Imap

From finninday

Platform: Hardy Heron amd64

https://help.ubuntu.com/community/Squirrelmail

http://flurdy.com/docs/postfix/

Packages

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                                       Version                             Description
+++-==========================================-===================================-============================================

ii  courier-authdaemon                         0.60.1-1ubuntu2                     Courier authentication daemon
ii  courier-authlib                            0.60.1-1ubuntu2                     Courier authentication library
ii  courier-authlib-userdb                     0.60.1-1ubuntu2                     userdb support for the Courier authentication
ii  courier-base                               0.58.0.20080127-1ubuntu1            Courier mail server - base system
ii  courier-imap                               4.3.0.20081027-1ubuntu1             Courier mail server - IMAP server
ii  courier-imap-ssl                           4.3.0.20081027-1ubuntu1             Courier mail server - IMAP over SSL
ii  courier-ssl                                0.58.0.20080127-1ubuntu1            Courier mail server - SSL/TLS Support


Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                       Version                    Description
+++-==========================-==========================-====================================================================
ii  squirrelmail               2:1.4.13-2ubuntu1          Webmail for nuts
un  squirrelmail-decode        <none>                     (no description available)
un  squirrelmail-locales       <none>                     (no description available)

Test output

root@weasel:/etc/default# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
a login myuserid mypassword
a OK LOGIN Ok.
q logout
* BYE Courier-IMAP server shutting down
q OK LOGOUT completed
Connection closed by foreign host.

After just installing the packages and doing no configuration, I tried a conversation:

root@ferret:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc.  See COPYING for distribution information.
a login
a NO Error in IMAP command received by server.
a login mylogin
a NO Error in IMAP command received by server.
a login mylogin wrongpassword
a NO Login failed.
a login mylogin rightpassword
* BYE [ALERT] Fatal error: No such file or directory: No such file or directory
Connection closed by foreign host.

That error indicates that the user doesn't have a Maildir directory. After I created /home/mylogin/Maildir, it worked.

Testing imap over ssl seems a little more difficult:

[root@snapper downloads]# telnet finninday.net 993
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.

I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log:

May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown.
May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

So I'm getting past the firewall and talking to the imapd-ssl process.

This might be helpful information:

rday@weasel:~$ couriertls -host=finninday.net -port=993
couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

That's odd because I can verify the cert like this:

root@weasel:/etc/courier# openssl verify imapd.pem
imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net
error 18 at 0 depth lookup:self signed certificate
OK

The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...

Thunderbird imap logging

I turned on Thunderbird's logging of imap transactions like this:

export NSPR_LOG_MODULES=imap:5
export NSPR_LOG_FILE=/tmp/filename
thunderbird

This is what appears in the log when I try to connect via imap SSL port 993:

2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX:  = currentUrl
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments.
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null)
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
-1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0]

Not particularly helpful. For the same transaction, I see nothing in mail.log.

This is what I see when I switch to using imap without ssl, which is denied at my firewall:

2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0]
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk:  = currentUrl
-1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1]
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null)
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
-1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0]

In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.

Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this:

##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0   - turn off debugging
# DEBUG_LOGIN=1   - turn on debugging
# DEBUG_LOGIN=2   - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=1

But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...

Packet sniffer

Using a packet sniffer on the client side I can see the conversation looks like this:

  • client says syn
  • server says syn ack
  • client says ack
  • client says "Client Hello" in TLSv1
  • server says ack
  • server says "Server Hello, Certificate, Server Hello Done" in TLSv1
  • client says ack
  • client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Application Data, Encrypted Alert" in TLSv1
  • client says ack
  • client says fin, ack
  • server says ack

It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.

According to Wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it"?

Maybe there is nothing wrong with the imap-ssl server.
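One way to construct the IMAP-over-SSL transaction by hand (the question left open under the couriertls test above) and to read what the server puts in that first "Application Data" record after the handshake is to do the handshake from Python and treat the first line as an IMAP greeting. This is an added example (Python 3.8+, standard library only), not code from the original page; the host, port and the `verify=False` switch for a self-signed imapd.pem are the caller's choice, and the two sample lines are constructed from the transcripts on this page.

```python
import socket
import ssl

# Constructed sample lines, taken from the transcripts on this page.
SAMPLE_GREETING = "* OK [CAPABILITY IMAP4rev1 UIDPLUS IDLE ACL] Courier-IMAP ready."
SAMPLE_BYE = "* BYE imaplogin expected exactly two arguments."

def parse_imap_line(line):
    """Split a server line into tag, status, optional [response code] and text."""
    tag, status, rest = (line.rstrip("\r\n").split(" ", 2) + ["", ""])[:3]
    code = None
    if rest.startswith("[") and "]" in rest:
        code, rest = rest[1:rest.index("]")], rest[rest.index("]") + 1:].lstrip()
    return {"tag": tag, "status": status.upper(), "code": code, "text": rest}

def classify_greeting(line):
    """What the first line says: 'ready', 'bye' (IMAP, but refusing) or 'not-imap'."""
    r = parse_imap_line(line)
    if r["tag"] != "*" or r["status"] not in ("OK", "PREAUTH", "BYE"):
        return "not-imap"
    return "bye" if r["status"] == "BYE" else "ready"

def capabilities(line):
    """Capability list advertised in the greeting's [CAPABILITY ...] response code."""
    code = parse_imap_line(line)["code"] or ""
    return code.split()[1:] if code.upper().startswith("CAPABILITY") else []

def probe(host, port=993, use_tls=True, verify=True, timeout=10):
    """Connect, read the greeting, then send CAPABILITY and LOGOUT if the server is ready."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:  # self-signed imapd.pem: skip chain/hostname checks for this probe only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    f = sock.makefile("rwb")
    lines = [f.readline().decode(errors="replace")]  # first Application Data record
    if classify_greeting(lines[0]) == "ready":
        for tag, cmd in (("a", "CAPABILITY"), ("q", "LOGOUT")):
            f.write(f"{tag} {cmd}\r\n".encode())
            f.flush()
            while (ln := f.readline().decode(errors="replace")) and not ln.startswith(tag + " "):
                lines.append(ln)
            lines.append(ln)  # tagged completion, or "" if the server closed the connection
    sock.close()
    return lines
```

Call `probe("finninday.net", 993, verify=False)` and look at the first returned line: a `* OK` greeting means a working IMAP server behind the TLS session, while a `* BYE` (the line the Thunderbird log above shows for port 993) means the TLS handshake completed and the refusal came from the IMAP side, which is what a "Application Data" record followed by an "Encrypted Alert" looks like in the capture.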

Remove and reinstall

I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in Thunderbird and get the "not an IMAP4 server" error message. But now I can connect via TLS, which might be just fine.