[Dovecot] SSL errors for just one client after updating both dovecot and openssl
Charles Marcus
CMarcus at Media-Brokers.com
Mon Feb 25 13:36:58 EET 2013
On 2013-02-23 11:32 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> Am 23.02.2013 17:03, schrieb Charles Marcus:
>> OpenSSL was 1.0.0j, now updated to 1.0.1c
>> Dovecot was 2.1.13, now updated to 2.1.15
> on which distribution can you update openssl with an ABI-bump
> without re-compiling half of the system?
Gentoo... been using it for over 8 years, and been through LOTS of major
changes like this with only the occasional problem.
> 1.0.0x is not binary compatible with 1.0.1x and that is, for example, why Fedora 17 stays at 1.0.0x and Fedora 18 has 1.01x
When something like this does happen, gentoo automatically rebuilds any
affected packages - or at least it is supposed to (mistakes happen,
things get left out/missed)...
>
>> I'm getting a bunch of lines like the following:
>>
>> Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=<>, rip=#.#.#.#,
>> lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<In+cO2bWngCthJz2>
>>
>> where only the session id (and number of seconds for no auth attempts) is different...
> how does your "ssl_cipher_list" look?
> ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH
Using the defaults:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Looks like they are slowly disappearing though... the last one was 12:35
yesterday. Also, looks like there were two other users/clients affected.
I called the first one and had him check and he said he wasn't seeing
any errors or problems on his end. I then had him restart all of his
mail clients (restarted his phone just to be sure), and after he did
this these errors disappeared (for his IP).
On 2013-02-24 9:55 AM, Timo Sirainen <tss at iki.fi> wrote:
> Most likely related to the OpenSSL upgrade. Dovecot at least didn't
> change anything SSL related. You could see if verbose_ssl=yes logs
> anything interesting. And like Reindl mentioned, ssl_cipher_list is
> pretty much the only thing in Dovecot's configuration that may be
> related to this.
Yeah, I expected it to be related to the openssl upgrade, I was just
seeing if anyone else had been through it before and whether or not I
needed to do anything proactively to fix it.
Thanks for the responses,
--
Best regards,
Charles
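A triage helper for the log lines discussed in this thread, added here as an example (it is not code from the posters or from Dovecot): it groups `TLS handshaking` failures by `rip` and lists the clients still failing after a given time. The sample lines, addresses, function names and the `year` argument are constructed or assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted above; addresses are
# documentation-range placeholders and session ids are made up.
SAMPLE_LOG = """\
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=<>, rip=203.0.113.10, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<aaaaEXAMPLE1>
Feb 23 10:52:40 myhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4242, TLS, session=<bbbbEXAMPLE2>
Feb 23 11:15:09 myhost dovecot: imap-login: Disconnected (no auth attempts in 31 secs): user=<>, rip=203.0.113.10, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<ccccEXAMPLE3>
Feb 24 12:35:17 myhost dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=203.0.113.25, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<ddddEXAMPLE4>
"""

# Matches only login-process lines that ended during the TLS handshake.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s\S+\sdovecot:\s[\w-]+-login:\s"
    r".*?\brip=(?P<rip>[^,\s]+),.*?TLS handshaking:\s"
    r"(?P<err>.+?)(?:,\ssession=<[^>]*>)?$"
)

def summarize(log_text, year):
    """Group TLS-handshake failures by remote IP (rip)."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "errors": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # successful logins and unrelated lines
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        h = hosts[m["rip"]]
        h["count"] += 1
        h["first"] = min(h["first"] or ts, ts)
        h["last"] = max(h["last"] or ts, ts)
        h["errors"].add(m["err"])
    return dict(hosts)

def still_failing(summary, since):
    """Remote IPs whose most recent handshake failure is at or after `since`."""
    return sorted(rip for rip, h in summary.items() if h["last"] >= since)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, year=2013)
    for rip, h in sorted(report.items()):
        print(f"{rip}: {h['count']} failures, last {h['last']:%b %d %H:%M}, {sorted(h['errors'])}")
    print("still failing:", still_failing(report, datetime(2013, 2, 24)))
```

Run against the real mail log after clients have been restarted, an address that drops out of `still_failing` matches the "errors disappeared (for his IP)" observation above.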