[Dovecot] compressed IMAP traffic

Patrick Domack patrickdk at patrickdk.com
Tue Sep 29 07:56:47 EEST 2009


More testing, seems all my imap clients attempt to use ssl2 first, and  
from the openssl mailing list:

   Oops, should've made this clearer. It is only clients that need to avoid the
   old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be
   done to a server.
   http://www.mail-archive.com/openssl-users@openssl.org/msg49926.html

This is confirmed using openssl s_client -connect host:993 (-ssl3|-tls1|-ssl2)

I don't see any way around this globally, unless each program has a  
config option to disable ssl2.

Quoting Patrick Domack <patrickdk at patrickdk.com>:

> Ok last info.
>
> using OpenSSL 0.9.8g
> openssl s_client -connect host:993
>
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> 1E5412EC32463E66FC75D761A4D48CF6ED416187F32A81F6DAC3DA4E9028E2DE
>     Session-ID-ctx:
>     Master-Key:
> B0E15199867D8B48F31F8776C7E439542F4D1A7B33239814CE0C5FF564CB007DE431E9357DF120E7AF347CD1E934CE83
>     Key-Arg   : None
>    Compression: 1 (zlib compression)
>     Start Time: 1254198546
>     Timeout   : 7200 (sec)
>
>
> Quoting Patrick Domack <patrickdk at patrickdk.com>:
>
>> Just playing some more and noticed using:
>> gnutls-cli (GnuTLS) 2.4.2
>>
>> always says compression isn't supported, even when version 2.0.4   
>> says it was.
>>
>> gnutls-cli 2.4.2 from ubuntu 9.04 x64, Compression: DEFLATE, NULL
>>
>> gnutls-cli 2.0.4 from ubuntu 8.04 x64, Compression: LZO, DEFLATE, NULL
>>
>> I also noticed 2.4.2 would connect using aes-128, whereas 2.0.4 would
>> connect using aes-256
>>
>>
>> Quoting Patrick Domack <patrickdk at patrickdk.com>:
>>
>>> The command I used was:
>>>
>>> gnutls-cli --protocols NORMAL:+COMP-DEFLATE --insecure -p 993
>>>
>>> I have tried the --comp option, but it always fails for me (ubuntu 8.04)
>>>
>>> gnutls-cli (GnuTLS) 2.0.4
>>>
>>> Redhat is 5.3
>>> Freebsd is 6.3
>>>
>>>
>>> Quoting Leonardo Rodrigues <leolistas at solutti.com.br>:
>>>
>>>> Timo Sirainen wrote:
>>>>>
>>>>> And DEFLATE gives the exact same error? LZO isn't supported by OpenSSL.
>>>>>
>>>>>
>>>> yes ... error from DEFLATE and LZO are exactly the same on
>>>> gnutls-cli output and maillog on the CentOS 5.3 box.
>>>>
>>>>> Well, not the same server but looks like this one works too:
>>>>>
>>>>> gnutls-cli --priority NORMAL:+COMP-DEFLATE -p 993 secure.emailsrvr.com
>>>>>
>>>>> And just for fun I tried imap.gmail.com, that didn't support
>>>>> compression.
>>>>>
>>>>
>>>> I had tried imap.gmail.com too :)
>>>>
>>>> interesting findings ..... from CentOS 5.3, I can't get any
>>>> compression method to work:
>>>>
>>>> [root@correio dovecot]# gnutls-cli --insecure -p 993 -p 993
>>>> secure.emailsrvr.com --comp LZO DEFLATE NULL [ ......]
>>>> - Version: TLS 1.0
>>>> - Key Exchange: DHE RSA
>>>> - Cipher: AES 256 CBC
>>>> - MAC: SHA
>>>> - Compression: NULL
>>>>
>>>> but from a Fedora 8 box:
>>>>
>>>> [root@correio ~]# gnutls-cli --insecure -p 993 -p 993
>>>> secure.emailsrvr.com --comp LZO DEFLATE NULL
>>>> [ ......]
>>>> - Version: TLS 1.0
>>>> - Key Exchange: DHE RSA
>>>> - Cipher: AES 256 CBC
>>>> - MAC: SHA
>>>> - Compression: DEFLATE
>>>>
>>>>
>>>> and Fedora 8 OpenSSL is even older than CentOS 5.3 one:
>>>>
>>>> CentOS 5.3:
>>>> [root@correio dovecot]# rpm -qi openssl
>>>> Name        : openssl                      Relocations: (not relocatable)
>>>> Version     : 0.9.8e                            Vendor: CentOS
>>>> Release     : 12.el5                        Build Date: Fri 04 Sep 2009
>>>> 09:33:56 AM BRT
>>>>
>>>> Fedora 8:
>>>> [root@correio ~]# rpm -qi openssl
>>>> Name        : openssl                      Relocations: (not relocatable)
>>>> Version     : 0.9.8b                            Vendor: Fedora Project
>>>> Release     : 17.fc8                        Build Date: Mon 15 Oct 2007
>>>> 07:56:22 PM BRST
>>>>
>>>> probably there's some build option on CentOS that is disabling
>>>> compression. If 0.9.8b on Fedora8 built in October/2007 can do it, so
>>>> 0.9.8e on CentOS 5.3 built on September/2009 should be able to do it
>>>> too ....... oh boy, I really hate those weird compilation options from
>>>> Redhat  .... :\
>>>>
>>>> -- 
>>>>
>>>>
>>>> 	Sincerely,
>>>> 	Leonardo Rodrigues
>>>> 	Solutti Tecnologia
>>>> 	http://www.solutti.com.br
>>>>
>>>> 	gertrudes at solutti.com.br
>>>> 	My SPAMTRAP, do not email it
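
The checks in this thread are done by reading `openssl s_client` and `gnutls-cli` summaries by eye. As an added example (not part of the original messages), the sketch below parses both output formats and reports the negotiated protocol, cipher and compression; the function names `parse_handshake` and `findings` are hypothetical and the sample text is constructed in the formats quoted above.

```python
import re

# Constructed samples in the two output formats quoted in this thread
# (session id and master key left out; they are not needed for the check).
OPENSSL_SAMPLE = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Compression: 1 (zlib compression)
"""
GNUTLS_SAMPLE = """\
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
"""

FIELD = re.compile(r"^[\s>-]*(Protocol|Version|Cipher|Compression)\s*:\s*(.+?)\s*$")
NO_COMPRESSION = {"null", "none"}
LEGACY = {"sslv2", "sslv3", "ssl 2.0", "ssl 3.0"}

def parse_handshake(text):
    """Return protocol, cipher and compression from either tool's summary."""
    out = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = "protocol" if m.group(1) in ("Protocol", "Version") else m.group(1).lower()
            # Later lines win: openssl's SSL-Session block repeats the fields.
            out[key] = re.sub(r"^\d+\s*\((.*)\)$", r"\1", m.group(2))
    return out

def findings(text):
    """List what an auditor would note about the negotiated session."""
    info, notes = parse_handshake(text), []
    if info.get("protocol", "").lower() in LEGACY:
        notes.append("legacy protocol: " + info["protocol"])
    if info.get("compression", "null").lower() not in NO_COMPRESSION:
        notes.append("TLS compression negotiated: " + info["compression"])
    return notes

if __name__ == "__main__":
    for name, sample in (("openssl", OPENSSL_SAMPLE), ("gnutls-cli", GNUTLS_SAMPLE)):
        print(name, parse_handshake(sample), findings(sample))
```

The leading `>` and `-` characters are skipped, so output pasted from a quoted mail can be fed in unchanged.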




