imapd-ssl: Unexpected SSL connection shutdown.

Discussion in 'Server Operation' started by noahlau, Mar 14, 2006.

  1. noahlau

    noahlau New Member

    Hello all.

    My email server is postfix + courier imap + courier imap ssl + amavis + clamav + spamassassin.

    I am fine when I am using IMAP (port 143) to receive my emails. I can also receive emails with IMAP-SSL (port 993).

    However, I get the error "Unexpected SSL connection shutdown" when I am using IMAP-SSL to receive emails:

    Mar 14 12:56:32 server1 imapd-ssl: Connection, ip=[::ffff:219.79.136.253]
    Mar 14 12:56:32 server1 imapd-ssl: LOGIN, user=noahlau, ip=[::ffff:219.79.136.253], protocol=IMAP
    Mar 14 12:56:33 server1 imapd-ssl: Unexpected SSL connection shutdown.
    Mar 14 12:56:33 server1 imapd-ssl: DISCONNECTED, user=noahlau, ip=[::ffff:219.79.136.253], headers=0, body=0, time=1, starttls=1
    Mar 14 12:56:33 server1 imapd-ssl: Connection, ip=[::ffff:219.79.136.253]
    Mar 14 12:56:33 server1 imapd-ssl: LOGIN, user=noahlau, ip=[::ffff:219.79.136.253], protocol=IMAP
    Mar 14 12:56:33 server1 imapd-ssl: Unexpected SSL connection shutdown.
    Mar 14 12:56:33 server1 imapd-ssl: DISCONNECTED, user=noahlau, ip=[::ffff:219.79.136.253], headers=0, body=2180, time=0, starttls=1

    Any idea? Thank you so much!

    Regards
    noahlau
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you get this error with other email clients too?
     
  3. noahlau

    noahlau New Member

    Yes, I also get this error from other clients too.

    I don't know what the reason is.

    I use Outlook Express 2000 on the client computer.
     
    Last edited: Mar 14, 2006
  4. noahlau

    noahlau New Member

    OK, I think it is an Outlook Express issue, because I got no error after I switched to the Thunderbird email client application.
     
  5. falko

    falko Super Moderator Howtoforge Staff

    Can you run
    Code:
    telnet localhost 25
    and then issue
    Code:
    ehlo localhost
    ? What's the output?

    Which distribution do you use?
     
  6. noahlau

    noahlau New Member

    Thank you for your reply.

    I am using Debian 3.1.

    ehlo localhost
    250-server1.faithfulnet.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250 8BITMIME


    1. The config in /etc/courier/imapd-ssl:

    SSLPORT=993
    SSLADDRESS=0
    SSLPIDFILE=/var/run/courier/imapd-ssl.pid
    IMAPDSSLSTART=YES
    IMAPDSTARTTLS=YES
    IMAP_TLS_REQUIRED=0
    COURIERTLS=/usr/bin/couriertls
    TLS_PROTOCOL=SSL3
    TLS_STARTTLS_PROTOCOL=TLS1
    TLS_CERTFILE=/etc/courier/imapd.pem
    TLS_VERIFYPEER=NONE
    TLS_CACHEFILE=/var/lib/courier/couriersslcache
    TLS_CACHESIZE=524288
    MAILDIRPATH=Maildir

    2. main.cf

    biff = no
    append_dot_mydomain = no
    myhostname = server1.faithfulnet.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = faithfulnet.com, server1.faithfulnet.com, localhost.faithfulnet.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = /usr/bin/maildrop
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    content_filter = amavis:[127.0.0.1]:10024
     
  7. falko

    falko Super Moderator Howtoforge Staff

    Hm, looks ok...
     
  8. airstrip

    airstrip New Member

    Solution for IMAP unexpected shutdown

    This solution may help someone out there with a similar server setup:

    I have an ISPConfig installation on my Debian Sarge machine, running with courier-ssl and postfix, following the instructions from:
    http://www.howtoforge.com/perfect_setup_debian_sarge_p4

    I also had imapd-ssl: Unexpected SSL connection shutdown messages appearing in /var/log/mail.log

    The problem I found was with smtpd.pem file in /etc/postfix/ssl
    If you check the file with this command.

    Code:
    openssl x509 -noout -text -in smtpd.pem
    It will report an error about expecting a TRUSTED certificate.

    The solution is to create a .pem file from your .key and .crt files:
    Code:
    # combine the private key and the certificate into one file
    cat smtpd.key smtpd.crt > smtpd.pem
    # append Diffie-Hellman parameters
    openssl gendh >> smtpd.pem
    Then check the file with:
    Code:
    openssl x509 -noout -text -in smtpd.pem
    This will replace the .pem file that was generated in the perfect setup, and create one that is properly formed and worked on my setup. Hopefully it helps yours.

    Thanks to this ssl cheat sheet, by David Mcnugget:
    http://macnugget.org/projects/sslcheatsheet/

    I've also posted on this issue when installing a RapidSSL cert.
    http://www.howtoforge.com/forums/showthread.php?p=71572#post71572

    Have fun!
     
  9. Ovidiu

    Ovidiu Active Member

    Same problem here as noahlau but I can't apply the solution airstrip posted because I don't have a smtpd.pem file and neither does noahlau.

    Any more info?
     
  10. airstrip

    airstrip New Member

    I had to get into this way back in '09 to install some 'real' ssl certificates. I've forgotten what I was doing then, and maybe my filenames are different to the perfect setup because of my custom work. But the problem with the shutdown was the .pem file, so check it.

    I suggest you do have a .pem file somewhere, perhaps it is here:

    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

    Locate the .pem file and try what I suggested above to check it.

    and I note that I made an error in my post above.
    To create the .pem file you should use this to combine the .key and .crt:

    I'm not an expert, just persistent, and so that's as far as I can help you. Good luck.
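
The check that posts 8 and 10 describe (does the combined .pem really hold a certificate and its private key?), written out as an added example that is not part of any post in this thread. `check_pem`, `demo_key_twice` and the file names are hypothetical; the sample input is a constructed placeholder key block, concatenated twice so that the file contains no certificate.

```shell
#!/bin/sh
# check_pem FILE  (hypothetical helper, added example)
#   0 = private key and certificate present (and matching, when openssl is installed)
#   1 = file unreadable, or private key / certificate block missing
#   2 = private key and certificate do not belong together
#   3 = blocks present but openssl cannot parse them
check_pem() {
    pem=$1
    [ -r "$pem" ] || return 1
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    dh=$(grep -c -e '^-----BEGIN DH PARAMETERS-----' "$pem" || true)
    echo "$pem: private keys=$keys certificates=$certs DH parameters=$dh"
    if [ "$keys" -lt 1 ] || [ "$certs" -lt 1 ]; then
        echo "  incomplete: a combined file needs a private key and a certificate"
        return 1
    fi
    # Without the openssl binary only the structure can be checked.
    command -v openssl >/dev/null 2>&1 || return 0
    # The public key stored in the certificate must equal the public key
    # derived from the private key; otherwise the pair does not match.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 2
    return 0
}

# Constructed sample: one key block concatenated twice, so the combined
# file holds no certificate. The key body is a placeholder, not real data.
demo_key_twice() {
    dir=$(mktemp -d) || return 9
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$dir/example.key"
    cat "$dir/example.key" "$dir/example.key" > "$dir/combined.pem"
    check_pem "$dir/combined.pem"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_key_twice || echo "check_pem returned $?"
```

For the IMAP side of this thread, the file to check is the one named by TLS_CERTFILE in /etc/courier/imapd-ssl (/etc/courier/imapd.pem in the configuration posted above).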
     
  11. TiTex

    TiTex Member

    Isn't it easier to just get a free certificate from http://cert.startcom.org/ or www.cacert.org?
    However, you can always generate a self-signed certificate.

    This will generate a single file, cert.pem, in your home dir, containing your certificate and private key:
    Code:
    openssl req -new -x509 -days 1000 -nodes -out ~/cert.pem -keyout ~/cert.pem
    or separate cert and key

    Code:
    openssl req -new -x509 -days 1000 -nodes -out ~/cert.pem -keyout ~/key.pem
     
    Last edited: Jun 21, 2012
