Discussion:
[Courier-imap] How to get back STARTTLS on IMAP with Courier?
t***@txbweb.de
2016-07-31 13:13:30 UTC
Hello,

I have a mailserver with Debian/Postfix/Courier/MySQL/Spamassassin, and
I need to disable STARTTLS in Thunderbird to get access to my mailserver
again, but I don't have to disable it for SMTP!

***@ubuntu14:~$ openssl s_client -starttls imap -connect mail.txbweb.de:143
CONNECTED(00000003)
3074164412:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 444 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

SSL23_GET_SERVER_HELLO:unknown protocol ???

On port 25 I get information about my certificate (openssl s_client
-starttls smtp -connect mail.txbweb.de:25)

And when I enter

***@ubuntu14:~$ openssl s_client -starttls imap -connect mail.txbweb.de:143 -tls1_2
CONNECTED(00000003)
3073910460:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 442 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1469968236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

I get a wrong version number message.

I've created the certificate for IMAP like this:

# cat /etc/ssl/private/mail.txbweb.de.key /etc/ssl/certs/mail.txbweb.de.20160719.crt /etc/ssl/certs/startcom_intermediate_sca.server1.crt > /etc/courier/imapd_startcom_20160719.crt

nano /etc/courier/imapd-ssl

TLS_CERTFILE=/etc/courier/imapd_startcom_20160719.crt

TLS_TRUSTCERTS=/etc/ssl/certs

and DH Params like this

# DH_BITS=1024 or 2048 mkdhparams

nano /etc/courier/imapd-ssl

TLS_DHPARAMS=/etc/courier/dhparams.pem

I have no idea why I get this error for IMAP. Can anybody give me a hint?
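The two openssl errors above ("unknown protocol" and "wrong version number") both mean the same thing: after the client's STARTTLS command was acknowledged, the bytes that came back were not a TLS handshake record. The following is an added example (not from this thread or from Courier) that reproduces the client side of that exchange against a constructed in-process fake IMAP server over a socketpair, so it runs offline; the fake TLS record bytes and the helper names (probe_imap_starttls, classify_first_bytes) are assumptions of this example.

```python
"""Probe an IMAP server's STARTTLS handling and classify what comes back.

Added example, not from the thread. The server side is a constructed fake
that speaks just enough IMAP to accept STARTTLS; no real TLS is negotiated.
"""
import socket
import threading

# Constructed stand-ins for real handshake records: a TLS record header
# (content type 0x16 = handshake, version 0x03 0x0x, 2-byte length) and a
# 4-byte dummy body. Real ClientHello/ServerHello bodies are far longer.
FAKE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 04 01 00 00 00")
FAKE_SERVER_HELLO = bytes.fromhex("16 03 03 00 04 02 00 00 00")


def classify_first_bytes(data: bytes) -> str:
    """Name what arrived where a TLS ServerHello record was expected.

    openssl s_client needs a handshake record here. If the server keeps
    talking plain IMAP (or closes), s_client reports 'unknown protocol' or
    'wrong version number' depending on which bytes land in the header.
    """
    if not data:
        return "connection-closed"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake-record"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if all(32 <= b < 127 or b in (10, 13) for b in data):
        return "plaintext"
    return "unrecognised"


def read_line(sock: socket.socket) -> bytes:
    """Read one LF-terminated line byte by byte, so nothing is read ahead."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def fake_imap_server(sock: socket.socket, after_starttls: bytes) -> None:
    """Constructed server: greets, accepts STARTTLS, then emits after_starttls."""
    with sock:
        sock.sendall(b"* OK IMAP4rev1 ready\r\n")
        tag, _, command = read_line(sock).strip().partition(b" ")
        if command.upper() != b"STARTTLS":
            sock.sendall(tag + b" BAD unexpected command\r\n")
            return
        sock.sendall(tag + b" OK Begin TLS negotiation now.\r\n")
        sock.recv(4096)  # swallow the client's hello; a real server would parse it
        sock.sendall(after_starttls)


def probe_imap_starttls(after_starttls: bytes) -> dict:
    """Run the client side of the exchange and classify the server's reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_imap_server, args=(server, after_starttls))
    worker.start()
    with client:
        greeting = read_line(client)
        client.sendall(b"a001 STARTTLS\r\n")
        reply = read_line(client)
        if not reply.startswith(b"a001 OK"):
            verdict = "starttls-refused"
        else:
            client.sendall(FAKE_CLIENT_HELLO)
            verdict = classify_first_bytes(client.recv(4096))
    worker.join()
    return {"greeting": greeting.strip(), "starttls_reply": reply.strip(),
            "after_starttls": verdict}


if __name__ == "__main__":
    print(probe_imap_starttls(FAKE_SERVER_HELLO))              # healthy server
    print(probe_imap_starttls(b"* BYE TLS setup failed\r\n"))  # plaintext where TLS was expected
```

Against a real host the same classification can be done by hand: `openssl s_client -starttls imap -connect host:143 -msg` prints the raw records it receives, and a verdict of "plaintext" or "connection-closed" points at the server's TLS setup (certificate file, DH parameters, protocol setting) rather than at the client.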
Sam Varshavchik
2016-07-31 13:53:30 UTC
Post by t***@txbweb.de
143
CONNECTED(00000003)
3074164412:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
This indicates a protocol mismatch. Check the TLS_PROTOCOL setting.
Additionally, check the version of Courier that you're running, and update
to the current version, if necessary.
t***@txbweb.de
2016-07-31 14:43:08 UTC
Post by Sam Varshavchik
mail.txbweb.de: 143
CONNECTED(00000003)
3074164412:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
This indicates a protocol mismatch. Check the TLS_PROTOCOL setting.
Additionally, check the version of Courier that you're running, and
update to the current version, if necessary.
The variable TLS_PROTOCOL was unset. So I tried to set it to TLS1.2, but
I get the same error.

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
# Leave it unset to use any protocol except SSL 2.

TLS_PROTOCOL=TLS1.2

My Debian is "up to date". Yesterday I already checked it with aptitude
update && aptitude safe-upgrade. The version of courier-imap-ssl is
4.15-1.6. I've already reinstalled courier*. I don't know what is broken.
Two weeks ago I just had to renew my certificates, same procedure as
every year. But this time I get the error.

------------------------------------------------------------------------------
Sam Varshavchik
2016-07-31 15:04:56 UTC
Post by t***@txbweb.de
The variable TLS_PROTOCOL was unset. So I tried to set it to TLS1.2, but
I get the same error.
No, leave the setting at the default value. Before attempting to restrict
the configuration to a specific protocol, get it working for the generic
default case.

Also check TLS_STARTTLS_PROTOCOL too. TLS_PROTOCOL is for imapd-ssl,
TLS_STARTTLS_PROTOCOL is for imap with STARTTLS.
Post by t***@txbweb.de
My Debian is "up to date". Yesterday I already checked it with aptitude
update && aptitude safe-upgrade. The version of courier-imap-ssl is
4.15-1.6. I've already reinstalled courier*. I don't know what is broken.
That version is almost two years old. The current version is 4.17.1.
Post by t***@txbweb.de
Two weeks ago I just had to renew my certificates, same procedure as
every year. But this time I get the error.
I don't know offhand if a certificate can restrict the list of allowed
ciphers and/or cipher strength. In 4.16 the default length of DH parameters
was changed from 512 to 2048 bits; perhaps current certs require strong
ciphers, and 2048 bit DH parameters.

Try regenerating DH parameters by rerunning the mkdhparams script, setting
the DH_BITS environment variable to 2048, before running the script.
t***@txbweb.de
2016-07-31 15:48:27 UTC
I use the default config file of imapd-ssl. I just defined the path to
the certificate. The other variables you mentioned aren't set and I
already generated a stronger dhparam.pem. Last year I already was
affected by a "bug"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1183650#c27) and a
stronger dhparam.pem was the solution. I repeated it with

***@txbweb /etc/ssl/certs # rm /etc/courier/dhparams.pem
***@txbweb /etc/ssl/certs # DH_BITS=2048 mkdhparams

This time, it doesn't help. The output of "openssl s_client -starttls
imap -connect mail.txbweb.de:143" should be the same as "openssl
s_client -starttls smtp -connect mail.txbweb.de:25", right? Very
confusing.
------------------------------------------------------------------------------
_______________________________________________
Courier-imap mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
------------------------------------------------------------------------------
Sam Varshavchik
2016-07-31 16:32:48 UTC
Post by t***@txbweb.de
I use the default config file of imapd-ssl. I just defined the path to
the certificate. The other variables you mentioned aren't set and I
already generated a stronger dhparam.pem. Last year I already was
affected by a "bug"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1183650#c27) and a
stronger dhparam.pem was the solution. I repeated it with
This time, it doesn't help. The output of "openssl s_client -starttls
imap -connect mail.txbweb.de:143" should be the same as "openssl
s_client -starttls smtp -connect mail.txbweb.de:25", right? Very
confusing.
They use different configuration files: imapd-ssl versus esmtpd-ssl.

There must be some different config settings between them. In the end, it's
the same SSL wrapper binary, couriertls, that negotiates the SSL connection
based on the settings in each environment. Each configuration file is a
slightly disguised shell script whose only purpose is to set the environment
variables, which are read by couriertls to configure an SSL connection.

If the settings are identical, the end result should be the same. couriertls
does not know and does not care whether the connection is for SMTP or IMAP.
t***@txbweb.de
2016-07-31 17:08:06 UTC
For testing I've set the two variables TLS_CERTFILE and TLS_DHPARAMS to
non-existent files (last char deleted), but I don't get any error
messages when restarting imap-ssl.

TLS_CERTFILE=/etc/courier/imapd_startcom_20160719.cr
TLS_DHPARAMS=/etc/courier/dhparams.pe


And when I set the variable smtpd_tls_cert_file in main.cf of Postfix to
a non-existent cert file (last char deleted),

smtpd_tls_cert_file = /etc/ssl/certs/mail.txbweb.de.20160719.cr


I get the same unknown protocol error message!

openssl s_client -starttls smtp -connect mail.txbweb.de:25
CONNECTED(00000003)
3074377404:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 330 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE


This means that courier doesn't read my certificate even when it is set
correctly? Is

"cat /etc/ssl/private/mail.txbweb.de.key
/etc/ssl/certs/mail.txbweb.de.20160719.crt
/etc/ssl/certs/startcom.sca.server2.crt >
/etc/courier/imapd_startcom_20160719.crt"

still the correct method to create the cert file for courier-imap-ssl?
Sam Varshavchik
2016-07-31 17:18:52 UTC
Post by t***@txbweb.de
For testing I've set the two variables TLS_CERTFILE and TLS_DHPARAMS to
non-existent files (last char deleted), but I don't get any error
messages when restarting imap-ssl.
TLS_CERTFILE=/etc/courier/imapd_startcom_20160719.cr
TLS_DHPARAMS=/etc/courier/dhparams.pe
And when I set the variable smtpd_tls_cert_file in main.cf of Postfix to
a non-existent cert file (last char deleted),
smtpd_tls_cert_file = /etc/ssl/certs/mail.txbweb.de.20160719.cr
This means that courier doesn't read my certificate even when it is set
correctly? Is
courier doesn't read the certificate until an actual SSL connection gets
established.
Post by t***@txbweb.de
"cat /etc/ssl/private/mail.txbweb.de.key
/etc/ssl/certs/mail.txbweb.de.20160719.crt
/etc/ssl/certs/startcom.sca.server2.crt >
/etc/courier/imapd_startcom_20160719.crt"
still the correct method to create the cert file for courier-imap-ssl?
Looks ok to me. I can never remember whether the intermediate cert must come
first, or last. If this worked before, then it should work now.
t***@txbweb.de
2016-07-31 20:14:20 UTC
I changed my Debian/Jessie to testing and it is working again:

openssl s_client -starttls imap -connect mail.txbweb.de:143

I can use STARTTLS again in Thunderbird for IMAP. I didn't make a full
dist-upgrade, I just modified the name jessie in /etc/apt/sources.list
and entered apt-get update && apt-get upgrade. So I got only half of the
new packages. And most of the mail-related packages have been kept
back. LOL?

***@txbweb ~ # apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
apache2 apache2-bin apache2-data apache2-utils apt apt-utils aptitude
aptitude-common bind9-host btrfs-tools build-essential clamav
clamav-base clamav-daemon clamav-freshclam clamdscan
courier-authdaemon courier-authlib courier-authlib-mysql
courier-authlib-userdb courier-base courier-imap courier-imap-ssl
courier-ssl cpp cpp-4.9 curl dbus debugedit dmeventd dmsetup dnsutils

It's still courier version 4.15-1.6

Maybe the installation of the other packages fixed a broken system? I
will never know. It's only a virtual server and the hoster resets the
servers irregularly for maintenance, and maybe that's not good for a
mail system.
Thomas Barth
2016-08-01 10:53:51 UTC
Hello Sam,

one short question. I did a dist-upgrade on my Debian system and now I
have courier-imap-ssl version 4.17.1+0.76.1-3

During the installation I got some hints for Courier

The Courier MTA packaging has been extensively rewritten and
major changes had been done to the default setup of Courier MTA.
The default user and group for Courier MTA has been changed to
courier:courier. The package tries hard to make all files belong
to correct user:group and the permissions on those files are
correct, but if you have a non-default setup, you will have to
make sure that:

+ All file owners and file in /etc/courier and /var/lib/courier
are correctly set.
+ MAILUSER and MAILGROUP settings in /etc/courier/esmtpd is set to
correct user and group, both has to be set to `courier'.


I've changed the file owners to courier.courier.
/etc/courier/esmtpd doesn't exist because the mail user and group are
defined in a MySQL DB.

There seems to be another difference. I always restarted the mailsystem
with a script:

/root/scripts/mailserver_restart.sh
#!/bin/bash

/etc/init.d/postfix restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/saslauthd restart

But now I don't get an OK result for courier-imap and courier-imap-ssl

[ ok ] Restarting postfix (via systemctl): postfix.service.
[....] Restarting Courier IMAP server: imapd.
[ ok ] Restarting Courier authentication services: authdaemond.
[....] Restarting Courier IMAP server (TLS): imapd-ssl.
[ ok ] Restarting saslauthd (via systemctl): saslauthd.service.

***@txbweb ~ # /etc/init.d/courier-imap-ssl start
[....] Starting Courier IMAP server (TLS): imapd-ssl.
***@txbweb ~ # /etc/init.d/courier-imap-ssl status
[FAIL] imapd-ssl is not running ... failed!

There is no error message in syslog or messages, but I can see the
running files in /run/courier/

***@txbweb ~ # ls -al /run/courier/
total 8
drwxrwxr-x 3 root courier 140 Aug 1 12:48 .
drwxr-xr-x 24 root root 740 Aug 1 11:40 ..
drwxr-xr-x 2 courier courier 80 Aug 1 12:46 authdaemon
-rw-r--r-- 1 root root 5 Aug 1 12:46 imapd.pid
-rw------- 1 root root 0 Aug 1 12:46 imapd.pid.lock
-rw-r--r-- 1 root root 5 Aug 1 12:48 imapd-ssl.pid
-rw------- 1 root root 0 Aug 1 12:10 imapd-ssl.pid.lock

The mail system works normally. So I don't need to start
courier-imap-ssl or courier-imap separately anymore?
Sam Varshavchik
2016-08-02 10:51:36 UTC
The mail system works normally. So I don't need to start courier-imap-ssl
or courier-imap separately anymore?
I'm not familiar with Debian's packaging. You should try contacting either
the Debian package maintainer, or ask on the Debian mailing list.
l***@captainnet.net
2017-02-06 21:01:07 UTC
Hi
I'm trying to build imap on osx 10.12 (Sierra)
The last version of courier-imap 4.17.3 that I could build is with
openssl-1.0.2h without any error.
However OpenSSL 1.1.+ gives me a multitude of errors. I wonder if it's
supported?




libcouriertls.c:164:41: error: incomplete definition of type 'struct
stack_st_X509'
if (peer_cert_chain && peer_cert_chain->stack.num > 0)
~~~~~~~~~~~~~~~^

libcouriertls.c:166:36: error: incomplete definition of type 'struct
stack_st_X509'
X509 *xx=(X509 *)peer_cert_chain->stack.data[0];
~~~~~~~~~~~~~~~^


libcouriertls.c:429:39: error: incomplete definition of type 'struct
stack_st_X509_NAME'
for (i=0; client_cas && i<client_cas->stack.num; i++)
~~~~~~~~~~^

libcouriertls.c:431:43: error: incomplete definition of type 'struct
stack_st_X509_NAME'
X509_NAME *cert=(X509_NAME
*)client_cas->stack.data[i];
~~~~~~~~~~^

libcouriertls.c:434:9: error: incomplete definition of type 'struct x509_st'
x->cert_info->issuer) == 0)
~^

libcouriertls.c:438:37: error: incomplete definition of type 'struct
stack_st_X509_NAME'
if (!client_cas || i >= client_cas->stack.num)
~~~~~~~~~~^


libcouriertls.c:858:28: error: incomplete definition of type 'struct
ssl_session_st'
size_t session_id_len=sess->session_id_length;
~~~~^


libcouriertls.c:969:29: error: incomplete definition of type 'struct
ssl_session_st'
wi.id=(unsigned char *)sess->session_id;
~~~~^

libcouriertls.c:970:16: error: incomplete definition of type 'struct
ssl_session_st'
wi.id_len=sess->session_id_length;
~~~~^


libcouriertls.c:1484:49: error: incomplete definition of type 'struct
stack_st_X509'
for (i=0; peer_cert_chain &&
i<peer_cert_chain->stack.num; i++)
~~~~~~~~~~~~~~~^

libcouriertls.c:1485:37: error: incomplete definition of type 'struct
stack_st_X509'
dump_x509((X509 *)peer_cert_chain->stack.data[i],
~~~~~~~~~~~~~~~^

libcouriertls.c:1663:24: error: incomplete definition of type 'struct
x509_st'
p=X509_NAME_oneline(x->cert_info->subject, NULL, 0);
~^
/usr/local/include/openssl/ossl_typ.h:119:16: note: forward declaration
of 'struct x509_st'
typedef struct x509_st X509;
^
6 warnings and 13 errors generated.
make[3]: *** [libcouriertls.lo] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
107-135-124-10:courier-imap-4.17.3 courier$
--
Best,

George

Captainnet.net
--------------
1.818.396.7878
Sam Varshavchik
2017-02-07 02:30:47 UTC
Post by l***@captainnet.net
Hi
I'm trying to build imap on osx 10.12 (Sierra)
The last version of courier-imap 4.17.3 that I could build is with
openssl-1.0.2h without any error.
However OpenSSL 1.1.+ gives me a multitude of errors. I wonder if it's
supported?
I have not yet built with openssl 1.1.

Looking over the list of the compilation errors, and after poring over the
skimpy openssl documentation, the fixes appear to be fairly simple. I can
still build successfully with 1.0, so I can test them with 1.0, at least.