Re: SSL problem - no banner
Marcio Merlone <marcio.merlone@a1.ind.br> writes:
Only openssl s_client -connect localhost:993 works fine and fast, while all MUAs and telnet do not. Telnet times out waiting for the banner after a minute or so:
root@netuno:~# openssl s_client -connect localhost:993
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
...
root@netuno:~# telnet localhost 993
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
(about 1 minute later...)
Connection closed by foreign host.
You misunderstand how SSL (or TLS) vs STARTTLS works.
SSL/TLS (on port 993) starts negotiating a secure session protocol right after connection, which involves binary exchange of data, certificates, etc. This is what "openssl s_client ..." does, but telnet does not. Only after the SSL handshake completes will you get banners, etc.
STARTTLS starts out as an unencrypted session and thus you'll get the initial banner. The client is then expected to initiate a secure session by issuing a STARTTLS directive, whereupon client and server start the secure session negotiation like above. To test this, you would use
openssl s_client -starttls imap -connect localhost:143
So telnet doesn't work because it does not do SSL. Your MUAs don't work because of the same misunderstanding, or there's some network issue at play.
You need to align your clients to use the security protocol you've enabled.
Joseph Tam <jtam.home@gmail.com>
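The distinction Joseph describes (an implicit-TLS port says nothing until the client sends a ClientHello, while a plaintext/STARTTLS port greets first) can be checked from a script as well as with openssl. The following is an added example, not code from the thread or from Dovecot: it opens a plain TCP connection the way telnet does, classifies what arrives within a short timeout, and then uses the appropriate path (TLS-first via ssl, or banner-then-STARTTLS via imaplib) to fetch the server's capabilities. The host name, ports, timeout values and the tiny fake server used for offline testing are all assumptions made up for this example.

```python
"""Tell an implicit-TLS IMAP port (993) apart from a plaintext/STARTTLS one (143).

Added example for the thread above; not Dovecot code. Host/port values are
assumptions, and start_fake_server() is a constructed stand-in for a real server.
"""
import imaplib
import socket
import ssl
import threading

BANNER_TIMEOUT = 3.0  # seconds to wait for a server-first greeting (assumed value)


def classify_greeting(data: bytes) -> str:
    """Classify what a raw TCP client saw right after connecting.

    b""          -> nothing arrived: an implicit-TLS service is silently waiting
                    for a ClientHello that telnet never sends (the 993 symptom).
    b"* OK ..."  -> plaintext IMAP greeting; STARTTLS is the upgrade path.
    anything else-> plaintext, but not an IMAP greeting.
    """
    if not data:
        return "implicit-tls-or-silent"
    if data.startswith(b"* OK"):
        if b"STARTTLS" in data.upper():
            return "plaintext-imap-starttls-advertised"
        return "plaintext-imap"
    return "plaintext-unknown"


def read_greeting(host: str, port: int, timeout: float = BANNER_TIMEOUT) -> bytes:
    """Do what telnet does: connect in the clear and wait for the server to talk."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""  # server is waiting for us (TLS handshake) instead


def capabilities_implicit_tls(host: str, port: int = 993,
                              timeout: float = BANNER_TIMEOUT) -> bytes:
    """Do what `openssl s_client -connect host:993` does: handshake, then read."""
    ctx = ssl.create_default_context()  # verifies the certificate against the system store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(1024)


def capabilities_starttls(host: str, port: int = 143,
                          timeout: float = BANNER_TIMEOUT) -> tuple:
    """Do what `openssl s_client -starttls imap -connect host:143` does."""
    imap = imaplib.IMAP4(host, port, timeout=timeout)  # reads the plaintext greeting
    try:
        imap.starttls(ssl.create_default_context())   # upgrade, then re-read CAPABILITY
        return imap.capabilities
    finally:
        imap.logout()


def probe(host: str, port: int, timeout: float = BANNER_TIMEOUT) -> dict:
    """Classify a port, then fetch capabilities using the mode that matches it."""
    kind = classify_greeting(read_greeting(host, port, timeout))
    result = {"port": port, "kind": kind}
    if kind == "implicit-tls-or-silent":
        result["greeting"] = capabilities_implicit_tls(host, port, timeout)
    elif kind.startswith("plaintext-imap"):
        result["capabilities"] = capabilities_starttls(host, port, timeout)
    return result


def start_fake_server(greeting: bytes, hold_seconds: float = 5.0) -> int:
    """Constructed stand-in for offline testing: accept one connection on 127.0.0.1,
    send `greeting` (an empty greeting imitates a TLS port waiting for ClientHello),
    keep the socket open for a while, then close. Returns the listening port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            conn.settimeout(hold_seconds)
            try:
                conn.recv(64)  # wait for the client to talk or give up
            except socket.timeout:
                pass
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed host/port values; replace with the server under test.
    for p in (143, 993):
        print(probe("localhost", p))
```

Run it against a real server and the 993 probe reports "implicit-tls-or-silent" followed by the Dovecot greeting obtained only after the TLS handshake, while the 143 probe reports a plaintext greeting and the capability list obtained after STARTTLS. A "plaintext-unknown" classification on 993 would mean the port is not actually serving TLS, which is the network-side issue Joseph mentions as the alternative explanation.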