Emerging to courier-imap-5.0.7 results in non-SSL or "Use TLS" accounts connecting to pop3d simply 'connecting', but no credentials are passed. No errors are reported, and the mail client will either end the transaction or report errors connecting to the server. pop3-ssl connections are fine. imapd connections are fine. After rolling back to courier-imap-4.18.2, connections work again. Services were restarted prior to any testing.
I think the issue is with STARTTLS. My mail client is showing "Socket error after the SSL/TLS negotiation". Again, after rolling back, the problem goes away.
Can you check the value of TLS_DHPARAMS under /etc/courier-imap? The value should be changed to /etc/courier-imap/dhparams.pem (maybe previously it was set to /usr/share/dhparams.pem). Check also that /etc/courier-imap/dhparams.pem exists. The cron job should update it every month. Report here if something is still wrong after these checks.
This is what I see for the TLS_DHPARAMS var in imapd-ssl and pop3d-ssl:

imapd-ssl:TLS_DHPARAMS=/etc/courier-imap/dhparams.pem
pop3d-ssl:TLS_DHPARAMS=/etc/courier-imap/dhparams.pem

Verified that dhparams.pem is where it's supposed to be:

ls -al /etc/courier-imap/dhparams.pem
-rw-r--r-- 1 root root 424 Oct 27 12:57 /etc/courier-imap/dhparams.pem

Restarted all services (imapd, imapd-ssl, pop3d, pop3d-ssl) and the socket errors still happen. Rolled back to 4.18.2 and all is working again.
Can you analyze the output of openssl s_client -debug -starttls pop3 -connect 127.0.0.1:110 and see if you see something strange?
Okay... I think we're getting closer.

openssl s_client -debug -starttls pop3 -connect 127.0.0.1:110
CONNECTED(00000004)
read from 0x7f456ebd1f60 [0x7f456eb280e0] (8192 bytes => 18 (0x12))
0000 - 2b 4f 4b 20 48 65 6c 6c-6f 20 74 68 65 72 65 2e   +OK Hello there.
0010 - 0d 0a                                             ..
write to 0x7f456ebd1f60 [0x7fff35366830] (6 bytes => 6 (0x6))
0000 - 53 54 4c 53 0d 0a                                 STLS..
read from 0x7f456ebd1f60 [0x7f456eb260d0] (8192 bytes => 36 (0x24))
0000 - 2b 4f 4b 20 42 65 67 69-6e 20 53 53 4c 2f 54 4c   +OK Begin SSL/TL
0010 - 53 20 6e 65 67 6f 74 69-61 74 69 6f 6e 20 6e 6f   S negotiation no
0020 - 77 2e 0d 0a                                       w...
write to 0x7f456ebd1f60 [0x7f456ebfa1f0] (293 bytes => 293 (0x125))
0000 - 16 03 01 01 20 01 00 01-1c 03 03 83 c4 3e da 22   .... ........>."
0010 - ec 28 e2 ce d4 00 09 59-2f 80 9f cc 16 55 e1 9a   .(.....Y/....U..
0020 - 60 e9 13 de 17 53 2c 51-f1 86 2b 20 ad b4 34 b0   `....S,Q..+ ..4.
0030 - 9d 40 33 3c 92 8f 61 82-32 8e 43 14 40 91 b7 14   .@3<..a.2.C.@...
0040 - d6 49 5e 68 3b 7c 16 a3-8d 98 7e 0b 00 3e 13 02   .I^h;|....~..>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 95   ...=.<.5./......
0090 - 13 0b 00 04 03 00 01 02-00 0a 00 0c 00 0a 00 1d   ................
00a0 - 00 17 00 1e 00 19 00 18-00 23 00 00 00 16 00 00   .........#......
00b0 - 00 17 00 00 00 0d 00 30-00 2e 04 03 05 03 06 03   .......0........
00c0 - 08 07 08 08 08 09 08 0a-08 0b 08 04 08 05 08 06   ................
00d0 - 13 01 05 01 06 01 03 03-02 03 03 01 02 01 03 02   ................
00e0 - 02 02 04 02 05 02 06 02-00 2b 00 09 08 03 04 03   .........+......
00f0 - 03 03 02 03 01 00 2d 00-02 01 01 00 33 00 26 00   ......-.....3.&.
0100 - 24 00 1d 00 20 e4 c0 10-72 be 0d 8e 04 fa 7f 0c   $... ...r.......
0110 - 13 bb c0 5e 01 48 56 f7-82 2a bd c6 04 54 25 fc   %..^.HV..*...T%.
0120 - 20 dc 88 e6 1d                                    ....
read from 0x7f456ebd1f60 [0x7f456ebf0fd3] (5 bytes => 5 (0x5))
0000 - 2d 45 52 52 20                                    -ERR
139936157857600:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 59 bytes and written 299 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x7f456ebd1f60 [0x7f456eb260d0] (8192 bytes => 145 (0x91))
0000 - 53 54 41 52 54 54 4c 53-20 66 61 69 6c 65 64 3a   STARTTLS failed:
0010 - 20 69 70 3d 5b 31 32 37-2e 30 2e 30 2e 31 5d 2c    ip=[127.0.0.1],
0020 - 20 63 6f 75 72 69 65 72-74 6c 73 3a 20 2f 76 61    couriertls: /va
0030 - 72 2f 6c 69 62 2f 63 6f-75 72 69 65 72 2d 69 6d   r/lib/courier-im
0040 - 61 70 2f 63 6f 75 72 69-65 72 73 73 6c 69 6d 61   ap/couriersslima
0050 - 70 63 61 63 68 65 3a 20-50 65 72 6d 69 73 73 69   pcache: Permissi
0060 - 6f 6e 20 64 65 6e 69 65-64 0a 69 70 3d 5b 31 32   on denied.ip=[12
0070 - 37 2e 30 2e 30 2e 31 5d-2c 20 63 6f 75 72 69 65   7.0.0.1], courie
0080 - 72 74 6c 73 3a 20 2f 65-74 63 2f 63 6f 75 72 0d   rtls: /etc/cour.
0090 - 0a                                                .
read from 0x7f456ebd1f60 [0x7f456eb260d0] (8192 bytes => 69 (0x45))
0000 - 2d 45 52 52 20 49 6e 76-61 6c 69 64 20 63 6f 6d   -ERR Invalid com
0010 - 6d 61 6e 64 2e 0d 0a 2d-45 52 52 20 49 6e 76 61   mand...-ERR Inva
0020 - 6c 69 64 20 63 6f 6d 6d-61 6e 64 2e 0d 0a 2d 45   lid command...-E
0030 - 52 52 20 49 6e 76 61 6c-69 64 20 63 6f 6d 6d 61   RR Invalid comma
0040 - 6e 64 2e 0d 0a                                    nd...
read from 0x7f456ebd1f60 [0x7f456eb260d0] (8192 bytes => 0 (0x0))

So it looks like it can't access /var/lib/courier-imap/couriersslimapcache. Not sure who the 'user' is, but it's owned by root.

ls -al /var/lib/courier-imap
drwxr-xr-x  2 root root   4096 Oct 28 18:38 .
drwxr-xr-x 26 root root   4096 Jan 18  2018 ..
-rw-r--r--  1 root root      0 Oct 28 18:30 .keep_net-mail_courier-imap-0
-rw-------  1 root root 524288 Oct 28 03:00 couriersslcache
-rw-------  1 root root 524288 Oct 28 04:10 couriersslimapcache

Changing permissions to 644 on couriersslimapcache returns the same error - permission denied. Directory is 755.
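The s_client capture above has the tell-tale shape of this failure: the server accepts STLS with "+OK Begin SSL/TLS negotiation now.", but what comes back after the ClientHello is a plaintext "-ERR STARTTLS failed: ..." line instead of a TLS record, which OpenSSL reports as "wrong version number" and then hides the useful text. As an added example (not part of this bug report and not Courier code), the Python script below does the STLS exchange by hand, builds the ClientHello through an in-memory BIO so the raw reply can be inspected, and classifies what the server sent; the fake server, its port and its error text are constructed to imitate the captured output.

```python
"""Probe a POP3 server's STLS behaviour: tell a real TLS handshake apart from a
plaintext error sent after "+OK Begin SSL/TLS negotiation now.".
Added example for this thread, not Courier code.  The fake server below and its
error text are constructed to imitate the exchange captured in the report."""
import socket
import ssl
import threading


def _read_line(sock):
    """Read one CRLF-terminated POP3 line; returns bytes without the CRLF."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\r\n")


def _client_hello():
    """Let OpenSSL build a ClientHello into a MemoryBIO.  Sending it ourselves
    (instead of wrap_socket) keeps the raw reply readable when it is not TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # only the first reply bytes matter here
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: ClientHello now sits in 'outgoing'
    return outgoing.read()


def probe_stls(host, port, timeout=5.0):
    """Return {'kind': ..., 'detail': ...}.
    kind: 'refused'   greeting or STLS answered with -ERR
          'tls'       first reply byte is a TLS handshake record (0x16)
          'plaintext' the ClientHello was answered in clear text
          'closed'    the server hung up without answering"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = _read_line(s)
        if not greeting.startswith(b"+OK"):
            return {"kind": "refused", "detail": greeting.decode("latin-1")}
        s.sendall(b"STLS\r\n")
        reply = _read_line(s)
        if not reply.startswith(b"+OK"):
            return {"kind": "refused", "detail": reply.decode("latin-1")}
        s.sendall(_client_hello())
        first = s.recv(4096)
        if not first:
            return {"kind": "closed", "detail": ""}
        if first[:1] == b"\x16":
            return {"kind": "tls", "detail": "TLS handshake record received"}
        # Not TLS: drain what the server says in clear text (e.g. the
        # couriertls error that pop3d relays) and hand it back verbatim.
        chunks = [first]
        s.settimeout(1.0)
        try:
            while True:
                more = s.recv(4096)
                if not more:
                    break
                chunks.append(more)
        except socket.timeout:
            pass
        return {"kind": "plaintext", "detail": b"".join(chunks).decode("latin-1")}


def start_fake_pop3(responder):
    """Constructed test scaffolding: serve one connection on an ephemeral
    127.0.0.1 port with the given responder, then stop.  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"+OK Hello there.\r\n")
            conn.recv(64)           # the client's STLS command
            responder(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def broken_couriertls(conn):
    """Imitates this bug: STLS is accepted, the helper cannot open its files,
    and pop3d relays the error in clear text after the ClientHello."""
    conn.sendall(b"+OK Begin SSL/TLS negotiation now.\r\n")
    conn.recv(4096)                 # swallow the ClientHello
    conn.sendall(b"-ERR STARTTLS failed: ip=[127.0.0.1], couriertls: "
                 b"/var/lib/courier-imap/couriersslcache: Permission denied\r\n"
                 b"-ERR Invalid command.\r\n")


def stls_refused(conn):
    """A server that does not offer STLS at all (constructed)."""
    conn.sendall(b"-ERR TLS not available\r\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # usage: probe.py HOST PORT
        print(probe_stls(sys.argv[1], int(sys.argv[2])))
    else:
        print(probe_stls("127.0.0.1", start_fake_pop3(broken_couriertls)))
```

Run against a real host the script reports 'tls' for a working server; a 'plaintext' result carries the server's own explanation, which is exactly the text s_client buried under the "wrong version number" error in the capture above.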
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache

I have this line in both /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl, and the file is owned by root, -rw-------.
Me too....

cat /etc/courier-imap/imapd-ssl | grep TLS_CACHEFILE
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
TLS_CACHEFILE=/var/lib/courier-imap/couriersslpop3cache

cat /etc/courier-imap/pop3d-ssl | grep TLS_CACHEFILE
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
TLS_CACHEFILE=/var/lib/courier-imap/couriersslimapcache

ls -al /var/lib/courier-imap/couriersslimapcache
-rw-r--r-- 1 root root 524288 Oct 28 04:10 /var/lib/courier-imap/couriersslimapcache

I changed it to 644 to test. I also created a new pop3d.pem, thinking the dhparams bit might be a problem. I made it with 4096 bits, and the problem persists. I think the problem might be before the TLS_CACHEFILE error, because of this info:

139936157857600:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 59 bytes and written 299 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Which led me to recreate the pop3d.pem. I definitely do not get this message when I roll back to the older version:

139936157857600:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Also wanted to provide USE flags and versions for openssl and courier-imap in case there is a clue there:

[ebuild R ] dev-libs/openssl-1.1.1d-r2:0/1.1::gentoo USE="asm zlib -bindist -rfc3779 -sctp -sslv3 -static-libs -test -tls-heartbeat -vanilla" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 8639 KiB
[ebuild R ] net-mail/courier-imap-5.0.7::gentoo USE="berkdb gdbm -debug* -fam -gnutls -ipv6 -libressl (-selinux) -trashquota" 0 KiB
Sorry... didn't read that carefully. I changed it to couriersslcache.

cat /etc/courier-imap/imapd-ssl | grep TLS_CACHEFILE
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
#TLS_CACHEFILE=/var/lib/courier-imap/couriersslpop3cache
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache

cat /etc/courier-imap/pop3d-ssl | grep TLS_CACHEFILE
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
#TLS_CACHEFILE=/var/lib/courier-imap/couriersslimapcache
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache

ls -al /var/lib/courier-imap/couriersslcache
-rw------- 1 root root 524288 Oct 28 03:00 /var/lib/courier-imap/couriersslcache

Restarted courier-authlib and did the openssl test, and same problem.

openssl s_client -debug -starttls pop3 -connect 127.0.0.1:110
CONNECTED(00000004)
read from 0x7f93893acf60 [0x7f93893030e0] (8192 bytes => 18 (0x12))
0000 - 2b 4f 4b 20 48 65 6c 6c-6f 20 74 68 65 72 65 2e   +OK Hello there.
0010 - 0d 0a                                             ..
write to 0x7f93893acf60 [0x7fffdc9eab50] (6 bytes => 6 (0x6))
0000 - 53 54 4c 53 0d 0a                                 STLS..
read from 0x7f93893acf60 [0x7f93893010d0] (8192 bytes => 36 (0x24))
0000 - 2b 4f 4b 20 42 65 67 69-6e 20 53 53 4c 2f 54 4c   +OK Begin SSL/TL
0010 - 53 20 6e 65 67 6f 74 69-61 74 69 6f 6e 20 6e 6f   S negotiation no
0020 - 77 2e 0d 0a                                       w...
write to 0x7f93893acf60 [0x7f93893d51f0] (293 bytes => 293 (0x125))
0000 - 16 03 01 01 20 01 00 01-1c 03 03 5f c1 f0 bc 12   .... ......_....
0010 - 30 e9 ff 4a e5 dd 09 dd-d6 ca c1 17 04 86 5e 50   0..J..........^P
0020 - 5c eb 22 f3 82 da 6a 66-9b 42 c3 20 db 82 63 74   \."...jf.B. ..ct
0030 - 03 ed 22 07 6d cb dc 8d-dd 86 a9 ba 2f e1 49 62   ..".m......./.Ib
0040 - 50 a0 97 ae 80 02 14 fb-ca d2 c9 88 00 3e 13 02   P............>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 95   ...=.<.5./......
0090 - 00 0b 00 04 03 00 01 02-00 0a 00 0c 00 0a 00 1d   ................
00a0 - 00 17 00 1e 00 19 00 18-00 23 00 00 00 16 00 00   .........#......
00b0 - 00 17 00 00 00 0d 00 30-00 2e 04 03 05 03 06 03   .......0........
00c0 - 08 07 08 08 08 09 08 0a-08 0b 08 04 08 05 08 06   ................
00d0 - 04 01 05 01 06 01 03 03-02 03 03 01 02 01 03 02   ................
00e0 - 02 02 04 02 05 02 06 02-00 2b 00 09 08 03 04 03   .........+......
00f0 - 03 03 02 03 01 00 2d 00-02 01 01 00 33 00 26 00   ......-.....3.&.
0100 - 24 00 1d 00 20 1b 27 74-0f 97 cf e0 52 56 86 c5   $... .'t....RV..
0110 - a9 b5 ca b7 f2 09 fa 72-10 9c 70 7f 6e b7 12 7e   .......r..p.n..~
0120 - 64 88 dd b7 49                                    d...I
read from 0x7f93893acf60 [0x7f93893cbfd3] (5 bytes => 5 (0x5))
0000 - 2d 45 52 52 20                                    -ERR
140271606798144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 59 bytes and written 299 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x7f93893acf60 [0x7f93893010d0] (8192 bytes => 145 (0x91))
0000 - 53 54 41 52 54 54 4c 53-20 66 61 69 6c 65 64 3a   STARTTLS failed:
0010 - 20 69 70 3d 5b 31 32 37-2e 30 2e 30 2e 31 5d 2c    ip=[127.0.0.1],
0020 - 52 63 6f 75 72 69 65 72-74 6c 73 3a 20 2f 76 61    couriertls: /va
0030 - 72 2f 6c 69 62 2f 63 6f-75 72 69 65 72 2d 69 6d   r/lib/courier-im
0040 - 61 70 2f 63 6f 75 72 69-65 72 73 73 6c 63 61 63   ap/couriersslcac
0050 - 68 65 3a 20 50 65 72 6d-69 73 73 69 6f 6e 20 64   he: Permission d
0060 - 65 6e 69 65 64 0a 69 70-3d 5b 31 32 37 2e 30 2e   enied.ip=[127.0.
0070 - 30 2e 31 5d 2c 20 63 6f-75 72 69 65 72 74 6c 73   0.1], couriertls
0080 - 3a 20 2f 65 74 63 2f 63-6f 75 72 69 65 72 2d 0d   : /etc/courier-.
0090 - 0a                                                .
read from 0x7f93893acf60 [0x7f93893010d0] (8192 bytes => 69 (0x45))
0000 - 2d 45 52 52 20 49 6e 76-61 6c 69 64 20 63 6f 6d   -ERR Invalid com
0010 - 23 61 6e 64 2e 0d 0a 2d-45 52 52 20 49 6e 76 61   mand...-ERR Inva
0020 - 6c 69 64 20 63 6f 6d 6d-61 6e 64 2e 0d 0a 2d 45   lid command...-E
0030 - 20 52 20 49 6e 76 61 6c-69 64 20 63 6f 6d 6d 61   RR Invalid comma
0040 - 6e 64 2e 0d 0a                                    nd...
read from 0x7f93893acf60 [0x7f93893010d0] (8192 bytes => 0 (0x0))
More information. If I set /var/lib/courier-imap to be 777, remove the couriersslcache file, and run openssl, it gets written:

-rw------- 1 mail mail 524288 Oct 29 17:07 couriersslcache

So it wants to write it as mail:mail. I'm going to do some digging to see why the owner is mail vs. root. Next, I get a new error:

read from 0x7fa0b8ecbf60 [0x7fa0b8e200d0] (8192 bytes => 129 (0x81))
0000 - 53 54 41 52 54 54 4c 53-20 66 61 69 6c 65 64 3a   STARTTLS failed:
0010 - 20 69 70 3d 5b 31 32 37-2e 30 2e 30 2e 31 5d 2c    ip=[127.0.0.1],
0020 - 20 63 6f 75 72 69 65 72-74 6c 73 3a 20 2f 65 74    couriertls: /et
0030 - 63 2f 63 6f 75 72 69 65-72 2d 69 6d 61 70 2f 70   c/courier-imap/p
0040 - 6f 70 33 64 2e 70 65 6d-3a 20 65 72 72 6f 72 3a   op3d.pem: error:
0050 - 30 32 30 30 31 30 30 44-3a 73 79 73 74 65 6d 20   0200100D:system
0060 - 6c 69 62 72 61 72 79 3a-66 6f 70 65 6e 3a 50 65   library:fopen:Pe
0070 - 72 6d 69 73 73 69 6f 6e-20 64 65 6e 69 65 64 0d   rmission denied.
0080 - 0a                                                .
read from 0x7fa0b8ecbf60 [0x7fa0b8e200d0] (8192 bytes => 69 (0x45))
0000 - 2d 45 52 52 20 49 6e 76-61 6c 69 64 20 63 6f 6d   -ERR Invalid com
0010 - 6d 61 6e 64 2e 0d 0a 2d-45 52 52 20 49 6e 76 61   mand...-ERR Inva
0020 - 6c 69 64 20 63 6f 6d 6d-61 6e 64 2e 0d 0a 2d 45   lid command...-E
0030 - 52 52 20 49 6e 76 61 6c-69 64 20 63 6f 6d 6d 61   RR Invalid comma
0040 - 6e 64 2e 0d 0a                                    nd...

So now it looks like an additional ownership problem with fopen().
Change log on 5.0.0:

2018-06-28  Sam Varshavchik  <mrsam@courier-mta.com>

	* libs/tcpd/starttls.c (main): Add -user option. Additional fixes to
	startup script to have couriertls drop root privileges.

Seems like something.
Change ownership to mail:mail on these files and see:

/var/lib/courier-imap/couriersslcache
/etc/courier-imap/pop3d.pem
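The condition behind this whole thread is that couriertls in 5.0.x opens its certificate, dhparams and session-cache files after dropping root, so files that were fine as root-owned 0600 under 4.18.2 now fail. As an added example (not part of the thread and not Courier code), the Python check below parses the KEY=VALUE lines of a pop3d-ssl/imapd-ssl file and reports which of TLS_CERTFILE, TLS_DHPARAMS and TLS_CACHEFILE the unprivileged user could not open. The uid/gid used for 'mail', the config excerpt and the stat tables (before and after the chown suggested above) are constructed; on a real host, pass the config path and take the ids from getent passwd mail.

```python
"""Check that the TLS files named in a Courier pop3d-ssl/imapd-ssl config are
openable by the unprivileged user couriertls drops to.  Added example for this
thread, not Courier code.  MAIL_UID/MAIL_GID and the stat tables are assumed."""
import os
import re
import stat
import sys
from types import SimpleNamespace

# Config keys naming files couriertls opens after dropping root privileges.
FILE_KEYS = ("TLS_CERTFILE", "TLS_DHPARAMS", "TLS_CACHEFILE")

# Assumed ids for the 'mail' user; use the real ones from 'getent passwd mail'.
MAIL_UID, MAIL_GID = 8, 12


def parse_courier_config(text):
    """KEY=VALUE lines only.  Lines starting with '#' (including commented-out
    settings) are skipped; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def may_open(mode, owner_uid, owner_gid, uid, gid, write=False):
    """Classic Unix mode check: root always passes; otherwise use the owner,
    group or other class.  Ignores supplementary groups, ACLs and directory
    traversal, so a 'True' here is necessary, not sufficient."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR)
    elif gid == owner_gid:
        bits = (stat.S_IRGRP, stat.S_IWGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH)
    return bool(mode & bits[1 if write else 0])


def audit_tls_files(settings, uid, gid, stat_fn=os.stat):
    """Return (key, path, problem) tuples for files (uid, gid) cannot open.
    TLS_CACHEFILE must be writable as well as readable."""
    problems = []
    for key in FILE_KEYS:
        path = settings.get(key)
        if not path:
            continue
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            problems.append((key, path, "missing"))
            continue
        if not may_open(st.st_mode, st.st_uid, st.st_gid, uid, gid):
            problems.append((key, path, "not readable by uid %d" % uid))
        elif key == "TLS_CACHEFILE" and not may_open(
                st.st_mode, st.st_uid, st.st_gid, uid, gid, write=True):
            problems.append((key, path, "not writable by uid %d" % uid))
    return problems


def fake_stat(table):
    """Stat function backed by {path: (mode, uid, gid)} so the audit can run
    without root or real files (constructed for this example)."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        mode, uid, gid = table[path]
        return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
    return _stat


# Constructed excerpt in the style of /etc/courier-imap/pop3d-ssl.
SAMPLE_POP3D_SSL = """\
##NAME: TLS_CERTFILE:0
TLS_CERTFILE=/etc/courier-imap/pop3d.pem
TLS_DHPARAMS=/etc/courier-imap/dhparams.pem
#TLS_CACHEFILE=/var/lib/courier-imap/couriersslimapcache
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache
"""

# Ownership as reported in the thread before the fix (pem mode is assumed 0600).
BEFORE_CHOWN = {
    "/etc/courier-imap/pop3d.pem": (0o100600, 0, 0),
    "/etc/courier-imap/dhparams.pem": (0o100644, 0, 0),
    "/var/lib/courier-imap/couriersslcache": (0o100600, 0, 0),
}
# The same files after 'chown mail:mail' on the pem and the cache file.
AFTER_CHOWN = {
    **BEFORE_CHOWN,
    "/etc/courier-imap/pop3d.pem": (0o100600, MAIL_UID, MAIL_GID),
    "/var/lib/courier-imap/couriersslcache": (0o100600, MAIL_UID, MAIL_GID),
}

if __name__ == "__main__":
    if len(sys.argv) == 2:          # usage: audit.py /etc/courier-imap/pop3d-ssl
        with open(sys.argv[1]) as fh:
            print(audit_tls_files(parse_courier_config(fh.read()), MAIL_UID, MAIL_GID))
    else:
        cfg = parse_courier_config(SAMPLE_POP3D_SSL)
        print("as root, before:", audit_tls_files(cfg, 0, 0, fake_stat(BEFORE_CHOWN)))
        print("as mail, before:", audit_tls_files(cfg, MAIL_UID, MAIL_GID, fake_stat(BEFORE_CHOWN)))
        print("as mail, after: ", audit_tls_files(cfg, MAIL_UID, MAIL_GID, fake_stat(AFTER_CHOWN)))
```

Run with no argument, the script shows the three states that this thread went through: root can open everything (why 4.18.2 worked), the mail user is refused the pem and the cache file (the two "Permission denied" errors captured above), and the chown clears both.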
Okay.. that did it. Do we need to get an update to this build to change ownership of those files?
I will add some notes.