Imap
Platform: Hardy Heron amd64[edit]
https://help.ubuntu.com/community/Squirrelmail
http://flurdy.com/docs/postfix/
Packages[edit]
Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================================-===================================-============================================ ii courier-authdaemon 0.60.1-1ubuntu2 Courier authentication daemon ii courier-authlib 0.60.1-1ubuntu2 Courier authentication library ii courier-authlib-userdb 0.60.1-1ubuntu2 userdb support for the Courier authentication ii courier-base 0.58.0.20080127-1ubuntu1 Courier mail server - base system ii courier-imap 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP server ii courier-imap-ssl 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP over SSL ii courier-ssl 0.58.0.20080127-1ubuntu1 Courier mail server - SSL/TLS Support Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================-==========================-==================================================================== ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts un squirrelmail-decode <none> (no description available) un squirrelmail-locales <none> (no description available)
Test output[edit]
root@weasel:/etc/default# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information. a login myuserid mypassword a OK LOGIN Ok. q logout * BYE Courier-IMAP server shutting down q OK LOGOUT completed Connection closed by foreign host.
After just installing the packages and doing no configuration, I tried a conversation:
root@ferret:~# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc. See COPYING for distribution information. a login a NO Error in IMAP command received by server. a login mylogin a NO Error in IMAP command received by server. a login mylogin wrongpassword a NO Login failed. a login mylogin rightpassword * BYE [ALERT] Fatal error: No such file or directory: No such file or directory Connection closed by foreign host.
That error indicates that the user doesn't have a Maildir directory. After I created /home/mylogin/Maildir, it worked.
Testing imap over ssl seems a little more difficult:
[root@snapper downloads]# telnet finninday.net 993 Trying 24.21.185.50... Connected to finninday.net. Escape character is '^]'.
I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log:
May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
So I'm getting past the firewall and talking to the imapd-ssl process.
This might be helpful information:
rday@weasel:~$ couriertls -host=finninday.net -port=993 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
That's odd because I can verify the cert like this:
root@weasel:/etc/courier# openssl verify imapd.pem imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net error 18 at 0 depth lookup:self signed certificate OK
The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...
Thunderbird imap logging[edit]
I turned on Thunderbird's logging of imap transactions like this:
export NSPR_LOG_MODULES=imap:5 export NSPR_LOG_FILE=/tmp/filename thunderbird
This is what appears in the log when I try to connect via imap SSL port 993:
2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX: = currentUrl -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments. -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0]
Not particularly helpful. For the same transaction, I see nothing in mail.log.
This is what I see when I switch to using imap without ssl, which is denied at my firewall:
2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk: = currentUrl -1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0]
In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.
Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this:
##NAME: DEBUG_LOGIN:0 # # Dump additional diagnostics to syslog # # DEBUG_LOGIN=0 - turn off debugging # DEBUG_LOGIN=1 - turn on debugging # DEBUG_LOGIN=2 - turn on debugging + log passwords too # # ** YES ** - DEBUG_LOGIN=2 places passwords into syslog. # # Note that most information is sent to syslog at level 'debug', so # you may need to modify your /etc/syslog.conf to be able to see it. DEBUG_LOGIN=1
But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...
Packet sniffer[edit]
Using a packet sniffer on the client side I can see the conversation looks like this:
- client says syn
- server says syn ack
- client says ack
- client says "Client Hello" in TLSv1
- server says ack
- server says "Server Hello, Certificate, Server Hello Done" in TLSv1
- client says ack
- client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Application Data, Encrypted Alert" in TLSv1
- client says ack
- client says fin, ack
- server says ack
It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".
Maybe there is nothing wrong with the imap-ssl server.
Remove and reinstall[edit]
I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine.