Difference between revisions of "Imap"

From Finninday
(Thunderbird imap logging)
(Thunderbird imap logging)
Line 142: Line 142:
 
But where is the output?  I've verified that syslog.conf is correct and restarted authdaemon and syslog.  Still nothing shows up in debug.log or syslog.  Odd...
 
But where is the output?  I've verified that syslog.conf is correct and restarted authdaemon and syslog.  Still nothing shows up in debug.log or syslog.  Odd...
  
 +
===Packet sniffer===
 
Using a packet sniffer on the client side I can see the conversation looks like this:
 
Using a packet sniffer on the client side I can see the conversation looks like this:
  
Line 159: Line 160:
  
 
It looks perfectly reasonable and civilized, so why doesn't it result in Thunderbird saying: "not an IMAP4 server"?
 
It looks perfectly reasonable and civilized, so why doesn't it result in Thunderbird saying: "not an IMAP4 server"?
 +
Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
 +
 +
According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid.  The part I am unsure about is the step where the client tries to decrypt a  test message from the server.  The last message I see in TLS is the server's test message.  The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".
 +
 +
Maybe there is nothing wrong with the imap-ssl server.

Revision as of 21:45, 15 May 2008

Platform: Hardy Heron amd64

https://help.ubuntu.com/community/Squirrelmail

http://flurdy.com/docs/postfix/

Packages

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                                       Version                             Description
+++-==========================================-===================================-============================================

ii  courier-authdaemon                         0.60.1-1ubuntu2                     Courier authentication daemon
ii  courier-authlib                            0.60.1-1ubuntu2                     Courier authentication library
ii  courier-authlib-userdb                     0.60.1-1ubuntu2                     userdb support for the Courier authentication
ii  courier-base                               0.58.0.20080127-1ubuntu1            Courier mail server - base system
ii  courier-imap                               4.3.0.20081027-1ubuntu1             Courier mail server - IMAP server
ii  courier-imap-ssl                           4.3.0.20081027-1ubuntu1             Courier mail server - IMAP over SSL
ii  courier-ssl                                0.58.0.20080127-1ubuntu1            Courier mail server - SSL/TLS Support


Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                       Version                    Description
+++-==========================-==========================-====================================================================
ii  squirrelmail               2:1.4.13-2ubuntu1          Webmail for nuts
un  squirrelmail-decode        <none>                     (no description available)
un  squirrelmail-locales       <none>                     (no description available)

Test output

root@weasel:/etc/default# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
a login myuserid mypassword
a OK LOGIN Ok.
q logout
* BYE Courier-IMAP server shutting down
q OK LOGOUT completed
Connection closed by foreign host.


Testing imap over ssl seems a little more difficult:

[root@snapper downloads]# telnet finninday.net 993
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.

I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log:

May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown.
May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

So I'm getting past the firewall and talking to the imapd-ssl process.

This might be helpful information:

rday@weasel:~$ couriertls -host=finninday.net -port=993
couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

That's odd because I can verify the cert like this:

root@weasel:/etc/courier# openssl verify imapd.pem
imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net
error 18 at 0 depth lookup:self signed certificate
OK

The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...

Thunderbird imap logging

I turned on Thunderbird's logging of imap transactions like this:

export NSPR_LOG_MODULES=imap:5
export NSPR_LOG_FILE=/tmp/filename
thunderbird

This is what appears in the log when I try to connect via imap SSL port 993:

2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX:  = currentUrl
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments.
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null)
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
-1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0]

Not particularly helpful. For the same transaction, I see nothing in mail.log.

This is what I see when I switch to using imap without ssl, which is denied at my firewall:

2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0]
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk:  = currentUrl
-1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1]
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null)
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
-1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0]

In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.
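Added example, not part of the original notes: a small Python decoder for the two Thunderbird logs above. It pulls out the server's untagged response, the client command and the hexadecimal `rv` value, and maps the two `rv` values to their Mozilla nsresult names. The helper names `events` and `diagnose` are hypothetical.

```python
import re

# Lines copied from the two Thunderbird logs on this page.
LOG_993 = """\
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments.
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability
-1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0]
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
"""
LOG_143 = """\
-1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1]
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d
"""

# Mozilla nsresult codes seen in these logs.
NSRESULT = {
    0x80470002: "NS_BASE_STREAM_CLOSED",
    0x804B000D: "NS_ERROR_CONNECTION_REFUSED",
}

def events(log):
    """Return (kind, value) pairs for the log lines that carry a diagnosis."""
    out = []
    for line in log.splitlines():
        if m := re.search(r"ReadNextLine \[stream=\w+ nb=(\d+)", line):
            nb = int(m.group(1))
            # nb is logged as unsigned 32-bit; 4294967295 is -1 (failed read).
            out.append(("read", nb - 2**32 if nb >= 2**31 else nb))
        elif m := re.search(r"CreateNewLineFromSocket: (\* .*)$", line):
            out.append(("server", m.group(1)))
        elif m := re.search(r"SendData: (.*)$", line):
            out.append(("client", m.group(1)))
        elif m := re.search(r"rv = ([0-9a-f]{8})\b", line):
            code = int(m.group(1), 16)
            out.append(("nsresult", NSRESULT.get(code, f"unknown 0x{code:08x}")))
    return out

def diagnose(log):
    """Classify the failure from the first server line and the nsresult."""
    ev = events(log)
    greeting = next((v for k, v in ev if k == "server"), None)
    if greeting and greeting.startswith("* BYE"):
        # A decoded server line means the transport (TCP, and TLS on 993)
        # delivered data; the IMAP daemon itself ended the session.
        return "server-bye: " + greeting
    if ("nsresult", "NS_ERROR_CONNECTION_REFUSED") in ev:
        return "tcp-refused"
    return "unclassified"
```

On the port 993 log the first read is 49 bytes, which is exactly the `* BYE` line plus CRLF, so the first thing the client decoded from the server was a refusal, not a `* OK` greeting.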

Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this:

##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0   - turn off debugging
# DEBUG_LOGIN=1   - turn on debugging
# DEBUG_LOGIN=2   - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=1

But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...

Packet sniffer

Using a packet sniffer on the client side I can see the conversation looks like this:

  • client says syn
  • server says syn ack
  • client says ack
  • client says "Client Hello" in TLSv1
  • server says ack
  • server says "Server Hello, Certificate, Server Hello Done" in TLSv1
  • client says ack
  • client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Application Data, Encrypted Alert" in TLSv1
  • client says ack
  • client says fin, ack
  • server says ack

It looks perfectly reasonable and civilized, so why doesn't it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
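Added example, not part of the original notes: a Python sketch of how a sniffer without the session keys arrives at labels such as "Application Data, Encrypted Alert". It reads only the 5-byte TLS record header (type, version, length); after Change Cipher Spec the payload is opaque, so the alert's level and description are not visible in the capture. The byte stream is constructed for illustration and `label_records` is a hypothetical helper.

```python
import struct

CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   14: "Server Hello Done", 16: "Client Key Exchange"}

def record(ctype, payload, version=0x0301):
    """Build one TLS record: type (1 byte), version (2), length (2), payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def label_records(stream):
    """Label each record in one direction of a TLSv1 stream, header only."""
    labels, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated capture
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        if ctype == 22:
            # Before Change Cipher Spec the first byte names the message;
            # afterwards it is ciphertext and cannot be interpreted.
            name = ("Encrypted Handshake Message" if encrypted
                    else HANDSHAKE_TYPES.get(body[0], "Handshake"))
        elif ctype == 21 and encrypted:
            name = "Encrypted Alert"
        elif ctype == 20:
            encrypted = True  # everything after this record is encrypted
        labels.append((name, length))
        offset += 5 + length
    return labels

# Constructed server-to-client bytes shaped like the last two server steps
# in the list above; payloads are filler, lengths are illustrative.
SERVER_TAIL = (record(20, b"\x01") + record(22, bytes(48))
               + record(23, bytes(80)) + record(21, bytes(32)))

if __name__ == "__main__":
    for name, length in label_records(SERVER_TAIL):
        print(f"{name} ({length} bytes)")
```

The TCP "ack" segments in the capture only confirm that the bytes arrived; whether the client could decrypt a record is not expressed at the TCP layer.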

According to Wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it"?

Maybe there is nothing wrong with the imap-ssl server.