The following issue has been RESOLVED. 
====================================================================== 
http://www.dbmail.org/mantis/view.php?id=941 
====================================================================== 
Reported By:                Bobbnz
Assigned To:                paul
====================================================================== 
Project:                    DBMail
Issue ID:                   941
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     resolved
target:                      
Resolution:                 fixed
Fixed in Version:           3.0.0-final
====================================================================== 
Date Submitted:             12-Nov-11 03:31 CET
Last Modified:              13-Nov-11 14:14 CET
====================================================================== 
Summary:                    IMAP Daemon hang on STARTTLS
Description: 
SSL connections working fine on port 995
issue STARTTLS and server hangs
====================================================================== 

---------------------------------------------------------------------- 
 (0003331) Bobbnz (reporter) - 12-Nov-11 04:26
 http://www.dbmail.org/mantis/view.php?id=941#c3331 
---------------------------------------------------------------------- 
Sorry, should read port 993 (set as tls port in dbmail.conf)

Update - You don't have to issue STARTTLS, just connecting with non-ssl
client will hang it - eg 'telnet server.domain 993' - SSL connections are
working OK (until it hangs) so I'm guessing I have chained certs done right

 

---------------------------------------------------------------------- 
 (0003332) paul (administrator) - 12-Nov-11 20:44
 http://www.dbmail.org/mantis/view.php?id=941#c3332 
---------------------------------------------------------------------- 
Bob,

This report is way too thin on details. Since I use STARTTLS all the time
using both thunderbird and k9-mail, your steps to reproduce must be missing
something.

A command-line test of STARTTLS can be done using openssl:

openssl s_client -connect mymailserver:143 -starttls imap

If you can reproduce this reliably, please upload detailed level 511
(anonymized) logs - only the relevant parts - plus dbmail.conf into this
issue. 

---------------------------------------------------------------------- 
 (0003335) Bobbnz (reporter) - 13-Nov-11 00:19
 http://www.dbmail.org/mantis/view.php?id=941#c3335 
---------------------------------------------------------------------- 
Hi Paul

To reproduce the problem you need to specify tls port (in this case 993)
in dbmail.conf. Then just connect to port 993 with standard telnet client
and issue anything at all and imapd will hang. 


Without tls_port specified, TLS is working fine on port 143 so not a
showstopper unless you need ssl on 993

Bob

 

---------------------------------------------------------------------- 
 (0003337) paul (administrator) - 13-Nov-11 12:45
 http://www.dbmail.org/mantis/view.php?id=941#c3337 
---------------------------------------------------------------------- 
The ssl socket is blocking, and you are doing a denial-of-service attack on
it. Doing a plain telnet on a SSL socket is invalid, and should be dealt
with by dropping the connection if a ssl negotiation is not started on it.
Also, SSL sockets must be made non-blocking. 

---------------------------------------------------------------------- 
 (0003338) paul (administrator) - 13-Nov-11 12:46
 http://www.dbmail.org/mantis/view.php?id=941#c3338 
---------------------------------------------------------------------- 
Correction: only the listening socket must be made non-blocking. Active
connections already are non-blocking. 

---------------------------------------------------------------------- 
 (0003339) Bobbnz (reporter) - 13-Nov-11 13:01
 http://www.dbmail.org/mantis/view.php?id=941#c3339 
---------------------------------------------------------------------- 
It was Outlook trying to do tls that started the problem, I just used
telnet for easy illustration. It's a DoS vulnerability that can be triggered
too easily by accident. FWIW - Pop3 ssl on 995 seems ok :) 

---------------------------------------------------------------------- 
 (0003340) paul (administrator) - 13-Nov-11 14:14
 http://www.dbmail.org/mantis/view.php?id=941#c3340 
---------------------------------------------------------------------- 
pls try 

http://git.dbmail.eu/paul/dbmail/commit/?id=9efbf4ee05760a4b964fac4a3ef048c0347ed60f

which I believe fixes this behaviour:

- ssl sockets are non-blocking on accept
- handle SSL_ERROR_WANT_READ/WRITE errors during accept 
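
Added example, not part of the tracker thread and not DBMail's code: the two points of the fix above, sketched with Python's ssl module instead of the OpenSSL C API. The names accept_tls and demo, the handshake deadline and the constructed socketpair clients are assumptions made for illustration.

```python
import select
import socket
import ssl
import time


def accept_tls(conn, ctx, deadline_s=2.0):
    """Server-side TLS handshake on a non-blocking socket with a deadline.

    Returns (tls_socket, "ok") on success, or (None, reason) after closing
    the connection, where reason is "not-tls" or "timeout".
    """
    conn.setblocking(False)
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    deadline = time.monotonic() + deadline_s
    while True:
        try:
            tls.do_handshake()
            return tls, "ok"
        except ssl.SSLWantReadError:      # OpenSSL: SSL_ERROR_WANT_READ
            rlist, wlist = [tls], []
        except ssl.SSLWantWriteError:     # OpenSSL: SSL_ERROR_WANT_WRITE
            rlist, wlist = [], [tls]
        except (ssl.SSLError, OSError):   # peer sent something that is not TLS
            tls.close()
            return None, "not-tls"
        remaining = deadline - time.monotonic()
        # Wait only until the deadline; an event loop would do other work here.
        if remaining <= 0 or not any(select.select(rlist, wlist, [], remaining)[:2]):
            tls.close()
            return None, "timeout"


def demo():
    """Constructed clients on a socketpair: one silent, one speaking plain IMAP."""
    # No certificate is loaded: both cases are rejected before one is needed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    results = {}
    for name, payload in (("silent", b""), ("plaintext", b"a001 NOOP\r\n")):
        server_end, client_end = socket.socketpair()
        if payload:
            client_end.sendall(payload)
        start = time.monotonic()
        _, reason = accept_tls(server_end, ctx, deadline_s=0.3)
        results[name] = (reason, time.monotonic() - start)
        client_end.close()
    return results


if __name__ == "__main__":
    print(demo())
```

A real deployment would load a certificate into ctx and run the wait inside the server's event loop so other clients are served while a handshake is pending.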

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
12-Nov-11 03:31  Bobbnz         New Issue                                    
12-Nov-11 03:40  Bobbnz         Note Added: 0003331                          
12-Nov-11 04:26  Bobbnz         Note Edited: 0003331                         
12-Nov-11 20:44  paul           Note Added: 0003332                          
13-Nov-11 00:07  Bobbnz         File Added: dbmail.err.bob                    
13-Nov-11 00:07  Bobbnz         File Added: dbmail.conf                      
13-Nov-11 00:13  Bobbnz         Note Added: 0003335                          
13-Nov-11 00:18  Bobbnz         Note Added: 0003336                          
13-Nov-11 00:18  Bobbnz         Note Deleted: 0003336                        
13-Nov-11 00:19  Bobbnz         Note Edited: 0003335                         
13-Nov-11 12:45  paul           Note Added: 0003337                          
13-Nov-11 12:46  paul           Note Added: 0003338                          
13-Nov-11 13:01  Bobbnz         Note Added: 0003339                          
13-Nov-11 14:14  paul           Note Added: 0003340                          
13-Nov-11 14:14  paul           Assigned To               => paul            
13-Nov-11 14:14  paul           Status                   new => resolved     
13-Nov-11 14:14  paul           Resolution               open => fixed       
13-Nov-11 14:14  paul           Fixed in Version          => 3.0.0-final     
======================================================================
