[Dovecot] Dovecot on Solaris x86?
I'm trying to get dovecot working on Solaris x86. I've got it working just fine on RH Desktop 4; and while I have a built, limping version on solx86, it's not actually usable except from other solx86 systems.
Basic details:
Version 1.0rc23
OS Solaris x86 (64 bit)
CPU Opteron
Filesystem NFS (but it's not getting that far)
The general problem is apparently SSL-related. I can connect properly from another Solaris x86 machine, using either mutt or straight openssl; but when I try mutt from a Solaris or Linux machine, I get the error "SSL failed: I/O error" and it fails, and when I use openssl from a Linux machine, I get something like this:

    victor ~> stelnet xxxxxxxx.ks.uiuc.edu 993
    openssl s_client -connect xxxxxxxx.ks.uiuc.edu:993 -verify -debug
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Illinois/L=Urbana/O=UIUC/OU=[...]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Illinois/L=Urbana/O=UIUC/OU=[...]
    verify return:1
    24748:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Annoyingly, the same command run from a Solaris machine connects, even though mutt doesn't. (I'm using 'mutt -f imaps://xxxx/', which I know works elsewhere; and the Linux mutt is the system default one, so I don't suspect that it is the source of the problem.)
The logs have been remarkably un-useful:
dovecot: Feb 21 09:41:21 Info: imap-login: Disconnected: rip=[...], lip=[...] TLS handshake
The software was built in all cases with:

    ./configure --prefix=/usr/local/encap/dovecot-1.0rc23.1

I've tried with both Sun's native cc and gcc compilers. I have also tried building on SPARC Solaris with the native cc compiler, to the same (negative) effect. (I used to have v0.99.14 running just fine on this SPARC machine, so this worries me... but I only checked it just now as an after-thought.)
Any suggestions?
- Tim Skirvin (tskirvin@ks.uiuc.edu)
-- Theoretical and Computational http://www.ks.uiuc.edu/~tskirvin/ Biophysics, Beckman Institute, UIUC Senior Systems Administrator
I use dovecot with Solaris 10 on x86.
I will point out that the OpenSSL that comes with Solaris 10 is very broken and will generally not work with ... anything. If you go fetch latest OpenSSL, either package from sunfreeware, or build yourself, and make sure to link against "/usr/local/ssl" instead. (I wouldn't advise pkg_rm the system ssl as the PAM module is linked against it, if you want to be able to login).
-- Jorgen Lundman | lundman@lundman.net Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work) Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell) Japan | +81 (0)3 -3375-1767 (home)
At 5:02 PM +0900 2/22/07, Jorgen Lundman wrote:
> I use dovecot with Solaris 10 on x86.
> I will point out that the OpenSSL that comes with Solaris 10 is very broken and will generally not work with ... anything. If you go fetch latest OpenSSL, either package from sunfreeware, or build yourself, and make sure to link against "/usr/local/ssl" instead. (I wouldn't advise pkg_rm the system ssl as the PAM module is linked against it, if you want to be able to login).
I concur.
If you want to use anything Sun isn't giving you with SSL on Solaris, you want to get a standard build of OpenSSL and link anything you need against it, not the not-really-quite-OpenSSL Sun provides.
(incidentally, you don't mention the version of Solaris you are using. That might be relevant)
--
Bill Cole
bill@scconsult.com
Bill Cole wrote:
> At 5:02 PM +0900 2/22/07, Jorgen Lundman wrote:
>> I use dovecot with Solaris 10 on x86.
>> I will point out that the OpenSSL that comes with Solaris 10 is very broken and will generally not work with ... anything. If you go fetch latest OpenSSL, either package from sunfreeware, or build yourself, and make sure to link against "/usr/local/ssl" instead. (I wouldn't advise pkg_rm the system ssl as the PAM module is linked against it, if you want to be able to login).
> I concur.
> If you want to use anything Sun isn't giving you with SSL on Solaris, you want to get a standard build of OpenSSL and link anything you need against it, not the not-really-quite-OpenSSL Sun provides.
> (incidentally, you don't mention the version of Solaris you are using. That might be relevant)
That is one option; the other is to install SUNWcry and SUNWcryr packages; these restore the missing ciphers (removed due to certain countries forbidding import of strong cryptography in years past).
This will be fixed soon in OpenSolaris.
I've added the two packages and have no problem with both dovecot & postfix, using TLS and SMTP AUTH.
- Bart
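
Added example, not part of the original thread: one way to see which cipher suites an OpenSSL build lacks relative to another is to compare their `openssl ciphers -v` listings. The two listings below are constructed samples, and the function names `missing_suites` and `max_bits` are hypothetical.

```shell
#!/bin/sh
# Added example: compare the cipher suites offered by two OpenSSL builds.
# Each listing is the text printed by `openssl ciphers -v`, one suite per line:
#   AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

# Constructed sample listings (not captured from any real host).
REDUCED='AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'
STANDARD='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'

# missing_suites TESTED REFERENCE
# Prints "name encryption" for every suite in REFERENCE absent from TESTED.
missing_suites() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { ref = 1; next }      # separator between the listings
        NF == 0     { next }               # skip blank lines
        !ref        { have[$1] = 1; next } # first listing: remember names
        !($1 in have) {
            enc = "?"
            for (i = 2; i <= NF; i++) if ($i ~ /^Enc=/) enc = substr($i, 5)
            print $1, enc
        }'
}

# max_bits LISTING
# Prints the largest key size found in the Enc=NAME(bits) fields, 0 if none.
max_bits() {
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                  b = $i; sub(/^.*\(/, "", b); sub(/\)$/, "", b)
                  if (b + 0 > max) max = b + 0
              } }
        END { print max + 0 }'
}

echo "strongest in reduced build:  $(max_bits "$REDUCED") bits"
echo "strongest in standard build: $(max_bits "$STANDARD") bits"
echo "suites the reduced build lacks:"
missing_suites "$REDUCED" "$STANDARD"
```

On a real host, pass each build's own output instead of the samples, for example `missing_suites "$(openssl ciphers -v)" "$(/usr/local/ssl/bin/openssl ciphers -v)"`; the second path is an assumption based on the /usr/local/ssl prefix mentioned in the thread.
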
At 10:57 PM -0800 2/23/07, Bart Smaalders wrote:
> Bill Cole wrote:
>> At 5:02 PM +0900 2/22/07, Jorgen Lundman wrote:
>>> I use dovecot with Solaris 10 on x86.
>>> I will point out that the OpenSSL that comes with Solaris 10 is very broken and will generally not work with ... anything. If you go fetch latest OpenSSL, either package from sunfreeware, or build yourself, and make sure to link against "/usr/local/ssl" instead. (I wouldn't advise pkg_rm the system ssl as the PAM module is linked against it, if you want to be able to login).
>> I concur.
>> If you want to use anything Sun isn't giving you with SSL on Solaris, you want to get a standard build of OpenSSL and link anything you need against it, not the not-really-quite-OpenSSL Sun provides.
>> (incidentally, you don't mention the version of Solaris you are using. That might be relevant)
> That is one option; the other is to install SUNWcry and SUNWcryr packages; these restore the missing ciphers (removed due to certain countries forbidding import of strong cryptography in years past).
Thanks for the details. I had not previously analyzed the problem in detail, only addressed the operational issues by writing off the Sun customized version as inadequate (see Sendmail, SSH, etc...)
(I say that as someone who works with almost exclusively Sun gear running Solaris. I love the system overall, but hate the way Sun integrates critical bits of open source.)
--
Bill Cole
bill@scconsult.com
Bill Cole wrote:
> Thanks for the details. I had not previously analyzed the problem in detail, only addressed the operational issues by writing off the Sun customized version as inadequate (see Sendmail, SSH, etc...)
> (I say that as someone who works with almost exclusively Sun gear running Solaris. I love the system overall, but hate the way Sun integrates critical bits of open source.)
This particular problem has been a long-standing irritant, and is getting fixed. There's a pretty active set of communities and mailing lists over at opensolaris.org, so if you've got issues or suggestions, speaking up there would be a pretty effective way of letting those of us actively working on OpenSolaris (both inside and outside of Sun) know.
Thanks -
- Bart
I updated the dovecot wiki a few weeks ago with the details of the problem.
Here's a link: http://wiki.dovecot.org/CompilingSource
- Bart
Bart Smaalders barts@smaalders.net writes:
[...]
>> I've tried with both Sun's native cc and gcc compilers. I have also tried building on SPARC Solaris with the native cc compiler, to the same (negative) effect. (I used to have v0.99.14 running just fine on this SPARC machine, so this worries me... but I only checked it just now as an after-thought.)
> Here's a link: http://wiki.dovecot.org/CompilingSource
I presume you meant 'ssl_cipher_list' instead of 'ss_cipher_list'.
Still, it doesn't work for me, and I'm getting error messages like this:
dovecot: Feb 23 15:00:03 Warning: imap-login: SSL_accept() failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [xxx.xxx.xxx.xxx]
At least a different error message on the client end, though: "SSL failed: unspecified protocol error".
Again, I built with this:
CPPFLAGS=-I/usr/local/ssl/include LDFLAGS='-L/usr/local/ssl/lib -R/usr/local/ssl/lib' ./configure --with-ssl=openssl --prefix=/usr/local/encap/dovecot-1.0.rc23_1
Any more suggestions? Or do you have some binaries I could try?
- Tim Skirvin (tskirvin@ks.uiuc.edu)
-- Theoretical and Computational http://www.ks.uiuc.edu/~tskirvin/ Biophysics, Beckman Institute, UIUC Senior Systems Administrator
I have binaries built for Solaris Nevada against the system ssl libraries, targeted at /usr/local. I just ran ./configure
Do you have your certificates set up correctly? Are ssl_cert_file and ssl_key_file set correctly in dovecot.conf?
- Bart
Bart Smaalders barts@smaalders.net writes:
>> Any more suggestions? Or do you have some binaries I could try?
> I have binaries built for Solaris Nevada against the system ssl libraries, targeted at /usr/local. I just ran ./configure
> Do you have your certificates set up correctly? Are ssl_cert_file and ssl_key_file set correctly in dovecot.conf?
Yes. But the problem was solved by properly finding/installing the SUNWcry package, as suggested on the wiki, and rebuilding with v1.0rc24. It's actually running now, and my users are testing it out.
Thanks for the help! And I'm glad that I get to curse Sun over this, and not anybody else.
- Tim Skirvin (tskirvin@ks.uiuc.edu)
-- Theoretical and Computational http://www.ks.uiuc.edu/~tskirvin/ Biophysics, Beckman Institute, UIUC Senior Systems Administrator