Discussion:
[Courier-imap] Debugging SSL connection shutdowns
Roger B.A. Klorese
22 years ago
How do I debug this:

Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
Sam Varshavchik
22 years ago
Post by Roger B.A. Klorese
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
There's nothing to debug. The connecting client changed its mind.
Brian Candler
22 years ago
Post by Roger B.A. Klorese
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
My guess is it's either a network monitoring box, a load-balancing box, or
someone portscanning; they connect on port 993 to test that it's OK and then
disconnect immediately afterwards.
Nai`a
22 years ago
Post by Brian Candler
Post by Roger B.A. Klorese
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
My guess is it's either a network monitoring box, a load-balancing box, or
someone portscanning; they connect on port 993 to test that it's OK and then
disconnect immediately afterwards.
Or someone got spooked by an "Invalid Certificate" warning and bailed.
Some mail clients don't even give you the option.
Is this a self-signed cert?
Or possibly an expired one?

Any other details you can provide us?

Aloha mai Nai`a!
--
"Micro$oft Delenda Est." http://www.lava.net/~mjwise/
Drew Tomlinson
22 years ago
----- Original Message -----
From: "Brian Candler" <***@pobox.com>
Sent: Wednesday, November 19, 2003 9:14 AM
Post by Brian Candler
Post by Roger B.A. Klorese
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection
shutdown.
Post by Brian Candler
My guess is it's either a network monitoring box, a load-balancing box, or
someone portscanning; they connect on port 993 to test that it's OK and then
disconnect immediately afterwards.
Sorry, I missed the original message. However I get entries like this
with MS Outlook client connections. I don't know why.

Cheers,

Drew
Roger B.A. Klorese
22 years ago
Post by Nai`a
Or someone got spooked by an "Invalid Certificate" warning and bailed.
Some mail clients don't even give you the option.
Is this a self-signed cert?
Or possibly an expired one?
Yes, it's definitely a self-signed cert, and being used with Eudora.
Matt Hyclak
22 years ago
Post by Roger B.A. Klorese
Post by Nai`a
Or someone got spooked by an "Invalid Certificate" warning and bailed.
Some mail clients don't even give you the option.
Is this a self-signed cert?
Or possibly an expired one?
Yes, it's definitely a self-signed cert, and being used with Eudora.
If you have gotten Eudora to use IMAP with SSL to Courier, please let me
know how you did it. I've tried for quite some time now, and ran into a
roadblock with their tech support who couldn't open a tcpdump from ethereal
showing where the SSL negotiation failed. Eudora+POP3S works just fine, but
it chokes on IMAPS.

I don't know how many others have Eudora as an IMAP client, but if you do
have it working, at least I would be interested in knowing how.

Matt
--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
Chris Shenton
22 years ago
Post by Matt Hyclak
Post by Roger B.A. Klorese
Yes, it's definitely a self-signed cert, and being used with Eudora.
If you have gotten Eudora to use IMAP with SSL to Courier, please let me
know how you did it.
Which version of Eudora? One of our techs had no end of trouble doing
some form of SSL/TLS or STARTTLS with SMTP auth with the 5.x version
but said the 6.x version worked. This is with his ISP which is
running courier-imap and qmail+vpopmail.

At HQ we're currently testing courier-imap with forced SSL on port 993
(using nrg4u.com's TLS patches to tcpserver), as well as IMAP on 143
with mandatory STARTTLS.

Similarly with qmail-smtp (nrg4u's qmail-ldap patch suite): SMTPS on
port 465 with mandatory SMTP AUTH, and SMTP+STARTTLS on port 25 with
SMTP AUTH only needed for relaying.


I'd appreciate others' experiences with Eudora in any of these modes;
old Eudora is our current MUA and we need to make sure a modern
version actually works well with various TLS/SSL modes.

Thanks.

PS: I'm not a Eudora user myself, just UNIX, so I can't help with
hands-on, just reporting what our techs and users say. I'm testing
services with Mozilla Mail.
Matt Hyclak
22 years ago
...
5.1 worked with POP3+SSL but would choke after downloading a random number
of messages. You could stop the download and restart it several times and
finally get all of your mail. 5.2 and 6.0 both worked fine with POP3+SSL.
None of the above work at all with IMAP+SSL.
Roger B.A. Klorese
22 years ago
Post by Matt Hyclak
If you have gotten Eudora to use IMAP with SSL to Courier,
please let me
know how you did it.
No, it's POP3S. Sorry.
Roger B.A. Klorese
22 years ago
Of Roger B.A. Klorese
Sent: Tuesday, November 18, 2003 7:12 PM
Subject: [Courier-imap] Debugging SSL connection shutdowns
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
And it turns out that:
- Eudora copes poorly with an unfamiliar root cert
- 5.x craps out silently
- 6.x gives decent error messages but the cure (via "Last SSL Info" button)
doesn't work if it has never negotiated with the site completely
- Eudora's certs can be updated using OpenSSL -- see
http://nic.phys.ethz.ch/readme/52

Manual addition of my cert makes 6.0.1 work properly -- I'll try 5.x when I
get home.
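
An added example, not written by any poster in this thread: a Python script that pairs each "Unexpected SSL connection shutdown." line with the preceding Connection line and tallies both per client address, so addresses that never get past the handshake (monitoring probes, or a client rejecting the certificate, as suggested above) stand apart from clients that do log in. The shutdown line carries no address, so attributing it to the last Connection line from the same host and service is an assumption; every sample line beyond the two quoted in the thread, including the LOGIN line, is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: only the first two lines are quoted from the thread.
SAMPLE = """\
Nov 18 18:36:33 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:36:33 mailbox imapd-ssl: Unexpected SSL connection shutdown.
Nov 18 18:40:01 mailbox imapd-ssl: Connection, ip=[192.0.2.10]
Nov 18 18:40:02 mailbox imapd-ssl: LOGIN, user=alice, ip=[192.0.2.10], protocol=IMAP
Nov 18 18:41:10 mailbox imapd-ssl: Connection, ip=[12.208.155.174]
Nov 18 18:41:10 mailbox imapd-ssl: Unexpected SSL connection shutdown.
Nov 18 18:45:00 mailbox imapd-ssl: Connection, ip=[192.0.2.10]
Nov 18 18:45:00 mailbox imapd-ssl: Unexpected SSL connection shutdown.
""".splitlines()

# syslog prefix: "Mon DD HH:MM:SS host service: message"
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<svc>[^:\s]+):\s(?P<msg>.*)$")
CONN = re.compile(r"^Connection, ip=\[(?P<ip>[^\]]+)\]")
SHUTDOWN = "Unexpected SSL connection shutdown."


def tally(lines):
    """Return {ip: {"connections": n, "shutdowns": m}} for the given log lines."""
    stats = defaultdict(lambda: {"connections": 0, "shutdowns": 0})
    pending = {}  # (host, service) -> address of the last unmatched Connection
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["host"], m["svc"])
        conn = CONN.match(m["msg"])
        if conn:
            stats[conn["ip"]]["connections"] += 1
            pending[key] = conn["ip"]
        elif m["msg"].startswith(SHUTDOWN):
            ip = pending.pop(key, None)  # assumption: belongs to the last Connection
            if ip is not None:
                stats[ip]["shutdowns"] += 1
        else:
            pending.pop(key, None)  # any other message means the session moved on
    return dict(stats)


def never_completed(stats):
    """Addresses whose every connection ended in an SSL shutdown."""
    return sorted(ip for ip, s in stats.items()
                  if s["connections"] and s["connections"] == s["shutdowns"])
```

On a busy server with overlapping connections the attribution is only approximate, so treat the per-address counts as a starting point for checking which client or monitor sits at each address.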
