[Dovecot] IMAP STARTTLS Problem
Hello,
I have this problem:
May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
Connecting via Thunderbird to STARTTLS won't work, but with a website
from the same server it works for tls://opsys.de.
So why is the port closed for external IPs?
IPTABLES entry for imap is this:
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
Key files are correct, TLS is working from localhost.
System is Debian squeeze.
-- Markus Fritz Administration
opsys.de
Hi,
STARTTLS refers to a client connecting on the normal, plaintext IMAP port, 143, and then issuing a STARTTLS command, starting a TLS session. I am able to connect from my computer to your IMAP server using STARTTLS using this command:
openssl s_client -starttls imap -connect 78.46.216.126:143
Your server seems to not be listening on ports 993 and 995 for imaps and pop3s, respectively, where a TLS session is started immediately when the connection is initiated.
If you are using dovecot 2, you need to have something like the following in your config:
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
(The commented out lines represent the defaults, you uncomment them only if you want to change them)
For dovecot 1.2, you need a line like this:
protocols = imap imaps pop3 pop3s
On 5/5/2012 3:06 PM, Markus Fritz wrote:
> Hello,
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
> Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
> So why is the port closed for external IPs?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
> Key files are correct, TLS is working from localhost.
> System is Debian squeeze.
On 05.05.2012 21:06, Markus Fritz wrote:
> Hello,
> I have this problem:
> May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
> Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
> So why is the port closed for external IPs?
> IPTABLES entry for imap is this:
> fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
> Key files are correct, TLS is working from localhost.
> System is Debian squeeze.
Thunderbird says 'tls not available due temporary reason' now.
Dovecot.conf: http://pastie.org/private/64sbirlohqnflz74isf4a
-- Markus Fritz Administration
opsys.de
On 5/5/2012 3:49 PM, Markus Fritz wrote:
> Thunderbird says 'tls not available due temporary reason' now.
Let's take a more detailed look at this. Are you telling Thunderbird to connect on STARTTLS on port 143, or SSL/TLS on port 993? From here I still see no difference. I'm able to connect to you on port 143 and do STARTTLS, port 993 says connection refused. If you don't have a firewall causing this, it means your server is not listening on this port.
- Markus Fritz markus.fritz@opsys.de:
> On 05.05.2012 21:06, Markus Fritz wrote:
> > Hello,
> > I have this problem:
> > May 5 21:02:35 opsys dovecot: imap-login: Disconnected (no auth attempts): rip=84.150.52.31, lip=78.46.216.126
> > Connecting via Thunderbird to STARTTLS won't work, but with a website from the same server it works for tls://opsys.de.
> > So why is the port closed for external IPs?
> > IPTABLES entry for imap is this:
> > fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
> > Key files are correct, TLS is working from localhost.
> > System is Debian squeeze.
> Thunderbird says 'tls not available due temporary reason' now.
Assuming your server cert is located in /etc/ssl/certs/ca-certificates.crt try this on your server:
openssl s_client -starttls imap -CAfile /etc/ssl/certs/ca-certificates.crt -connect localhost:143
Use "2 logout" to get out of the session.
If it works, try the same from your client host.
Does it work both times?
p@rick
-- state of mind ()
Franziskanerstraße 15 Telefon +49 89 3090 4664 81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
participants (3)
- Gedalya
- Markus Fritz
- Patrick Ben Koetter
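The thread distinguishes STARTTLS on the plaintext port (143) from a listener that starts TLS immediately (993), and "connection refused" from a TLS failure. The following is an added example, not code from any message in the thread: a probe that reports which of those cases applies to each port. The function name `probe_imap_tls` and its status strings are this example's own.

```python
import socket
import ssl

def _tagged_reply(reader, tag):
    """Read response lines up to and including the tagged completion."""
    lines = []
    while not (lines and lines[-1].startswith(tag + " ")):
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("ascii", "replace").strip())
    return lines

def probe_imap_tls(host, port, starttls, ctx=None, timeout=5.0):
    """starttls=True: plaintext, then upgrade (143). False: TLS at once (993)."""
    ctx = ctx or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if starttls:
                reader = sock.makefile("rb")
                reader.readline()  # untagged "* OK ..." greeting
                sock.sendall(b"a1 CAPABILITY\r\n")
                caps = " ".join(_tagged_reply(reader, "a1")).upper().split()
                if "STARTTLS" not in caps:
                    return "no-starttls"
                sock.sendall(b"a2 STARTTLS\r\n")
                done = _tagged_reply(reader, "a2")[-1].upper()
                if not done.startswith("A2 OK"):
                    return "starttls-rejected"
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"  # handshake and certificate check passed
    except ConnectionRefusedError:
        return "refused"  # nothing listening on this port, or a firewall REJECT
    except socket.timeout:
        return "timeout"  # commonly a firewall silently dropping packets
    except ssl.SSLError:
        return "tls-failed"  # handshake or certificate verification failed
    except OSError:
        return "io-error"

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # hostname of a mail server you administer
    print("143 STARTTLS:", probe_imap_tls(host, 143, starttls=True))
    print("993 implicit:", probe_imap_tls(host, 993, starttls=False))
```

A result of `tls-ok` on 143 together with `refused` on 993 matches what the second reply in the thread reports seeing from outside.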