[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Tue Sep 17 16:53:12 EEST 2013


On 2013-09-17 09:08, Jerry wrote:
> On Tue, 17 Sep 2013 09:01:49 -0400
> Dan Langille articulated:
> 
> On 2013-09-17 08:43, Reindl Harald wrote:
> > Am 17.09.2013 14:39, schrieb Dan Langille:
> > On 2013-09-16 20:28, Noel Butler wrote:
> > Since we just ruled this one out, might I suggest you grab the
> > source and build it, install it all under /opt/dovecot  that way it
> > won't interfere with your ports installation and try that, the one
> > you successfully just tested uses dovecot 2.1 not 2.2, so maybe try
> > source of 2.1 and see if it works.
> >
> > I just tried 2.1.16.  The iPhone has no trouble on 143 but on 993,
> > it's just like 2.2
> >
> > But, if it does work on port 143 with TLS I wouldn't worry too much
> > about it
> >
> > tcpdump is showing me raw text going past, so I know I'm not
> > getting TLS on either Dovecot 2.1 or 2.2
> >
> > It seems that TLS is not supported by my client.  Pity.
> >
> > iPhone is the worst mail client on this planet but for sure
> > supports TLS
> >
> > Apple is here the same as Microsoft
> >
> > * remove the account completely
> > * add it again and it will detect that encryption is available
> 
> Done. But tcpdump is still showing me plain text.
> 
> # dovecot -n
> # 2.1.16: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> disable_plaintext_auth = no
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
> args = scheme=BLF-CRYPT /var/db/dovecot.users
> driver = passwd-file
> }
> protocols = imap
> service imap-login {
> inet_listener imap {
> address = 199.233.228.197
> }
> inet_listener imaps {
> address = 199.233.228.197
> port = 0
> }
> }
> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> userdb {
> args = /var/db/dovecot.users
> driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
> 
> Show the entire dump from when you first attempt to make a connection to
> the start of message transmission.

13:22:17.985508 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [S], 
seq 2703590158, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 
773682446 ecr 0,sackOK,eol], length 0
EH.@?. at .3._...U2.........%.................Z.......
..u.........
13:22:17.985579 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[S.], seq 2030926149, ack 2703590159, win 65535, options [mss 
1370,nop,wscale 6,sackOK,TS val 2484342793 ecr 773682446], length 0
yE.%......w......Z.......
...     ..u.
13:22:18.066507 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 1, win 8232, options [nop,nop,TS val 773682522 ecr 2484342793], 
length 0
yF.. (........U2.........%..y
..uZ...
13:22:18.093983 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 1:113, ack 1, win 1039, options [nop,nop,TS val 2484342901 ecr 
773682522], length 112
yF.%......R.......U2....y
...u..uZ* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
13:22:18.224227 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 113, win 8225, options [nop,nop,TS val 773682659 ecr 2484342901], 
length 0
y... !.9......U2.........%..y
..u....u

It was after this that the login details were passed. That was in plain
text, and omitted from this paste.

13:22:18.245486 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 113:432, ack 32, win 1039, options [nop,nop,TS val 2484343053 
ecr 773682667], length 319
y..%..............U2....y
..u.1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS 
THREAD=ORDEREDSUBJECT MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS 
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES 
WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in

13:22:18.311309 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 432, win 8205, options [nop,nop,TS val 773682774 ecr 2484343053], 
length 0
........3.s...U2.........%..y
..vV...
13:22:18.384236 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags 
[P.], seq 32:121, ack 432, win 8205, options [nop,nop,TS val 773682824 
ecr 2484343053], length 89
.!......3.6...U2.........%..y
2 ID ("name" "iPhone Mail" "version" "10B350" "os" "iOS" "os-version" 
"6.1.4 (10B350)")

13:22:18.384634 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 432:462, ack 121, win 1039, options [nop,nop,TS val 2484343192 
ecr 773682824], length 30
z..%..............U2....y
......v.* ID NIL
2 OK ID completed.

13:22:18.455096 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 462, win 8204, options [nop,nop,TS val 773682899 ecr 2484343192], 
length 0
{... ..f......U2.........%..y
..v.....
13:22:18.464945 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags 
[P.], seq 121:136, ack 462, win 8204, options [nop,nop,TS val 773682901 
ecr 2484343192], length 15
{... .........U2.........%..y
..v.....3 LIST "" "*"



-- 
Dan Langille - http://langille.org/
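The trace above shows the pattern that matters from a defender's point of view: the server greeting advertises both STARTTLS and AUTH=PLAIN, and the client logs in without ever issuing STARTTLS. The posted `dovecot -n` output has `disable_plaintext_auth = no`, which is what allows the login to succeed on an unencrypted connection (with Dovecot's default of `yes`, the server advertises LOGINDISABLED until STARTTLS completes and rejects the plaintext LOGIN). The following script is an added example, not code from the thread or from the Dovecot project: it replays a constructed IMAP transcript modelled on the capture, flags any LOGIN or AUTHENTICATE sent before a successful STARTTLS, and checks a `dovecot -n` style dump for the permissive setting. The transcripts, the sample config and the function names `audit_transcript` and `plaintext_auth_allowed` are all assumptions made for the example.

```python
"""Detect IMAP credentials sent before a STARTTLS upgrade (added example).

Constructed transcripts are lists of (side, line) pairs where side is
'C' (client) or 'S' (server); they are not captured from the real session.
"""
import re

# Constructed: mirrors the capture, where LOGIN follows the greeting directly.
SAMPLE_PLAIN = [
    ("S", "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR STARTTLS AUTH=PLAIN] Dovecot ready."),
    ("C", "1 LOGIN user@example.com hunter2"),
    ("S", "1 OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE] Logged in"),
    ("C", '2 ID ("name" "iPhone Mail" "version" "10B350")'),
    ("S", "* ID NIL"),
    ("S", "2 OK ID completed."),
]

# Constructed: the client upgrades first, so LOGIN travels inside TLS.
SAMPLE_TLS = [
    ("S", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."),
    ("C", "1 STARTTLS"),
    ("S", "1 OK Begin TLS negotiation now."),
    ("C", "2 LOGIN user@example.com hunter2"),
    ("S", "2 OK Logged in"),
]

# Constructed dovecot -n excerpt with the permissive setting from the thread.
SAMPLE_CONF = """\
# 2.1.16: /usr/local/etc/dovecot/dovecot.conf
auth_debug = yes
disable_plaintext_auth = no
ssl_cert = </usr/local/etc/ssl/example.crt
ssl_key = </usr/local/etc/ssl/example.key
"""

# IMAP client command: <tag> <command> [arguments]
CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def audit_transcript(lines):
    """Return findings for credentials sent on the unencrypted channel.

    The channel counts as encrypted only once the server answers the
    STARTTLS command's tag with OK; anything before that is cleartext.
    """
    findings = []
    encrypted = False
    pending_starttls_tag = None
    for side, line in lines:
        if side == "C":
            m = CMD_RE.match(line)
            if not m:
                continue
            cmd = m.group("cmd").upper()
            if cmd == "STARTTLS":
                pending_starttls_tag = m.group("tag")
            elif cmd in ("LOGIN", "AUTHENTICATE") and not encrypted:
                findings.append(f"{m.group('tag')} {cmd} sent in cleartext")
        elif pending_starttls_tag and line.startswith(pending_starttls_tag + " OK"):
            encrypted = True
            pending_starttls_tag = None
    return findings


def plaintext_auth_allowed(dovecot_n_output):
    """True when a dovecot -n dump sets disable_plaintext_auth = no.

    dovecot -n prints only non-default values and the default is yes,
    so an absent key means plaintext auth is already refused.
    """
    for raw in dovecot_n_output.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "disable_plaintext_auth":
            return value.strip().lower() == "no"
    return False


if __name__ == "__main__":
    print("cleartext session:", audit_transcript(SAMPLE_PLAIN))
    print("STARTTLS session:", audit_transcript(SAMPLE_TLS))
    print("plaintext auth allowed by config:", plaintext_auth_allowed(SAMPLE_CONF))
```

On the server side the corresponding fix is to drop the `disable_plaintext_auth = no` line (or set `ssl = required`) so that a client which skips STARTTLS is refused rather than silently logged in; the transcript check is useful for confirming, from a capture like the one above, which of the two the client actually did.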

