Courier likes 995/SSL, doesn't like 110/TLS.

Discussion in 'HOWTO-Related Questions' started by torg, Jan 18, 2010.

  1. torg

    torg New Member

    So, everything is working, the birds are singing, there's a spring in my step.

    Almost.

    I can login and collect mail fine if I configure Thunderbird to use SSL on port 995, but if I switch to TLS on port 110, all I get in maillog is
    Code:
    postfix/master[23325]: daemon started -- version 2.6.5, configuration /etc/postfix
    pop3d: Connection, ip=[::ffff:192.168.1.2]
    pop3d: Disconnected, ip=[::ffff:192.168.1.2]
    
    Thunderbird reports 'Unable to establish a TLS connection to POP3 server. [...]'.

    (How can I control the log-levels of pop3d and pop3d-ssl? I don't have much to go on.)

    So, what's going on here? How can I tell Courier to listen to TLS on 110?

    Thanks,
     
  2. Mark_NL

    Mark_NL Member

    What's the content of your main.cf?
     
  3. torg

    torg New Member

    main.cf? Doesn't that control Postfix?

    Anyway,
    Code:
    [root@torg ~]# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 7
    debug_peer_list = $myhostname $mydomain
    home_mailbox = Maildir/
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = localhost, localhost.localdomain
    mydomain = $myhostname
    myhostname = mydomain.com
    mynetworks = 192.168.1.0/24
    mynetworks_style = subnet
    newaliases_path = /usr/bin/newaliases.postfix
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.5/README_FILES
    relay_domains =
    relayhost = smtp1.bethere.co.uk:25
    sample_directory = /usr/share/doc/postfix-2.6.5/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_loglevel = 3
    smtpd_tls_security_level = encrypt
    smtpd_use_tls = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_uid_maps = static:5000
    
     
  4. Mark_NL

    Mark_NL Member

    Aw crap... I mean Courier :)

    /etc/courier/pop3d

    there's a setting called POP3AUTH_TLS= ""
     
  5. torg

    torg New Member

    Code:
    [root@torg ~]# sed '/^\#/d' /etc/courier/pop3d | sed '/^$/d'
    PIDFILE=/var/spool/courier/tmp/pop3d.pid
    MAXDAEMONS=40
    MAXPERIP=4
    POP3AUTH=""
    POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
    POP3AUTH_TLS=""
    POP3AUTH_TLS_ORIG="LOGIN PLAIN"
    POP3_PROXY=0
    PORT=110
    ADDRESS=0
    TCPDOPTS="-nodnslookup -noidentlookup"
    LOGGEROPTS="-name=pop3d"
    POP3DSTART=YES
    MAILDIRPATH=Maildir
    
    and
    Code:
    [root@torg ~]# sed '/^\#/d' /etc/courier/pop3d-ssl | sed '/^$/d'
    SSLPORT=995
    SSLADDRESS=0
    SSLPIDFILE=/var/spool/courier/tmp/pop3d-ssl.pid
    SSLLOGGEROPTS="-name=pop3d-ssl"
    POP3DSSLSTART=YES
    POP3_STARTTLS=YES
    POP3_TLS_REQUIRED=1
    COURIERTLS=/usr/lib/courier/bin/couriertls
    TLS_STARTTLS_PROTOCOL=TLS1
    TLS_KX_LIST=ALL
    TLS_COMPRESSION=ALL
    TLS_CERTS=X509
    TLS_CERTFILE=/usr/lib/courier/share/pop3d.pem
    TLS_TRUSTCERTS=/etc/pki/tls/cert.pem
    TLS_VERIFYPEER=NONE
    TLS_CACHEFILE=/var/spool/courier/couriersslcache
    TLS_CACHESIZE=524288
    MAILDIRPATH=Maildir
    
    I tried setting POP3AUTH_TLS="LOGIN", but that had no effect. I don't want to fiddle, 'cos I'll only break things.

    Where should I be looking, exactly?
     
  6. esmiz

    esmiz Member

    Hi Torg

    Did you finally fix it?
    I'm having the exact same issue on a server running Debian. TLS doesn't want to work. Thunderbird says:

    An error occurred during a connection to mail.server1.com:110.
    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

    Config files pop3d and pop3d-ssl are default from ispconfig 3

    Regards
     
  7. esmiz

    esmiz Member

    Courier pop tls problem

    Hi there

    Apparently Courier is not sending a valid certificate. Doing this from outside:

    openssl s_client -connect mail.larawines.com:pop3s -starttls pop3

    I get

    CONNECTED(00000003)
    21206:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    Running the same command within the server, I get:

    CONNECTED(00000003)
    write:errno=32

    This is what I see in syslog:

    Feb 11 03:36:04 ks363572 pop3d-ssl: couriertls: /etc/ssl/certs/70cdada4.0: No such file or directory


    It's quite weird because I have another server, also running Debian Lenny 64-bit with the same settings, that works well.
    It's a self-signed certificate and I have recreated it many times, but that shouldn't matter, should it?

    Does anyone have any clue?

    Regards
     
    Last edited: Feb 11, 2010
  8. esmiz

    esmiz Member

    Good afternoon

    Well, finally the problem seems to be solved. And it had an easy solution, just:

    aptitude purge ca-certificates ssl-cert courier-ssl courier-imap-ssl courier-pop-ssl

    and after that

    aptitude install ca-certificates ssl-cert courier-ssl courier-imap-ssl courier-pop-ssl

    That was the last thing I wanted to do because I thought that uninstalling things could have nasty effects on the rest of the ispconfig 3 setup, but everything seems to be still working.

    It looks like the default certificates that Courier makes during reinstallation work, but not the ones I do myself. I'd like to understand why, but on second thought I'm happy and just hope the problem is really fixed.

    Regards
     
  9. alexlehm

    alexlehm New Member

    Sorry for warming up an old thread, but I have the problem with the same symptoms but a different cause, so I am writing this solution as well.

    STLS was missing in the CAPA reply on pop3/110
    Code:
    +OK Hello there.
    capa
    +OK Here's what I can do:
    SASL PLAIN LOGIN CRAM-MD5
    TOP
    USER
    LOGIN-DELAY 10
    PIPELINING
    UIDL
    IMPLEMENTATION Courier Mail Server
    .
    quit
    
    after adding the line to pop3d
    Code:
    POP3_STARTTLS=YES
    it works.
     
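The check alexlehm describes above, as an added example that is not part of the thread and not Courier's own code: a small Python probe that connects to the cleartext POP3 port, parses the CAPA reply for STLS (RFC 2449), upgrades with STLS and reads CAPA again over TLS. It also classifies the first bytes a client receives, which is the difference between port 110 (a cleartext `+OK` greeting, then optional STARTTLS) and port 995 (TLS from the first byte); a client configured for implicit TLS that receives `+OK Hello there.` instead of a TLS record is the classic source of the ssl_error_rx_record_too_long message in esmiz's post. The host name, the `verify` flag and the two embedded CAPA replies are assumptions: the first reply copies the one posted above (no STLS), the second is the same reply with STLS inserted.

```python
"""Check whether a POP3 listener offers STARTTLS (the STLS capability of
RFC 2449) and, if so, upgrade the connection and re-read CAPA over TLS.

Added example for this thread, not code from Courier or from any poster.
The two CAPA replies below are constructed: the first copies the reply
alexlehm posted (no STLS), the second is the same reply with STLS added."""
import socket
import ssl

CAPA_NO_STLS = (
    b"+OK Here's what I can do:\r\n"
    b"SASL PLAIN LOGIN CRAM-MD5\r\nTOP\r\nUSER\r\nLOGIN-DELAY 10\r\n"
    b"PIPELINING\r\nUIDL\r\nIMPLEMENTATION Courier Mail Server\r\n.\r\n"
)
CAPA_WITH_STLS = CAPA_NO_STLS.replace(b"TOP\r\n", b"STLS\r\nTOP\r\n")


def parse_capa(reply: bytes) -> dict:
    """Parse a CAPA response into {CAPABILITY: [arguments]}.

    The response is '+OK ...' followed by one capability per line and a
    lone '.' terminator; a line starting with '..' is dot-stuffed."""
    lines = reply.decode("ascii", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA rejected or unsupported: %r" % (lines[:1],))
    caps = {}
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):
            line = line[1:]
        name, _, args = line.partition(" ")
        if name:
            caps[name.upper()] = args.split()
    return caps


def offers_stls(reply: bytes) -> bool:
    """True if the server advertises STLS, i.e. STARTTLS on the plain port."""
    return "STLS" in parse_capa(reply)


def classify_first_bytes(data: bytes) -> str:
    """Tell a cleartext POP3 greeting from the start of a TLS record.

    A plain POP3 port (110) greets with '+OK ...'; an implicit-TLS port
    (995) sends nothing until the client's ClientHello and then answers
    with a TLS record: content type 0x16 (handshake) or 0x15 (alert),
    followed by version major 0x03.  A client that expects TLS but
    receives '+OK' is the mismatch behind ssl_error_rx_record_too_long."""
    if data.startswith(b"+OK") or data.startswith(b"-ERR"):
        return "cleartext-pop3"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"
    return "unknown"


def _read_line(sock: socket.socket) -> bytes:
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _read_capa(sock: socket.socket) -> bytes:
    """Read a CAPA reply: status line, then lines up to the lone '.'."""
    status = _read_line(sock)
    if not status.startswith(b"+OK"):
        return status
    body = b""
    while True:
        line = _read_line(sock)
        body += line
        if line == b".\r\n":
            return status + body


def probe_starttls(host: str, port: int = 110, timeout: float = 10.0,
                   verify: bool = True) -> dict:
    """Connect in cleartext, check CAPA for STLS, upgrade, and CAPA again.

    verify=False only for testing a self-signed certificate like the one
    in the thread; never leave that in a real client.  Returns the
    capabilities seen before and after the upgrade and the TLS version."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as plain:
        greeting = _read_line(plain)
        if classify_first_bytes(greeting) != "cleartext-pop3":
            raise RuntimeError("port %d is not a cleartext POP3 port" % port)
        plain.sendall(b"CAPA\r\n")
        before = parse_capa(_read_capa(plain))
        if "STLS" not in before:
            return {"greeting": greeting, "before": before, "tls": None}
        plain.sendall(b"STLS\r\n")
        if not _read_line(plain).startswith(b"+OK"):
            raise RuntimeError("server refused STLS after advertising it")
        # wrap_socket takes over the file descriptor; the TLS handshake
        # runs here, after the cleartext STLS exchange.
        with ctx.wrap_socket(plain, server_hostname=host) as tls:
            tls.sendall(b"CAPA\r\n")
            after = parse_capa(_read_capa(tls))
            tls.sendall(b"QUIT\r\n")
            return {"greeting": greeting, "before": before,
                    "after": after, "tls": tls.version()}
```

Run `probe_starttls("mail.example.com", 110, verify=False)` against a server with a self-signed certificate (the host name is a placeholder). With a pop3d like torg's, where the CAPA reply has no STLS, it returns `"tls": None`; after the `POP3_STARTTLS=YES` change alexlehm made, it returns the negotiated TLS version and the capability list seen after the upgrade. The command-line equivalent is `openssl s_client -connect host:110 -starttls pop3` for STARTTLS and `openssl s_client -connect host:995` without `-starttls` for implicit TLS; the `pop3s -starttls pop3` combination in post 7 is not valid for either port.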