[Dovecot] Managesieve connection hangs with TLS
Hello,
I've got dovecot 1.2.11 running on Fedora 12 (x86_64) with the managesieve protocol and sieve plugins enabled, with deliver handling local delivery. I've set
disable_plaintext_auth = yes
ssl = yes
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
mail_debug = yes

protocol managesieve {
  listen = *:2000
  login_executable = /usr/libexec/dovecot/managesieve-login
  mail_executable = /usr/libexec/dovecot/managesieve
}
and generated local SSL certificates; everything is going fine on the IMAP end of things (clients ask if I trust the certificate the first time, etc.). I've opened the appropriate ports, etc. No problems with mail delivery.
However, I can't connect to the managesieve daemon. I've tried the Emacs client[1], and it just hangs. I tried manual login to port 2000 and here's what happened:
joel@chondestes: /etc/mail > gnutls-cli --starttls -p 2000 localhost
Resolving 'localhost'...
Connecting to '127.0.0.1:2000'...

- Simple Client Mode:

"IMPLEMENTATION" "dovecot"
"SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
"SASL" "PLAIN"
"STARTTLS"
"NOTIFY" "mailto"
"VERSION" "1.0"
OK "Dovecot ready."
*** Starting TLS handshake
C-c C-c
That last line is me hanging up in Emacs' shell buffer because nothing was happening.
Sorry to sound like such a newbie, but what do I need on the client end to complete the TLS transaction? What else do I need to set up to get managesieve to connect?
Thanks,
Joel
Footnotes: [1] http://josefsson.org/sieve/
-- Joel J. Adamson Servedio Lab University of North Carolina at Chapel Hill
FSF Member #8164 http://www.unc.edu/~adamsonj
On to, 2010-06-03 at 12:51 -0400, Joel James Adamson wrote:

> However, I can't connect to the managesieve daemon. I've tried the Emacs client[1], and it just hangs.

Cyrus's version of managesieve was implemented differently than the spec, and since it was pretty much the only implementation, many clients just made it work the Cyrus way. Cyrus was somewhat recently fixed, but there are still clients that work the old way. Maybe Emacs is one of them.

> "IMPLEMENTATION" "dovecot"
> "SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
> "SASL" "PLAIN"
> "STARTTLS"
> "NOTIFY" "mailto"
> "VERSION" "1.0"
> OK "Dovecot ready."
> *** Starting TLS handshake
> C-c C-c

You didn't give the STARTTLS command. http://tools.ietf.org/html/draft-martin-managesieve-12
Hi Timo, thanks for getting back to me.
Timo Sirainen tss@iki.fi writes:

> On to, 2010-06-03 at 12:51 -0400, Joel James Adamson wrote:
>
>> However, I can't connect to the managesieve daemon. I've tried the Emacs client[1], and it just hangs.
>
> Cyrus's version of managesieve was implemented differently than the spec, and since it was pretty much the only implementation, many clients just made it work the Cyrus way. Cyrus was somewhat recently fixed, but there are still clients that work the old way. Maybe Emacs is one of them.

Yes, I believe that's the case, but my real point was that this problem isn't client-specific.

>> "IMPLEMENTATION" "dovecot"
>> "SIEVE" "comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"
>> "SASL" "PLAIN"
>> "STARTTLS"
>> "NOTIFY" "mailto"
>> "VERSION" "1.0"
>> OK "Dovecot ready."
>> *** Starting TLS handshake
>> C-c C-c
>
> You didn't give the STARTTLS command. http://tools.ietf.org/html/draft-martin-managesieve-12
Thanks: now that I did that, I get that the hostname doesn't match the one in the certificate, since I was using "localhost" in the gnutls-cli command, and the certificate has the FQDN.
Now that I use my FQDN, I get this:
Resolving 'host.name.in.question.edu'...
Connecting to '::1:2000'...
Cannot connect to host.name.in.question.edu:2000: Connection refused
I thought this might be the problem:
joel@hostname: ~ > nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-04 15:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00075s latency).
rDNS record for 127.0.0.1: hostname
Not shown: 990 closed ports
PORT       STATE SERVICE
22/tcp     open  ssh
25/tcp     open  smtp
80/tcp     open  http
443/tcp    open  https
631/tcp    open  ipp
993/tcp    open  imaps
=>2000/tcp open  cisco-sccp<=
3306/tcp   open  mysql
5900/tcp   open  vnc
6000/tcp   open  X11

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
But when I use a different port, enabled in dovecot.conf and opened from the firewall, I still get connection refused from gnutls-cli. This could be from our campus firewall.
Just how safe is it to create a certificate that says "localhost"? I could just use Squirrelmail's Avelsieve to manipulate my Sieve scripts.
Joel
-- Joel J. Adamson Servedio Lab University of North Carolina at Chapel Hill
FSF Member #8164 http://www.unc.edu/~adamsonj
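The exchange Timo points to, plus the hostname check Joel then ran into, as an added Python example that is not part of the thread: read the capability greeting, send STARTTLS only after the server advertises it, and hand the socket to ssl with the server's FQDN so certificate verification stays on. The GREETING transcript is the one from the page with the SIEVE list shortened; `negotiate_tls` is a hypothetical helper name, not a Dovecot or gnutls API.

```python
import re
import ssl

# Greeting captured on the page from Dovecot 1.2.11 (SIEVE list shortened):
# one "NAME" ["value"] per CRLF line, terminated by an OK line.
GREETING = ('"IMPLEMENTATION" "dovecot"\r\n"SIEVE" "fileinto reject vacation"\r\n'
            '"SASL" "PLAIN"\r\n"STARTTLS"\r\n"NOTIFY" "mailto"\r\n'
            '"VERSION" "1.0"\r\nOK "Dovecot ready."\r\n')

def read_response(readline):
    """Read lines until OK/NO/BYE; return (capabilities, ok).
    readline() yields one CRLF-terminated bytes line, b"" on EOF."""
    caps = {}
    while raw := readline():
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line.startswith("OK"):
            return caps, True
        if line.startswith(("NO", "BYE")):
            return caps, False
        parts = re.findall(r'"([^"]*)"', line)
        if parts:
            caps[parts[0]] = parts[1] if len(parts) > 1 else ""
    raise ConnectionError("peer closed before the response ended")

def replay(text):
    """readline() callable over a captured transcript (used for testing)."""
    lines = iter(text.encode().splitlines(keepends=True))
    return lambda: next(lines, b"")

def sock_readline(sock):
    """Byte-wise readline so nothing is buffered past the switch to TLS."""
    buf = bytearray()
    while not buf.endswith(b"\n") and (b := sock.recv(1)):
        buf += b
    return bytes(buf)

def negotiate_tls(sock, hostname, ctx=None):
    """Greeting -> STARTTLS -> OK -> TLS handshake, verifying the certificate
    against `hostname` (the FQDN in the cert, not 'localhost')."""
    caps, ok = read_response(lambda: sock_readline(sock))
    if not ok or "STARTTLS" not in caps:
        raise RuntimeError("server did not offer STARTTLS")
    sock.sendall(b"STARTTLS\r\n")              # the command the thread was missing
    _, ok = read_response(lambda: sock_readline(sock))
    if not ok:
        raise RuntimeError("server refused STARTTLS")
    ctx = ctx or ssl.create_default_context()  # chain and hostname checks enabled
    tls = ctx.wrap_socket(sock, server_hostname=hostname)
    caps, _ = read_response(lambda: sock_readline(tls))  # capabilities re-sent
    return tls, caps
```

Against a live server, pass a connected socket and the certificate's FQDN: `negotiate_tls(socket.create_connection((fqdn, 2000)), fqdn)`; a hostname mismatch then surfaces as an ssl.CertificateError rather than a hang.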