Dovecot 2.2.27 & windows 10 outlook (no auth attempts in 0 secs) error.

Mart Pirita sysadmin at e-positive.ee
Mon Dec 12 18:05:50 UTC 2016


Edit: Maybe it's the DH file issue (like
https://i-mscp.net/index.php/Thread/10005-Notice-SSL-for-services-with-Courier-Windows-10-issue/),
so added to the conf:

ssl_dh_parameters_length = 2048

Removed the old file /usr/var/lib/dovecot/ssl-parameters.dat and dovecot
generated a new file. Still the same error.

Started to look at file timestamps and found the reason. I have a RH based
custom distro and I'm using a self-compiled openssl, simple make, without
any special options:

./config --prefix=/usr/local/ssl &&
make &&
make install


And at some point, after building dovecot 2.2.24, I built a new openssl,
openssl-1.0.1t, and with this and also with the latest openssl-1.0.2j dovecot
builds fine but doesn't work with windows 10. So finally I built the latest
openssl-0.9.8zh and dovecot 2.2.27 against it and windows 10 works like
a charm.

But I'm still curious why the latest openssl and latest dovecot don't work
for windows 10, as the new openssl should even provide more options than the older one.

/usr/local/ssl/bin/openssl version -a
OpenSSL 0.9.8za 5 Jun 2014
built on: Wed Aug  6 15:45:46 EEST 2014
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM
-DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/local/ssl/ssl"

/usr/local/ssl/bin/openssl version -o
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
idea(int) blowfish(idx)

##################

/usr/local/ssl/bin/openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-elf
options:  bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
-DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM
-DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl/ssl"

/usr/local/ssl/bin/openssl version -o
options:  bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int)
blowfish(idx)


###############


Edit: When using win8, logs started to appear in dovecot.rawlog. But
as win10 gives an error at the ssl level, before user authentication, no
debug logs are written into the user's dovecot.rawlog folder.

So how to debug this ssl issue?


Aki Tuomi wrote:
> https://wiki2.dovecot.org/Debugging/Rawlog
>
> can you try this to get rawlogs to find out what happens?
>
> Aki

I'm a bit confused about how this rawlog works. I did:

doveadm user -u kaka
userdb: kaka
  user      : kaka
  system_groups_user: kaka
  uid       : 566
  gid       : 566
  home      : /home/kaka

ls -al /home/kaka
total 16
drwx------    4 kaka     kaka         4096 Dec 12 15:36 .
drwxr-xr-x   12 root     root         4096 Dec 12 12:41 ..
drwx------    2 kaka     kaka         4096 Dec 12 12:41 dovecot.rawlog
drwx------    2 kaka     kaka         4096 Dec 12 12:41 Maildir

Added into dovecot.conf:

protocol imap {
  rawlog_dir = /tmp/rawlog/%u
}

service imap {
  executable = imap postlogin
}

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}

But /tmp/rawlog/kaka/ and /home/kaka/dovecot.rawlog/ are empty. What did
I miss?


The whole conf:

listen = *
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_group_events = no
  mail_log_fields = uid box msgid size from subject vsize
}
login_log_format_elements = %u %r %m %c
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
   port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
  executable = imap postlogin
}
service pop3 {
}
service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}
service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
disable_plaintext_auth = no
auth_cache_size = 1024
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 1 hour
auth_failure_delay = 60 secs
auth_mechanisms = plain login
passdb {
  driver = pam
  args = cache_key=%u%r%s *
}
userdb {
  driver = passwd
}
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib/dovecot
mail_plugins = $mail_plugins mail_log notify
maildir_very_dirty_syncs = yes
protocol imap {
  mail_max_userip_connections = 90
  imap_logout_format = bytes=%i/%o
  imap_client_workarounds = tb-extra-mailbox-sep delay-newmail
  rawlog_dir = /tmp/rawlog/%u
}
protocol pop3 {
  pop3_logout_format = bytes=%i/%o, del=%d/%m, size=%s
  mail_max_userip_connections = 9
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3
plugin {
}
plugin {
}
plugin {
}
plugin {
}
plugin {
}
plugin {
}
plugin {
}


-- 
Mart
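
Added example, not part of the original message: the failure described above happens in the TLS handshake on port 993, before login, so one way to look at that stage is to run `openssl s_client` against the listener and reduce its output to protocol, cipher and ephemeral DH size (the `ssl_dh_parameters_length` question raised in the post). The function names, the `OPENSSL` variable and the sample excerpts are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): summarize what a TLS handshake
# negotiated, from `openssl s_client` output, before any IMAP login happens.
OPENSSL=${OPENSSL:-openssl}   # e.g. /usr/local/ssl/bin/openssl for a self-built copy

# Reduce s_client output on stdin to one summary line.
summarize_handshake() {
    awk '
        /^ *Protocol *:/    { sub(/^[^:]*: */, ""); proto = $0 }
        /^ *Cipher *:/      { sub(/^[^:]*: */, ""); cipher = $0 }
        /^Server Temp Key:/ { sub(/^[^:]*: */, ""); tmpkey = $0 }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "handshake=FAILED"; exit
            }
            line = "handshake=OK protocol=" proto " cipher=" cipher
            # "DH, 1024 bits" -> dh_bits=1024 (line is printed by OpenSSL 1.0.2+)
            if (tmpkey ~ /^DH, [0-9]+ bits/) {
                split(tmpkey, f, /[ ,]+/); line = line " dh_bits=" f[2]
            }
            print line
        }'
}

# probe HOST:PORT [s_client flags...]  (needs network access to the server)
probe() {
    target=$1; shift
    "$OPENSSL" s_client -connect "$target" "$@" </dev/null 2>&1 | summarize_handshake
}

# One attempt per protocol version, plus one restricted to ephemeral-DH suites.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-9s' "$flag"; probe "$1" "$flag"
    done
    printf '%-9s' "EDH"; probe "$1" -cipher EDH
}

# Constructed s_client excerpts, not captured from the poster's server.
SAMPLE_DHE='Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

if [ "$#" -gt 0 ]; then
    probe_all "$1"                      # HOST:993 of your own server
else
    printf '%s\n' "$SAMPLE_DHE"  | summarize_handshake
    printf '%s\n' "$SAMPLE_FAIL" | summarize_handshake
fi
```

Run with the server's `host:993` as the only argument to probe it; with no argument it only summarizes the two constructed excerpts.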



