Difference between revisions of "Imap"
From Finninday
(→Test output) |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
[[Category: Installation notes]] | [[Category: Installation notes]] | ||
===Platform: Hardy Heron amd64=== | ===Platform: Hardy Heron amd64=== | ||
| Line 14: | Line 6: | ||
===Packages=== | ===Packages=== | ||
| − | + | <pre> | |
Desired=Unknown/Install/Remove/Purge/Hold | Desired=Unknown/Install/Remove/Purge/Hold | ||
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend | | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend | ||
| Line 36: | Line 28: | ||
+++-==========================-==========================-==================================================================== | +++-==========================-==========================-==================================================================== | ||
ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts | ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts | ||
| − | un squirrelmail-decode | + | un squirrelmail-decode <none> (no description available) |
| − | un squirrelmail-locales | + | un squirrelmail-locales <none> (no description available) |
| − | + | </pre> | |
===Test output=== | ===Test output=== | ||
| − | + | <pre> | |
root@weasel:/etc/default# telnet localhost 143 | root@weasel:/etc/default# telnet localhost 143 | ||
Trying 127.0.0.1... | Trying 127.0.0.1... | ||
| Line 53: | Line 45: | ||
q OK LOGOUT completed | q OK LOGOUT completed | ||
Connection closed by foreign host. | Connection closed by foreign host. | ||
| − | + | </pre> | |
| + | After just installing the packages and doing no configuration, I tried a conversation: | ||
| + | <pre> | ||
| + | root@ferret:~# telnet localhost 143 | ||
| + | Trying 127.0.0.1... | ||
| + | Connected to localhost.localdomain. | ||
| + | Escape character is '^]'. | ||
| + | * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc. See COPYING for distribution information. | ||
| + | a login | ||
| + | a NO Error in IMAP command received by server. | ||
| + | a login mylogin | ||
| + | a NO Error in IMAP command received by server. | ||
| + | a login mylogin wrongpassword | ||
| + | a NO Login failed. | ||
| + | a login mylogin rightpassword | ||
| + | * BYE [ALERT] Fatal error: No such file or directory: No such file or directory | ||
| + | Connection closed by foreign host. | ||
| + | </pre> | ||
| + | |||
| + | That error indicates that the user doesn't have a Maildir directory. After I created /home/mylogin/Maildir, it worked. | ||
Testing imap over ssl seems a little more difficult: | Testing imap over ssl seems a little more difficult: | ||
| − | + | <pre> | |
[root@snapper downloads]# telnet finninday.net 993 | [root@snapper downloads]# telnet finninday.net 993 | ||
Trying 24.21.185.50... | Trying 24.21.185.50... | ||
Connected to finninday.net. | Connected to finninday.net. | ||
Escape character is '^]'. | Escape character is '^]'. | ||
| − | + | </pre> | |
I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log: | I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log: | ||
| − | + | <pre> | |
May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. | May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. | ||
May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol | May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol | ||
| − | + | </pre> | |
So I'm getting past the firewall and talking to the imapd-ssl process. | So I'm getting past the firewall and talking to the imapd-ssl process. | ||
This might be helpful information: | This might be helpful information: | ||
| − | + | <pre> | |
rday@weasel:~$ couriertls -host=finninday.net -port=993 | rday@weasel:~$ couriertls -host=finninday.net -port=993 | ||
couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed | couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed | ||
| − | + | </pre> | |
That's odd because I can verify the cert like this: | That's odd because I can verify the cert like this: | ||
| − | + | <pre> | |
root@weasel:/etc/courier# openssl verify imapd.pem | root@weasel:/etc/courier# openssl verify imapd.pem | ||
imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net | imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net | ||
error 18 at 0 depth lookup:self signed certificate | error 18 at 0 depth lookup:self signed certificate | ||
OK | OK | ||
| − | + | </pre> | |
The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert... | The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert... | ||
| Line 89: | Line 100: | ||
I turned on Thunderbird's logging of imap transactions like this: | I turned on Thunderbird's logging of imap transactions like this: | ||
| − | + | <pre> | |
export NSPR_LOG_MODULES=imap:5 | export NSPR_LOG_MODULES=imap:5 | ||
export NSPR_LOG_FILE=/tmp/filename | export NSPR_LOG_FILE=/tmp/filename | ||
thunderbird | thunderbird | ||
| − | + | </pre> | |
This is what appears in the log when I try to connect via imap SSL port 993: | This is what appears in the log when I try to connect via imap SSL port 993: | ||
| − | + | <pre> | |
2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN | 2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN | ||
-1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] | -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] | ||
| Line 110: | Line 121: | ||
-1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls | -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls | ||
-1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0] | -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0] | ||
| − | + | </pre> | |
Not particularly helpful. | Not particularly helpful. | ||
| Line 116: | Line 127: | ||
This is what I see when I switch to using imap without ssl, which is denied at my firewall: | This is what I see when I switch to using imap without ssl, which is denied at my firewall: | ||
| − | + | <pre> | |
2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN | 2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN | ||
-1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] | -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] | ||
| Line 127: | Line 138: | ||
-1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls | -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls | ||
-1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0] | -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0] | ||
| − | + | </pre> | |
In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log. | In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log. | ||
Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this: | Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this: | ||
| − | + | <pre> | |
##NAME: DEBUG_LOGIN:0 | ##NAME: DEBUG_LOGIN:0 | ||
# | # | ||
| Line 146: | Line 157: | ||
DEBUG_LOGIN=1 | DEBUG_LOGIN=1 | ||
| − | + | </pre> | |
But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd... | But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd... | ||
| Line 156: | Line 167: | ||
* server says syn ack | * server says syn ack | ||
* client says ack | * client says ack | ||
| − | * client says | + | * client says "Client Hello" in TLSv1 |
* server says ack | * server says ack | ||
| − | * server says | + | * server says "Server Hello, Certificate, Server Hello Done" in TLSv1 |
* client says ack | * client says ack | ||
| − | * client says | + | * client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1 |
| − | * server says | + | * server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1 |
| − | * server says | + | * server says "Application Data, Encrypted Alert" in TLSv1 |
* client says ack | * client says ack | ||
* client says fin, ack | * client says fin, ack | ||
* server says ack | * server says ack | ||
| − | It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: | + | It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? |
| − | Something in that | + | Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up. |
| − | According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean | + | According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it". |
Maybe there is nothing wrong with the imap-ssl server. | Maybe there is nothing wrong with the imap-ssl server. | ||
===Remove and reinstall=== | ===Remove and reinstall=== | ||
| − | I tried | + | I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine. |
Latest revision as of 22:33, 26 May 2011
Contents
Platform: Hardy Heron amd64
https://help.ubuntu.com/community/Squirrelmail
http://flurdy.com/docs/postfix/
Packages
Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================================-===================================-============================================ ii courier-authdaemon 0.60.1-1ubuntu2 Courier authentication daemon ii courier-authlib 0.60.1-1ubuntu2 Courier authentication library ii courier-authlib-userdb 0.60.1-1ubuntu2 userdb support for the Courier authentication ii courier-base 0.58.0.20080127-1ubuntu1 Courier mail server - base system ii courier-imap 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP server ii courier-imap-ssl 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP over SSL ii courier-ssl 0.58.0.20080127-1ubuntu1 Courier mail server - SSL/TLS Support Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================-==========================-==================================================================== ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts un squirrelmail-decode <none> (no description available) un squirrelmail-locales <none> (no description available)
Test output
root@weasel:/etc/default# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information. a login myuserid mypassword a OK LOGIN Ok. q logout * BYE Courier-IMAP server shutting down q OK LOGOUT completed Connection closed by foreign host.
After just installing the packages and doing no configuration, I tried a conversation:
root@ferret:~# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc. See COPYING for distribution information. a login a NO Error in IMAP command received by server. a login mylogin a NO Error in IMAP command received by server. a login mylogin wrongpassword a NO Login failed. a login mylogin rightpassword * BYE [ALERT] Fatal error: No such file or directory: No such file or directory Connection closed by foreign host.
That error indicates that the user doesn't have a Maildir directory. After I created /home/mylogin/Maildir, it worked.
Testing imap over ssl seems a little more difficult:
[root@snapper downloads]# telnet finninday.net 993 Trying 24.21.185.50... Connected to finninday.net. Escape character is '^]'.
I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log:
May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
So I'm getting past the firewall and talking to the imapd-ssl process.
This might be helpful information:
rday@weasel:~$ couriertls -host=finninday.net -port=993 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
That's odd because I can verify the cert like this:
root@weasel:/etc/courier# openssl verify imapd.pem imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net error 18 at 0 depth lookup:self signed certificate OK
The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...
Thunderbird imap logging
I turned on Thunderbird's logging of imap transactions like this:
export NSPR_LOG_MODULES=imap:5 export NSPR_LOG_FILE=/tmp/filename thunderbird
This is what appears in the log when I try to connect via imap SSL port 993:
2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX: = currentUrl -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments. -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0]
Not particularly helpful. For the same transaction, I see nothing in mail.log.
This is what I see when I switch to using imap without ssl, which is denied at my firewall:
2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk: = currentUrl -1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0]
In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.
Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this:
##NAME: DEBUG_LOGIN:0 # # Dump additional diagnostics to syslog # # DEBUG_LOGIN=0 - turn off debugging # DEBUG_LOGIN=1 - turn on debugging # DEBUG_LOGIN=2 - turn on debugging + log passwords too # # ** YES ** - DEBUG_LOGIN=2 places passwords into syslog. # # Note that most information is sent to syslog at level 'debug', so # you may need to modify your /etc/syslog.conf to be able to see it. DEBUG_LOGIN=1
But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...
Packet sniffer
Using a packet sniffer on the client side I can see the conversation looks like this:
- client says syn
- server says syn ack
- client says ack
- client says "Client Hello" in TLSv1
- server says ack
- server says "Server Hello, Certificate, Server Hello Done" in TLSv1
- client says ack
- client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Application Data, Encrypted Alert" in TLSv1
- client says ack
- client says fin, ack
- server says ack
It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".
Maybe there is nothing wrong with the imap-ssl server.
Remove and reinstall
I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine.
