Imap
Platform: Hardy Heron amd64
https://help.ubuntu.com/community/Squirrelmail
http://flurdy.com/docs/postfix/
Packages
<pre> Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==========================================-===================================-============================================
ii courier-authdaemon 0.60.1-1ubuntu2 Courier authentication daemon ii courier-authlib 0.60.1-1ubuntu2 Courier authentication library ii courier-authlib-userdb 0.60.1-1ubuntu2 userdb support for the Courier authentication ii courier-base 0.58.0.20080127-1ubuntu1 Courier mail server - base system ii courier-imap 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP server ii courier-imap-ssl 4.3.0.20081027-1ubuntu1 Courier mail server - IMAP over SSL ii courier-ssl 0.58.0.20080127-1ubuntu1 Courier mail server - SSL/TLS Support
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==========================-==========================-====================================================================
ii squirrelmail 2:1.4.13-2ubuntu1 Webmail for nuts
un squirrelmail-decode <none> (no description available)
un squirrelmail-locales <none> (no description available)
</pre>
Test output
<pre> root@weasel:/etc/default# telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'.
- OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
a login myuserid mypassword a OK LOGIN Ok. q logout
- BYE Courier-IMAP server shutting down
q OK LOGOUT completed Connection closed by foreign host. </pre>
Testing imap over ssl seems a little more difficult:
<pre> [root@snapper downloads]# telnet finninday.net 993 Trying 24.21.185.50... Connected to finninday.net. Escape character is '^]'. </pre> I'm not sure how to construct a transaction by hand, but when I quit, I got this in the log: <pre> May 15 10:43:46 weasel imapd-ssl: Unexpected SSL connection shutdown. May 15 10:44:50 weasel imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol </pre> So I'm getting past the firewall and talking to the imapd-ssl process.
This might be helpful information: <pre> rday@weasel:~$ couriertls -host=finninday.net -port=993 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed </pre>
That's odd because I can verify the cert like this: <pre> root@weasel:/etc/courier# openssl verify imapd.pem imapd.pem: /C=US/ST=Oregon/L=Portland/O=finninday.net/CN=weasel.finninday.net/emailAddress=rday@finninday.net error 18 at 0 depth lookup:self signed certificate OK </pre> The fact that it is self-signed never was a problem before... but maybe things have changed. Maybe imapd isn't presenting the right cert...
Thunderbird imap logging
I turned on Thunderbird's logging of imap transactions like this:
<pre> export NSPR_LOG_MODULES=imap:5 export NSPR_LOG_FILE=/tmp/filename thunderbird </pre>
This is what appears in the log when I try to connect via imap SSL port 993: <pre> 2131264[9699eb0]: afa69b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1264583792[ab44f10]: ImapThreadMainLoop entering [this=afa69b0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:993/select%3E%5EINBOX: = currentUrl -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=49 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: * BYE imaplogin expected exactly two arguments. -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:SendData: 1 capability -1264583792[ab44f10]: ReadNextLine [stream=b15e250 nb=4294967295 needmore=0] -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002 -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1264583792[ab44f10]: afa69b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1264583792[ab44f10]: ImapThreadMainLoop leaving [this=afa69b0] </pre>
Not particularly helpful. For the same transaction, I see nothing in mail.log.
This is what I see when I switch to using imap without ssl, which is denied at my firewall: <pre> 2131264[9699eb0]: b15a8b0:weasel.finninday.net:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN -1252017264[b2936b8]: ImapThreadMainLoop entering [this=b15a8b0] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: entering -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL:imap://rday@weasel.finninday.net:143/ensureExists%3E%5EINBOX%5EJunk: = currentUrl -1252017264[b2936b8]: ReadNextLine [stream=adb8bc0 nb=0 needmore=1] -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000d -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:TellThreadToDie: close socket connection -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:CreateNewLineFromSocket: (null) -1252017264[b2936b8]: b15a8b0:weasel.finninday.net:NA:ProcessCurrentURL: aborting queued urls -1252017264[b2936b8]: ImapThreadMainLoop leaving [this=b15a8b0] </pre> In this case, I know the problem is that the firewall is denying the connection, but there is nary a clue about that from this log.
Trying to get more information, I turn to courier's logging. /etc/courier/authdaemonrc has a setting like this: <pre>
- NAME: DEBUG_LOGIN:0
- Dump additional diagnostics to syslog
- DEBUG_LOGIN=0 - turn off debugging
- DEBUG_LOGIN=1 - turn on debugging
- DEBUG_LOGIN=2 - turn on debugging + log passwords too
- ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
- Note that most information is sent to syslog at level 'debug', so
- you may need to modify your /etc/syslog.conf to be able to see it.
DEBUG_LOGIN=1 </pre>
But where is the output? I've verified that syslog.conf is correct and restarted authdaemon and syslog. Still nothing shows up in debug.log or syslog. Odd...
Packet sniffer
Using a packet sniffer on the client side I can see the conversation looks like this:
- client says syn
- server says syn ack
- client says ack
- client says "Client Hello" in TLSv1
- server says ack
- server says "Server Hello, Certificate, Server Hello Done" in TLSv1
- client says ack
- client says "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Change Cipher Spec, Encrypted Handshake Message" in TLSv1
- server says "Application Data, Encrypted Alert" in TLSv1
- client says ack
- client says fin, ack
- server says ack
It looks perfectly reasonable and civilized, so why does it result in Thunderbird saying: "not an IMAP4 server"? Something in that "Application Data, Encrypted Alert" message convinced the client that it should give up.
According to wikipedia (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail) my handshake appears to be completely or nearly valid. The part I am unsure about is the step where the client tries to decrypt a test message from the server. The last message I see in TLS is the server's test message. The client responds with an ack, but does that mean "Ack, I got the message and could decrypt it" or "Ack, I got the message and couldn't decrypt it".
Maybe there is nothing wrong with the imap-ssl server.
Remove and reinstall
I tried "apt-get remove courier-ssl", "apt-get purge courier-ssl", and "apt-get install courier-ssl courier-imapd-ssl". Still I'm unable to connect via SSL in thunderbird and get the "not an imapd4 server" error message. But now I can connect via TLS, which might be just fine.