08 freebsd dovecot: auth(default): new auth connection: pid=3339
Jul 29 18:33:34 freebsd dovecot: imap-login: Disconnected (no auth attempts): rip=192.168.4.100, lip=192.168.4.200, TLS handshaking: Disconnected
What it means, I don't know, because if I try to connect with gnutls-cli it works perfectly.
freebsd# dovecot -n
# 1.1.16: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.2-RELEASE i386 ufs
syslog_facility: local0
protocols: imap imaps pop3 pop3s
ssl_key_file: /etc/ssl/keys/dovecot.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_uid: 4738
mail_gid: 4738
mail_location: maildir:/var/mail/vmail/%d/%n
mail_debug: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): acl
mail_plugins(imap): acl
mail_plugins(pop3):
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: public
  separator: /
  prefix: public/
  location: maildir:/var/mail/vmail/%d/public:INDEX=/var/mail/vmail/%d/%n/public/index:CONTROL=/var/mail/vmail/%d/%n/public/control
  list: yes
  subscriptions: yes
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  debug: yes
  passdb:
    driver: passwd-file
    args: /usr/local/etc/passwd.dovecot
  userdb:
    driver: passwd-file
    args: /usr/local/etc/passwd.dovecot
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
plugin:
  acl: vfile
Any ideas?
Regards, Sergey
On Wed, 29 Jul 2009, Рачков Сергей wrote:
> I have a problem with STARTTLS, with imaps all ok.
Do you have a Cisco Firewall/IDS or a software firewall running between your client and Dovecot? If so, try to disable it for a test.
Some firewalls don't understand that after STARTTLS they have to stop listening / checking the connection.
Bye,
Steffen Kaiser
On 7/29/2009, Steffen Kaiser (skdovecot@smail.inf.fh-brs.de) wrote:
> Do you have a Cisco Firewall/IDS or a software firewall running between your client and Dovecot? If so, try to disable it for a test.
> Some firewalls don't understand that after STARTTLS they have to stop listening / checking the connection.
If it's a Cisco PIX, disable the 'smtp fixup' crap that breaks smtp...
--
Best regards,
Charles
Charles Marcus wrote:
> On 7/29/2009, Steffen Kaiser (skdovecot@smail.inf.fh-brs.de) wrote:
>> Do you have a Cisco Firewall/IDS or a software firewall running between your client and Dovecot? If so, try to disable it for a test.
>> Some firewalls don't understand that after STARTTLS they have to stop listening / checking the connection.
> If it's a Cisco PIX, disable the 'smtp fixup' crap that breaks smtp...
What has the Cisco PIX "smtp fixup" feature got to do with IMAP STARTTLS?
On 7/29/2009, Matthias Andree (matthias.andree@gmx.de) wrote:
>> If it's a Cisco PIX, disable the 'smtp fixup' crap that breaks smtp...
> What has the Cisco PIX "smtp fixup" feature got to do with IMAP STARTTLS?
Obviously, nothing... ;)
Sorry, wrong list (I'm on the postfix list and this is a common reply whenever CISCO is mentioned)...
--
Best regards,
Charles
It's working!!!! Thanks a lot, Steffen! My problem was "Kaspersky Internet Security". It has a "network traffic control" function with an option "check SSL connection"; if this option is checked, everything works; if it is not checked, it doesn't work.
Best regards, Sergey.
----- Original Message -----
From: "Steffen Kaiser" <skdovecot@smail.inf.fh-brs.de>
To: <dovecot@dovecot.org>
Sent: Wednesday, July 29, 2009 8:31 PM
Subject: Re: [Dovecot] STARTTLS problem
On Wed, 29 Jul 2009, Рачков Сергей wrote:
> I have a problem with STARTTLS, with imaps all ok.
Do you have a Cisco Firewall/IDS or a software firewall running between your client and Dovecot? If so, try to disable it for a test.
Some firewalls don't understand that after STARTTLS they have to stop listening / checking the connection.
Bye,
Steffen Kaiser
On Thu, 30 Jul 2009, Рачков Сергей wrote:
> Thanks a lot, Steffen! My problem was "Kaspersky Internet Security". It has a "network traffic control" function with an option "check SSL connection"; if this option is checked, everything works; if it is not checked, it doesn't work.
_Please_ file a bug report with Kaspersky Support. This annoying bug is eons old now.
Regards,
Steffen Kaiser
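An added example, not part of the original thread: a Python probe that walks the same greeting, STARTTLS, TLS-handshake sequence seen in the Thunderbird log and reports the step at which it stops, so a run from the affected client can be compared with a run from another host to tell a server fault from an intermediary interfering after STARTTLS. The function names, the `a1` tag and the stage labels are assumptions of this sketch.

```python
import socket
import ssl
import sys

def _readline(sock):
    """Read one line a byte at a time, so nothing sent after the line is
    buffered across the plaintext/TLS boundary."""
    line = b""
    while not line.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:              # peer closed the connection
            break
        line += chunk
    return line.decode("ascii", "replace").strip()

def probe_imap_starttls(sock, server_hostname, context=None, timeout=5.0):
    """Drive a connected plaintext IMAP socket through STARTTLS.

    Returns (stage, detail): stage is "ok", or the step that failed
    ("greeting", "starttls" or "tls-handshake").
    """
    sock.settimeout(timeout)
    stage = "greeting"
    try:
        greeting = _readline(sock)
        if not greeting.startswith("* OK"):
            return (stage, greeting)
        stage = "starttls"
        sock.sendall(b"a1 STARTTLS\r\n")
        reply = _readline(sock)
        if not reply.startswith("a1 OK"):
            return (stage, reply)
        # From here on every byte must be TLS; a stall or reset at this
        # step matches Dovecot's "TLS handshaking: Disconnected" entry.
        stage = "tls-handshake"
        ctx = context or ssl.create_default_context()
        tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    except OSError as exc:         # covers timeouts and ssl.SSLError
        return (stage, type(exc).__name__)
    with tls:
        return ("ok", tls.version())

if __name__ == "__main__":
    host = sys.argv[1]             # server name supplied by the operator
    with socket.create_connection((host, 143), timeout=5.0) as s:
        print(probe_imap_starttls(s, host))
```

A result of `tls-handshake` from one client machine and `ok` from another against the same server points at something on the first machine's path rather than at Dovecot.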
participants (4)
- Charles Marcus
- Matthias Andree
- Steffen Kaiser
- Рачков Сергей