Proxy problem: "[COMPRESSIONACTIVE] TLS compression already enabled"
We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
But why?
Capabilities reported by the proxy:
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE SEARCH=FUZZY COMPRESS=DEFLATE QUOTA] Logged in
Capabilities of the backend servers when connecting directly:
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE SEARCH=FUZZY COMPRESS=DEFLATE QUOTA] Logged in
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263 Executive board: Patrick Ben Koetter, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein
On 14 Oct 2014, at 15:24, Ralf Hildebrandt r@sys4.de wrote:
> We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
> When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
> But why?
Is the connection from proxy to backend using SSL? Did this work in an earlier Dovecot version?
- Timo Sirainen wrote on 15.10.14 at 00:57:
> On 14 Oct 2014, at 15:24, Ralf Hildebrandt r@sys4.de wrote:
>> We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
>> When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
>> But why?
> Is the connection from proxy to backend using SSL? Did this work in an earlier Dovecot version?
I talked to Ralf about this issue today. Yes, proxy to backend is using ssl. And yes when proxy is talking to a 2.1.17 backend there is no issue.
-Marc
On 14 Oct 2014, at 16:10, Marc Schiffbauer m@sys4.de wrote:
> - Timo Sirainen wrote on 15.10.14 at 00:57:
>> On 14 Oct 2014, at 15:24, Ralf Hildebrandt r@sys4.de wrote:
>>> We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
>>> When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
>>> But why?
>> Is the connection from proxy to backend using SSL? Did this work in an earlier Dovecot version?
> I talked to Ralf about this issue today. Yes, proxy to backend is using ssl. And yes when proxy is talking to a 2.1.17 backend there is no issue.
Right .. If the TLS connection already has compression enabled, Dovecot will refuse the COMPRESS command. But it should be checking this against the original client's TLS connection and not the proxy's. As a workaround you could set in Dovecot backends "ssl_options = no_compression". I'll try to figure out how this should be fixed properly.
On 14 Oct 2014, at 16:39, Timo Sirainen tss@iki.fi wrote:
> On 14 Oct 2014, at 16:10, Marc Schiffbauer m@sys4.de wrote:
>> - Timo Sirainen wrote on 15.10.14 at 00:57:
>>> On 14 Oct 2014, at 15:24, Ralf Hildebrandt r@sys4.de wrote:
>>>> We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
>>>> When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
>>>> But why?
>>> Is the connection from proxy to backend using SSL? Did this work in an earlier Dovecot version?
>> I talked to Ralf about this issue today. Yes, proxy to backend is using ssl. And yes when proxy is talking to a 2.1.17 backend there is no issue.
> Right .. If the TLS connection already has compression enabled, Dovecot will refuse the COMPRESS command. But it should be checking this against the original client's TLS connection and not the proxy's. As a workaround you could set in Dovecot backends "ssl_options = no_compression". I'll try to figure out how this should be fixed properly.
After thinking about this for a while, I decided to simply remove the check: http://hg.dovecot.org/dovecot-2.2/rev/e3b9cd19c33d
Annoyingly it now leaves a bunch of unused code for setting the tls_compression flag. But it's a bit annoying to remove that code also.
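Added example, not part of the thread and not Dovecot code: a small transcript scanner that pairs each COMPRESS command with its tagged reply, so sessions that hit the [COMPRESSIONACTIVE] refusal discussed above can be told apart from other failures. The "C:"/"S:" transcript format, the sample lines and the function name are assumptions made for illustration.

```python
import re

# Constructed transcript of three sessions (C: client, S: server).
SAMPLE = """\
C: a1 LOGIN user1 secret
S: a1 OK [CAPABILITY IMAP4rev1 COMPRESS=DEFLATE] Logged in
C: a2 COMPRESS DEFLATE
S: a2 NO [COMPRESSIONACTIVE] TLS compression already enabled
C: b2 COMPRESS DEFLATE
S: b2 OK Begin compression.
C: c2 COMPRESS DEFLATE
S: * BAD Error in IMAP command
"""

COMMAND = re.compile(r"^(?P<tag>\S+) COMPRESS (?P<mech>\S+)$", re.IGNORECASE)
TAGGED = re.compile(
    r"^(?P<tag>\S+) (?P<status>OK|NO|BAD)(?: \[(?P<code>[^\]]+)\])?(?: (?P<text>.*))?$"
)

def compress_outcomes(transcript):
    """Return (tag, mechanism, verdict, server text) per COMPRESS command."""
    pending = {}   # tag -> mechanism, commands still waiting for a tagged reply
    results = []
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            m = COMMAND.match(line)
            if m:
                pending[m["tag"]] = m["mech"].upper()
            continue
        m = TAGGED.match(line) if side == "S" else None
        if not m or m["tag"] not in pending:
            continue   # untagged data, or a reply to some other command
        mech = pending.pop(m["tag"])
        code = (m["code"] or "").split(" ")[0].upper()
        if m["status"] == "OK":
            verdict = "compressed"
        elif code == "COMPRESSIONACTIVE":
            verdict = "refused-already-compressed"   # the reply seen in this thread
        else:
            verdict = "refused-other"
        results.append((m["tag"], mech, verdict, m["text"] or ""))
    # Commands that never got a tagged reply (connection dropped, log cut off).
    results += [(tag, mech, "no-reply", "") for tag, mech in pending.items()]
    return results

if __name__ == "__main__":
    for row in compress_outcomes(SAMPLE):
        print(*row, sep="\t")
```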
- Timo Sirainen wrote on 15.10.14 at 01:39:
> On 14 Oct 2014, at 16:10, Marc Schiffbauer m@sys4.de wrote:
>> - Timo Sirainen wrote on 15.10.14 at 00:57:
>>> On 14 Oct 2014, at 15:24, Ralf Hildebrandt r@sys4.de wrote:
>>>> We're proxying using 2.2.14~rc1 (on our IMAP Proxy) to two dovecot backend servers running dovecot-2.2.13-r1.
>>>> When we're using Thunderbird to connect to the dovecot proxy, we're getting the message "The mail server for account ACCOUNTNAME responded: [COMPRESSIONACTIVE] TLS compression already enabled"
>>>> But why?
>>> Is the connection from proxy to backend using SSL? Did this work in an earlier Dovecot version?
>> I talked to Ralf about this issue today. Yes, proxy to backend is using ssl. And yes when proxy is talking to a 2.1.17 backend there is no issue.
> Right .. If the TLS connection already has compression enabled, Dovecot will refuse the COMPRESS command. But it should be checking this against the original client's TLS connection and not the proxy's. As a workaround you could set in Dovecot backends "ssl_options = no_compression". I'll try to figure out how this should be fixed properly.
Timo, thanks for the workaround. After finding out that this requires 2.2.14 too (had 2.2.13 before) it works like a charm now.
-Marc