[Dovecot] RESOLVED Re: Unsuccessful POP sessions on dovecot-1.0.3-13_60
Patrick Ben Koetter
p at state-of-mind.de
Tue Jun 3 00:16:52 EEST 2008
* Patrick Ben Koetter <p at state-of-mind.de>:
> * Timo Sirainen <dovecot at dovecot.org>:
> > On Thu, 2008-05-29 at 16:16 +0200, Patrick Ben Koetter wrote:
> > > What I see is that the client seems to try to retrieve the same mails
> > > (retr=5/448621) over and over again.
> > >
> > > If they login using IMAP they don't experience any problems.
> > >
> > > Any idea what this could be?
> > > Rumor has it it's a known problem with Outlook Express and its POP
> > > implementation. Is that rumor or a fact?
> > Have you already enabled all the pop3 workarounds? If yes, enable rawlog
> > (http://wiki.dovecot.org/Debugging/Rawlog) and see if there's anything
> > special.
> Yes, I have enabled the workarounds.
> New report indicates there's something wrong with ports. They had 110 closed
> (to force usage of 995). Once they reopened 110 things went back to normal.
> I haven't had time yet to examine this, but as soon as I have news I will post
> it here too.

The short answer is a classic: MTU

The long answer is: MTU, but not as one (I) would usually suspect ...

Turns out, they have been using POP3s for a long time without problems.
Problems started when the CA had to be renewed and all the certificates too.
The new certificates are valid.

If it was an MTU problem it should have shown up also when using TLS with the
old CA, right?

So what's the difference?

The difference between the old and new certificates is the cipher length. It
used to be 512 and it is 4096 now. This seems (I didn't measure) to have such
an impact on packets that they got (too) fragmented and the MTU asynchronicity,
which had always been there before, began to have a significant effect.

If someone has a better explanation for this, please feel free to
elaborate. The only difference I can tell is the cipher length and that I
think it has an effect on IP packet sizes.

We called up the ISP, asked for their MTU, adjusted that on the client side
and things went back to normal.

p at rick
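
An added illustration of the effect described in the message above (not part of the original post or of Dovecot): it parses a TLS server handshake flight, reports the Certificate message size, and checks whether the flight produces a packet larger than a smaller path MTU. The certificate sizes, the 1492-byte path MTU, and all function names are constructed assumptions; `endpoint_mtu` stands for the MTU from which the MSS in use is derived.

```python
import struct

HANDSHAKE, CERTIFICATE = 22, 11   # TLS record content type / handshake message type
IP_TCP_HEADERS = 40               # IPv4 + TCP headers without options

def handshake_messages(stream: bytes):
    """Return [(msg_type, body_len)] for handshake messages in a raw TLS record stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):                      # record: type, version, length
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        frag = stream[pos + 5:pos + 5 + rlen]
        if len(frag) < rlen:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:                         # messages may span records
            buf += frag
        pos += 5 + rlen
    msgs, pos = [], 0
    while pos + 4 <= len(buf):                         # message: type, 24-bit length
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(buf):
            raise ValueError("truncated handshake message")
        msgs.append((buf[pos], mlen))
        pos += 4 + mlen
    return msgs

def largest_packet(flight_len: int, endpoint_mtu: int) -> int:
    """Size of the biggest IP packet the sender emits for a flight of flight_len bytes."""
    mss = endpoint_mtu - IP_TCP_HEADERS
    return min(flight_len, mss) + IP_TCP_HEADERS

def exceeds_path(stream: bytes, endpoint_mtu: int, path_mtu: int) -> bool:
    """True if the flight yields a packet that a path_mtu hop cannot forward unfragmented."""
    return largest_packet(len(stream), endpoint_mtu) > path_mtu

def sample_flight(cert_len: int) -> bytes:
    """Constructed input: ServerHello, Certificate, ServerHelloDone with zero-filled bodies."""
    def msg(mtype, body):
        return bytes([mtype]) + len(body).to_bytes(3, "big") + body
    hs = msg(2, bytes(70)) + msg(CERTIFICATE, bytes(cert_len)) + msg(14, b"")
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # one record (< 2**14 bytes)

if __name__ == "__main__":
    # Certificate sizes and the 1492-byte path MTU are constructed, not measured values.
    for label, cert_len in (("small-key chain", 700), ("large-key chain", 2600)):
        flight = sample_flight(cert_len)
        cert = dict(handshake_messages(flight))[CERTIFICATE]
        print(label, cert, largest_packet(len(flight), 1500), exceeds_path(flight, 1500, 1492))
```

With these constructed sizes the small flight never fills a segment, so a lower path MTU goes unnoticed, while the large flight emits full-size packets; deriving the MSS from the path MTU instead brings the largest packet back within the limit.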