TLS errors after upgrade to 0.63


TLS errors after upgrade to 0.63

by Bowie Bailey

I upgraded one of my Courier servers from 0.62.1 to 0.63.0 this
morning.  After the upgrade, my Thunderbird client (WinXP, Thunderbird
2.0.0.23) started giving SSL errors for the IMAP account.  So far, I
have not been able to find any SSL settings in imap-ssl that will work.

With TLS_PROTOCOL commented out or set to SSL23, I get this:
Thunderbird error:
    Thunderbird can't connect securely to bucmail.buc.com because the site uses a security protocol which isn't enabled.
Courier error:
    imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Setting TLS_PROTOCOL to SSL3 or TLS1, I can get the list of messages and
Thunderbird does not report any errors, but I cannot view the messages.
Courier error:
    imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Changing TLS_CIPHER_LIST does not seem to have any effect (I set it to
ALL with the same results).  I am using OpenSSL as far as I know.

I searched Google, and found several similar questions, but either there
was no answer, or the answer given did not work for me.

Any suggestions?

--
Bowie

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
courier-users mailing list
courier-users@...
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: TLS errors after upgrade to 0.63

by Bowie Bailey

Bowie Bailey wrote:

> I upgraded one of my Courier servers from 0.62.1 to 0.63.0 this
> morning.  After the upgrade, my Thunderbird client (WinXP, Thunderbird
> 2.0.0.23) started giving SSL errors for the IMAP account.  So far, I
> have not been able to find any SSL settings in imap-ssl that will work.
>
> With TLS_PROTOCOL commented out or set to SSL23, I get this:
> Thunderbird error:
>     Thunderbird can't connect securely to bucmail.buc.com because the site uses a security protocol which isn't enabled.
> Courier error:
>     imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Setting TLS_PROTOCOL to SSL3 or TLS1, I can get the list of messages and
> Thunderbird does not report any errors, but I cannot view the messages.
> Courier error:
>     imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Changing TLS_CIPHER_LIST does not seem to have any effect (I set it to
> ALL with the same results).  I am using OpenSSL as far as I know.
>
> I searched Google, and found several similar questions, but either there
> was no answer, or the answer given did not work for me.
>
> Any suggestions?
>  

I figured it out.  Apparently, the upgrade removed the reference to my
certificate in the config file.  I replaced the TLS_CERTFILE line and
everything is back to normal.  The auto-generated certificate was in the
default location, but didn't work for some reason.

The real question is why did the rpm install change the config file
without creating an rpmsave file?  The rpm was built on the local
machine from the provided spec file.  Checking the other files reveals
that my TLS_CERTFILE line was removed from esmtpd-ssl and pop3d-ssl as
well.  What happened?

--
Bowie


Re: TLS errors after upgrade to 0.63

by Sam Varshavchik

Bowie Bailey writes:

> I figured it out.  Apparently, the upgrade removed the reference to my
> certificate in the config file.  I replaced the TLS_CERTFILE line and
> everything is back to normal.  The auto-generated certificate was in the
> default location, but didn't work for some reason.

That depends on how you specified the certificate file in the configuration
file. The configuration files are not exactly free-form; their contents need
to follow a specific structure, in order for them to be properly updated by
an upgrade.

> The real question is why did the rpm install change the config file
> without creating an rpmsave file?

My spec files don't work that way. If the config files are properly
structured, only the relevant bits of the configuration files should get
updated, rather than getting summarily replaced and backed up with .rpmsave.


Re: TLS errors after upgrade to 0.63

by Bowie Bailey

Sam Varshavchik wrote:

> Bowie Bailey writes:
>
>> I figured it out.  Apparently, the upgrade removed the reference to my
>> certificate in the config file.  I replaced the TLS_CERTFILE line and
>> everything is back to normal.  The auto-generated certificate was in the
>> default location, but didn't work for some reason.
>
> That depends on how you specified the certificate file in the
> configuration file. The configuration files are not exactly free-form;
> their contents need to follow a specific structure, in order for them
> to be properly updated by an upgrade.

What I generally do is leave the commented default line as a reference
and add my config line directly beneath it.  Should that cause problems?

For example, here is a section from the current config file:

##NAME: TLS_CERTFILE:0
#
<lots more comments go here>
#
# DEFAULT SETTING from /etc/courier/imapd-ssl.dist:
#
#TLS_CERTFILE=/usr/lib/courier/share/imapd.pem
#
TLS_CERTFILE=/etc/certs/bucmail.pem

I just added the last line at the end of the comments for the section.
Will that get squashed on the next update?  What is the correct way to
do it?

--
Bowie


Re: TLS errors after upgrade to 0.63

by Sam Varshavchik

Bowie Bailey writes:

> Sam Varshavchik wrote:
>> Bowie Bailey writes:
>>
>>> I figured it out.  Apparently, the upgrade removed the reference to my
>>> certificate in the config file.  I replaced the TLS_CERTFILE line and
>>> everything is back to normal.  The auto-generated certificate was in the
>>> default location, but didn't work for some reason.
>>
>> That depends on how you specified the certificate file in the
>> configuration file. The configuration files are not exactly free-form;
>> their contents need to follow a specific structure, in order for them
>> to be properly updated by an upgrade.
>
> What I generally do is leave the commented default line as a reference
> and add my config line directly beneath it.  Should that cause problems?
>
> For example, here is a section from the current config file:
>
> ##NAME: TLS_CERTFILE:0
> #
> <lots more comments go here>
> #
> # DEFAULT SETTING from /etc/courier/imapd-ssl.dist:
> #
> #TLS_CERTFILE=/usr/lib/courier/share/imapd.pem
> #
> TLS_CERTFILE=/etc/certs/bucmail.pem
>
> I just added the last line at the end of the comments for the section.
> Will that get squashed on the next update?  What is the correct way to
> do it?

That should be fine. One thing to watch out for is stray blank lines in the
entire comment section. They'll mess this up. Also, the very first line in
the configuration file. If it's missing or gets altered, the entire
configuration file may get reset.
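
A pre/post-upgrade check for the structural pitfalls discussed in this thread, as an added example that is not part of any message here and is not Courier's own tooling. It assumes the file's first line starts with `##VERSION:` (the page does not show that line) and treats a blank line followed by more comment text inside a `##NAME:` section as "stray"; the sample files are constructed.

```python
import re

NAME_RE = re.compile(r"^##NAME:\s*(\w+):\S+\s*$")   # section marker, as on the page
SETTING_RE = re.compile(r"^(\w+)=(.*)$")             # uncommented NAME=value line

def lint(text, first_line_prefix="##VERSION:"):      # prefix is an assumption
    """Return (effective_settings, problems) for one config file's text."""
    lines = text.splitlines()
    settings, problems = {}, []
    if not lines or not lines[0].startswith(first_line_prefix):
        problems.append((1, "first line is not the expected header"))
    section, in_comments, blanks = None, False, []
    for no, line in enumerate(lines, 1):
        m = NAME_RE.match(line)
        if m:
            section, in_comments, blanks = m.group(1), True, []
        elif in_comments and not line.strip():
            blanks.append(no)                        # judged when we see what follows
        elif in_comments and line.startswith("#"):
            # Comment text resumes after a blank: the blank split the block.
            problems += [(b, "blank line inside comments of " + section) for b in blanks]
            blanks = []
        else:
            in_comments = False
            m = SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings, problems

def changed_settings(before, after, keys=("TLS_CERTFILE", "TLS_PROTOCOL", "TLS_CIPHER_LIST")):
    """Map each watched key to (old, new) where an upgrade changed or dropped it."""
    old, new = lint(before)[0], lint(after)[0]
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}

# Constructed samples (not real Courier files): a customised file with a stray
# blank line in the comment block, and the same section reset to its default.
BEFORE = """##VERSION: constructed-header
##NAME: TLS_CERTFILE:0
#
# Certificate file for the SSL/TLS server.

# DEFAULT SETTING from /etc/courier/imapd-ssl.dist:
#
#TLS_CERTFILE=/usr/lib/courier/share/imapd.pem
#
TLS_CERTFILE=/etc/certs/bucmail.pem
"""
AFTER = BEFORE.replace("\n\n", "\n").replace("/etc/certs/bucmail.pem", "/usr/lib/courier/share/imapd.pem")
```

Running `lint` on each of imapd-ssl, pop3d-ssl and esmtpd-ssl before an upgrade, and `changed_settings` on saved copies afterwards, surfaces a silently reverted `TLS_CERTFILE` before clients start failing.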