[Dovecot] help debugging TLS

[Thorbjorn Axelsson]

On Aug 16, 2006, at 9:29 AM, Richard wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> hi,
>
> i've built dovecot latest cvs on OSX 10.4.7.  i'm making a 1st  
> attempt @
> trying/failing to get TLS operation up-n-running ...
>
<snip>
> i've config'd for ssl/tls w/:
>
> 	...
> 	listen =     10.0.0.6
> 	ssl_listen = 10.0.0.6
> 	ssl_disable = no
>
> 	verbose_ssl = yes
> 	auth_verbose = yes
> 	auth_debug = yes
>
> 	disable_plaintext_auth = no
>
> 	ssl_cert_file =
> /var/MailServer/Data/CERTS/mail.testdomain.com.cert.rsa.pem
> 	ssl_key_file =
> /var/MailServer/Data/CERTS/mail.testdomain.com.privkey.rsa.pem
> 	ssl_ca_file =    /var/MailServer/Data/CERTS/main.CA.cert.rsa.pem
>
> 	ssl_verify_client_cert = no
> 	ssl_parameters_regenerate = 24
> 	ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> 17	...
>
>
>

> on test via telnet, i see:
>
>
> 	% telnet 10.0.0.6 143
> 		Trying 10.0.0.6...
> 		Connected to mail.testdomain.com.
> 		Escape character is '^]'.
> 		* OK mail.testdomain.com Dovecot IMAP4 v1.0cvs server ready
> 	1 capability
> 		* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND
> UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS
> AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> 		1 OK Capability completed.
> 		...
>
>
> but, a test with:
>
> 	% openssl s_client -connect 10.0.0.6:143

On port 143 you have an imap with starttls, i.e. plaintext until  
STARTTLS has been issued. Unfortunately openssl s_client (not mine at  
least) support imap (only smtp and pop3), but for smtp I would use  
something like this

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

You should have an imap with ssl/tls on port 993, however.

/Thorbjorn