[Dovecot] SSL errors for just one client after updating both dovecot and openssl

Charles Marcus CMarcus at Media-Brokers.com
Mon Feb 25 13:36:58 EET 2013


On 2013-02-23 11:32 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> On 23.02.2013 17:03, Charles Marcus wrote:
>> OpenSSL was 1.0.0j, now updated to 1.0.1c
>> Dovecot was 2.1.13, now updated to 2.1.15

> on which distribution can you update openssl with an ABI-bump
> without re-compiling half of the system?

Gentoo... been using it for over 8 years, and been through LOTS of major 
changes like this with only the occasional problem.

> 1.0.0x is not binary compatible with 1.0.1x, and that is, for example, why Fedora 17 stays at 1.0.0x and Fedora 18 has 1.01x

When something like this does happen, Gentoo automatically rebuilds any 
affected packages - or at least it is supposed to (mistakes happen, 
things get left out/missed)...

>
>> I'm getting a bunch of lines like the following:
>>
>> Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=<>, rip=#.#.#.#,
>> lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<In+cO2bWngCthJz2>
>>
>> where only the session id (and number of seconds for no auth attempts) is different...
> how does your "ssl_cipher_list" look?
> ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH

Using the defaults:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Looks like they are slowly disappearing though... the last one was 12:35 
yesterday. Also, looks like there were two other users/clients affected. 
I called the first one and had him check and he said he wasn't seeing 
any errors or problems on his end. I then had him restart all of his 
mail clients (restarted his phone just to be sure), and after he did 
this these errors disappeared (for his IP).

On 2013-02-24 9:55 AM, Timo Sirainen <tss at iki.fi> wrote:
> Most likely related to the OpenSSL upgrade. Dovecot at least didn't 
> change anything SSL related. You could see if verbose_ssl=yes logs 
> anything interesting. And like Reindl mentioned, ssl_cipher_list is 
> pretty much the only thing in Dovecot's configuration that may be 
> related to this. 

Yeah, I expected it to be related to the openssl upgrade, I was just 
seeing if anyone else had been through it before and whether or not I 
needed to do anything proactively to fix it.

Thanks for the responses,

-- 

Best regards,

Charles


