Revision as of 03:23, 24 November 2010

This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page

CLICK HERE

Platform: Hardy Heron amd64

https://help.ubuntu.com/community/Squirrelmail

Packages

<pre> Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================================-===================================-============================================

ii courier-authdaemon 0.60.1-1ubuntu2 Courier authentication daemon ii courier-authlib 0.60.1-1ubuntu2 Courier authentication library ii courier-authlib-userdb 0.60.1-1ubuntu2 userdb support for the Courier authentication ii courier-base 0.58.0.20080127-1ubuntu1 Courier mail server - base system ii courier-imap 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP server ii courier-imap-ssl 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP over SSL ii courier-ssl 0.58.0.20080127-1ubuntu1 Courier mail server - SSL/TLS Support

Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================-==========================-==================================================================== ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts un squirrelmail-decode <none> (no description available) un squirrelmail-locales <none> (no description available) </pre>

Test output

<pre> root@weasel:/etc/default# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'.

OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.

a login myuserid mypassword a OK LOGIN Ok. q logout

BYE Courier-IMAP server shutting down

q OK LOGOUT completed Connection closed by foreign host. </pre>

Testing imap over ssl seems a little more difficult:

<pre> [root@snapper downloads]# telnet finninday.net 993 Trying 24.21.185.50... Connected to finninday.net. Escape character is '^]'. </pre> I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log: <pre> May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol </pre> So I'm getting past the firewall and talking to the imapd-ssl process.

This might be helpful information: <pre> rday@weasel:~$ couriertls -host=finninday.net -port=993 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed </pre>

That's odd because I can verify the cert like this: <pre> root@weasel:/etc/courier# openssl verify imapd.pem imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net error 18 at 0 depth lookup:self signed certificate OK </pre> The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...

Thunderbird imap logging

I turned on Thunderbird's logging of imap transactions like this:

<pre> export NSPR_LOG_MODULES=imap:5 export NSPR_LOG_FILE=/tmp/filename thunderbird </pre>

This is what appears in the log when I try to connect via imap SSL port 993: <pre> 2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX: = currentUrl -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments. -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0] </pre>

Not particularly helpful. For the same transaction, I see nothing in mail.log.

This is what I see when I switch to using imap without ssl, which is denied at my firewall: <pre> 2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk: = currentUrl -1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0] </pre> In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.

Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this: <pre>

1. NAME: DEBUG_LOGIN:0
Dump additional diagnostics to syslog
DEBUG_LOGIN=0 - turn off debugging
DEBUG_LOGIN=1 - turn on debugging
DEBUG_LOGIN=2 - turn on debugging + log passwords too
** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
Note that most information is sent to syslog at level 'debug', so
you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=1 </pre>

But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...

Packet sniffer

Using a packet sniffer on the client side I can see the conversation looks like this:

client says syn
server says syn ack
client says ack
client says "Client Hello" in TLSv1
server says ack
server says "Server Hello, Certificate, Server Hello Done" in TLSv1
client says ack
client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
server says "Application Data, Encrypted Alert" in TLSv1
client says ack
client says fin, ack
server says ack

It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.

According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".

Maybe there is nothing wrong with the imap-ssl server.

Remove and reinstall

I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine.

Difference between revisions of "Imap"

