SSL problem - no banner
Joseph Tam
jtam.home at gmail.com
Tue May 30 23:27:38 EEST 2017
Marcio Merlone <marcio.merlone at a1.ind.br> writes:
> Only openssl s_client -connect localhost:993 works fine and fast, while
> all MUA's and telnet does not. Telnet timeouts waiting for banner after
> a minute or so:
>
> root at netuno:~# openssl s_client -connect localhost:993
> ...
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
> ...
> root at netuno:~# telnet localhost 993
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> (about 1 minute later...)
> Connection closed by foreign host.
You misundertand how SSL (or TLS) vs STARTTLS works.
SSL/TLS (on port 993) starts negotiating a secure session protocol right
after connection, which involves binary exchange of data, certificates,
etc.. This is what "openssl s_client ..." does, but telnet does not.
Only after the SSL handshake completes will you get banners, etc.
STARTTLS starts out as a unencrypted session and thus, you'll get the
initial banner. The client is then expected to initiate a secure session
by issuing a STARTTLS directive, whereupon client and server starts the
secure session negotiation like above. To test this, you would use
openssl s_client -starttls imap -connect localhost:143
So telnet doesn't work because it does not do SSL. Your MUA don't work
because of the same misunderstanding, or there's some network issue
at play.
You need to align your clients to use the security protocol you've
enabled.
Joseph Tam <jtam.home at gmail.com>
More information about the dovecot
mailing list