Imap

From Finninday
Revision as of 03:23, 24 November 2010 by Ezekypy (Talk | contribs)

Jump to: navigation, search

Platform: Hardy Heron amd64

https://help.ubuntu.com/community/Squirrelmail

http://flurdy.com/docs/postfix/

Packages

<pre> Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================================-===================================-============================================

ii courier-authdaemon 0.60.1-1ubuntu2 Courier authentication daemon ii courier-authlib 0.60.1-1ubuntu2 Courier authentication library ii courier-authlib-userdb 0.60.1-1ubuntu2 userdb support for the Courier authentication ii courier-base 0.58.0.20080127-1ubuntu1 Courier mail server - base system ii courier-imap 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP server ii courier-imap-ssl 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP over SSL ii courier-ssl 0.58.0.20080127-1ubuntu1 Courier mail server - SSL/TLS Support


Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================-==========================-==================================================================== ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts un squirrelmail-decode <none> (no description available) un squirrelmail-locales <none> (no description available) </pre>

Test output

<pre> root@weasel:/etc/default# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'.

  • OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.

a login myuserid mypassword a OK LOGIN Ok. q logout

  • BYE Courier-IMAP server shutting down

q OK LOGOUT completed Connection closed by foreign host. </pre>


Testing imap over ssl seems a little more difficult:

<pre> [root@snapper downloads]# telnet finninday.net 993 Trying 24.21.185.50... Connected to finninday.net. Escape character is '^]'. </pre> I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log: <pre> May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol </pre> So I'm getting past the firewall and talking to the imapd-ssl process.

This might be helpful information: <pre> rday@weasel:~$ couriertls -host=finninday.net -port=993 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed </pre>

That's odd because I can verify the cert like this: <pre> root@weasel:/etc/courier# openssl verify imapd.pem imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net error 18 at 0 depth lookup:self signed certificate OK </pre> The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...

Thunderbird imap logging

I turned on Thunderbird's logging of imap transactions like this:

<pre> export NSPR_LOG_MODULES=imap:5 export NSPR_LOG_FILE=/tmp/filename thunderbird </pre>

This is what appears in the log when I try to connect via imap SSL port 993: <pre> 2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX: = currentUrl -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments. -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0] </pre>

Not particularly helpful. For the same transaction, I see nothing in mail.log.

This is what I see when I switch to using imap without ssl, which is denied at my firewall: <pre> 2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk: = currentUrl -1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0] </pre> In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.

Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this: <pre>

    1. NAME: DEBUG_LOGIN:0
  3. Dump additional diagnostics to syslog
  5. DEBUG_LOGIN=0 - turn off debugging
  6. DEBUG_LOGIN=1 - turn on debugging
  7. DEBUG_LOGIN=2 - turn on debugging + log passwords too
  9. ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
  11. Note that most information is sent to syslog at level 'debug', so
  12. you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=1 </pre>

But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...

Packet sniffer

Using a packet sniffer on the client side I can see the conversation looks like this:

  • client says syn
  • server says syn ack
  • client says ack
  • client says "Client Hello" in TLSv1
  • server says ack
  • server says "Server Hello, Certificate, Server Hello Done" in TLSv1
  • client says ack
  • client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
  • server says "Application Data, Encrypted Alert" in TLSv1
  • client says ack
  • client says fin, ack
  • server says ack

It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.

According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".

Maybe there is nothing wrong with the imap-ssl server.

Remove and reinstall

I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine.

Retrieved from "https://finninday.net/wiki/index.php?title=Imap&oldid=3188"