Revision as of 03:23, 24 November 2010

Contents

This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page

CLICK HERE

Platform: Hardy Heron amd64

Packages

Test output

Thunderbird imap logging

Packet sniffer

Remove and reinstall

Navigation menu

Views

Personal tools

Navigation

Search

Tools

@@ Line 1: / Line 1: @@
+----
+<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
+----
+=[http://enececufo.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=
+----
+=[http://enececufo.co.cc CLICK HERE]=
+----
+</div>
 [[Category: Installation notes]]
 ===Platform: Hardy Heron amd64===
@@ Line 6: / Line 14: @@
 ===Packages===
-<pre>
+&lt;pre&gt;
 Desired=Unknown/Install/Remove/Purge/Hold
 | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
@@ Line 28: / Line 36: @@
 +++-==========================-==========================-====================================================================
 ii  squirrelmail               2:1.4.13-2ubuntu1          Webmail for nuts
-un  squirrelmail-decode        <none>                     (no description available)
+un  squirrelmail-decode        &lt;none&gt;                     (no description available)
-un  squirrelmail-locales       <none>                     (no description available)
+un  squirrelmail-locales       &lt;none&gt;                     (no description available)
-</pre>
+&lt;/pre&gt;
 ===Test output===
-<pre>
+&lt;pre&gt;
 root@weasel:/etc/default# telnet localhost 143
 Trying 127.0.0.1...
@@ Line 45: / Line 53: @@
 q OK LOGOUT completed
 Connection closed by foreign host.
-</pre>
+&lt;/pre&gt;
 Testing imap over ssl seems a little more difficult:
-<pre>
+&lt;pre&gt;
 [root@snapper downloads]# telnet finninday.net 993
 Trying 24.21.185.50...
 Connected to finninday.net.
 Escape character is '^]'.
-</pre>
+&lt;/pre&gt;
 I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log:
-<pre>
+&lt;pre&gt;
 May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown.
 May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
-</pre>
+&lt;/pre&gt;
 So I'm getting past the firewall and talking to the imapd-ssl process.
 This might be helpful information:
-<pre>
+&lt;pre&gt;
 rday@weasel:~$ couriertls -host=finninday.net -port=993
 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-</pre>
+&lt;/pre&gt;
 That's odd because I can verify the cert like this:
-<pre>
+&lt;pre&gt;
 root@weasel:/etc/courier# openssl verify imapd.pem
 imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net
 error 18 at 0 depth lookup:self signed certificate
 OK
-</pre>
+&lt;/pre&gt;
 The fact that it is self-signed never was a problem before... but maybe things have changed.  Maybe imapd isn't presenting the right cert...
@@ Line 81: / Line 89: @@
 I turned on Thunderbird's logging of imap transactions like this:
-<pre>
+&lt;pre&gt;
 export NSPR_LOG_MODULES=imap:5
 export NSPR_LOG_FILE=/tmp/filename
 thunderbird
-</pre>
+&lt;/pre&gt;
 This is what appears in the log when I try to connect via imap SSL port 993:
-<pre>
+&lt;pre&gt;
 2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
 -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0]
@@ Line 102: / Line 110: @@
 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
 -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0]
-</pre>
+&lt;/pre&gt;
 Not particularly helpful.
@@ Line 108: / Line 116: @@
 This is what I see when I switch to using imap without ssl, which is denied at my firewall:
-<pre>
+&lt;pre&gt;
 2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
 -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0]
@@ Line 119: / Line 127: @@
 -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls
 -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0]
-</pre>
+&lt;/pre&gt;
 In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.
 Trying to get more information, I turn to courier's logging.  /etc/courier/authdaemonrc has a setting like this:
-<pre>
+&lt;pre&gt;
 ##NAME: DEBUG_LOGIN:0
 #
@@ Line 138: / Line 146: @@
 DEBUG_LOGIN=1
-</pre>
+&lt;/pre&gt;
 But where is the output?  I've verified that syslog.conf is correct and restarted authdaemon and syslog.  Still nothing shows up in debug.log or syslog.  Odd...
@@ Line 148: / Line 156: @@
 * server says syn ack
 * client says ack
-* client says "Client Hello" in TLSv1
+* client says &quot;Client Hello&quot; in TLSv1
 * server says ack
-* server says "Server Hello, Certificate, Server Hello Done" in TLSv1
+* server says &quot;Server Hello, Certificate, Server Hello Done&quot; in TLSv1
 * client says ack
-* client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
+* client says &quot;Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message&quot; in TLSv1
-* server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
+* server says &quot;Change Cipher Spec, Encrypted Handshake Message&quot; in TLSv1
-* server says "Application Data, Encrypted Alert" in TLSv1
+* server says &quot;Application Data, Encrypted Alert&quot; in TLSv1
 * client says ack
 * client says fin, ack
 * server says ack
-It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"?
+It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: &quot;not an IMAP4 server&quot;?
-Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
+Something in that &quot;Application Data, Encrypted Alert&quot; message convinced the client that it should give up.
-According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid.  The part I am unsure about is the step where the client tries to decrypt a  test message from the server.  The last message I see in TLS is the server's test message.  The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".
+According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid.  The part I am unsure about is the step where the client tries to decrypt a  test message from the server.  The last message I see in TLS is the server's test message.  The client responds with an ack, but does that mean &quot;Ack, I got the message and could decrypt it&quot; or &quot;Ack, I got the message and couldn't decrypt it&quot;.
 Maybe there is nothing wrong with the imap-ssl server.
 ===Remove and reinstall===
-I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl".  Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message.  But now I can connect via TLS, which might be just fine.
+I tried &quot;apt-get remove courier-ssl&quot;, &quot;apt-get purge courier-ssl&quot;, and &quot;apt-get install courier-ssl courier-imapd-ssl&quot;.  Still I'm unable to connect via SSL in thunderbird and get the &quot;not an imapd4 server&quot; error message.  But now I can connect via TLS, which might be just fine.