Your message dated Thu, 28 Apr 2016 10:39:07 +0200
with message-id <[email protected]>
and subject line Re: Bug#808989: icedove doesn't properly connect to IMAPS server after upgrade to 38.
has caused the Debian Bug report #808989,
regarding icedove doesn't properly connect to IMAPS server after upgrade to 38.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
808989: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808989
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: icedove
Version: 38.4.0-1~deb8u1
Severity: normal

Since the security upgrade to icedove 38.4 (this machine hasn't been on for 6
months), I cannot login to a particular IMAP server (imap.xel.nl:993) via SSL/TLS
anymore. I used to before and I can still login to another IMAP/SSL account
(mail.a-eskwadraat.nl:993), and I also login to imap.xel.nl:993 from another
machine of mine, running Debian Jessie amd64 with icedove 38.4.0-1~deb8u1 too.

When I downgrade to icedove 34.0~b1-2 or 36.0~b1-2 things work again, but reverting
to current it fails again, so it does not seem to be an account/configuration issue.

Also, I tried setting security.ssl3.*dhe* to false as suggested in bug report
#787505, but that didn't help. Note that

  openssl s_client -connect imap.xel.nl:993

didn't report any (too short) DH keys.

Finally, I tried starting icedove with -safe-mode to no avail.

Attached a debug log of running

  NSPR_LOG_MODULES=imap:5,imapoffline:5 NSPR_LOG_FILE=icedove-imap-debug-38.log icedove


Best,
Jaap

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages icedove depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18+deb8u1
ii  libcairo2                 1.14.0-2.1
ii  libdbus-1-3               1.8.20-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-3+deb8u1
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+deb8u4
ii  libglib2.0-0              2.42.1-1
ii  libgtk2.0-0               2.24.25-3
ii  libhunspell-1.3-0         1.3.3-3
ii  libpango-1.0-0            1.36.8-3
ii  libpangocairo-1.0-0       1.36.8-3
ii  libpangoft2-1.0-0         1.36.8-3
ii  libpixman-1-0             0.32.6-3
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libx11-6                  2:1.6.2-3
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  psmisc                    22.21-2
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages icedove recommends:
pn  iceowl-extension                    <none>
ii  myspell-en-gb [myspell-dictionary]  1:3.3.0-4
ii  myspell-en-us [myspell-dictionary]  1:3.3.0-4
ii  myspell-nl [myspell-dictionary]     1:2.10-2

Versions of packages icedove suggests:
ii  fonts-lyx         2.1.2-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19+deb8u1

-- Configuration Files:
/etc/icedove/global-config.js 656b799cbfce9ebb589ac4effaf7a61e [Errno 2] No such file or directory: u'/etc/icedove/global-config.js 656b799cbfce9ebb589ac4effaf7a61e'

-- debconf information:
* icedove/browser: Debian
-423625920[e01a8f00]: ImapThreadMainLoop entering [this=df391000]
-146721024[f722f240]: df391000:imap.xel.nl:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:ProcessCurrentURL: entering
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:ProcessCurrentURL:imap://[email protected]:993/select%3E%5EINBOX: = currentUrl
-577766592[e01a9680]: ImapThreadMainLoop entering [this=df39a000]
-146721024[f722f240]: df39a000:imap.a-eskwadraat.nl:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:ProcessCurrentURL: entering
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:ProcessCurrentURL:imap://[email protected]:993/select%3E%5EINBOX: = currentUrl
-577766592[e01a9680]: ReadNextLine [stream=df124100 nb=115 needmore=0]
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:CreateNewLineFromSocket: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
-577766592[e01a9680]: try to log in
-577766592[e01a9680]: IMAP auth: server caps 0x5085425, pref 0x1006, failed 0x0, avail caps 0x1004
-577766592[e01a9680]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
  LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
-577766592[e01a9680]: trying auth method 0x1000
-423625920[e01a8f00]: ReadNextLine [stream=df101240 nb=0 needmore=1]
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80004005
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:TellThreadToDie: close socket connection
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:CreateNewLineFromSocket: (null)
-423625920[e01a8f00]: df391000:imap.xel.nl:NA:ProcessCurrentURL: aborting queued urls
-423625920[e01a8f00]: ImapThreadMainLoop leaving [this=df391000]
-577766592[e01a9680]: got new password
-577766592[e01a9680]: IMAP: trying auth method 0x1000
-577766592[e01a9680]: PLAIN auth
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:SendData: 1 authenticate plain
-577766592[e01a9680]: ReadNextLine [stream=df124100 nb=4 needmore=0]
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:CreateNewLineFromSocket: +
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:SendData: Logging suppressed for this command (it probably contained authentication information)
-577766592[e01a9680]: ReadNextLine [stream=df124100 nb=285 needmore=0]
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:NA:CreateNewLineFromSocket: 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
-577766592[e01a9680]: login succeeded
<removed a-eskwadraat.nl access log line>
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:S-INBOX:CreateNewLineFromSocket: + idling
-644875456[e10fb4c0]: ImapThreadMainLoop entering [this=d9ab3800]
-146721024[f722f240]: d9ab3800:imap.xel.nl:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:ProcessCurrentURL: entering
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:ProcessCurrentURL:imap://[email protected]:993/select%3E%5EINBOX: = currentUrl
-644875456[e10fb4c0]: ReadNextLine [stream=d9a80060 nb=0 needmore=1]
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80004005
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:TellThreadToDie: close socket connection
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:CreateNewLineFromSocket: (null)
-644875456[e10fb4c0]: d9ab3800:imap.xel.nl:NA:ProcessCurrentURL: aborting queued urls
-644875456[e10fb4c0]: ImapThreadMainLoop leaving [this=d9ab3800]
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:S-INBOX:SendData: DONE
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:S-INBOX:SendData: 12 logout
-577766592[e01a9680]: df39a000:imap.a-eskwadraat.nl:S-INBOX:TellThreadToDie: close socket connection
-577766592[e01a9680]: ImapThreadMainLoop leaving [this=df39a000]

--- End Message ---
--- Begin Message ---
Version: 38.6.0-1~deb8u1

Hello Jaap,

I close this report as there is no issue with Icedove here.
See below.

On Fri, Dec 25, 2015 at 05:17:01PM +0100, Jaap Eldering wrote:
 
> Since the security upgrade to icedove 38.4 (this machine hasn't been on for 6
> months), I cannot login to a particular IMAP server (imap.xel.nl:993) via SSL/TLS
> anymore. I used to before and I can still login to another IMAP/SSL account
> (mail.a-eskwadraat.nl:993), and I also login to imap.xel.nl:993 from another
> machine of mine, running Debian Jessie amd64 with icedove 38.4.0-1~deb8u1 too.

The server is providing a weak RC4 cipher suite with md5 or sha and is
accepting SSLv3.

$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 -Pn imap.xel.nl

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-28 10:28 CEST
Nmap scan report for imap.xel.nl (82.94.246.100)
Host is up (0.075s latency).
rDNS record for 82.94.246.100: mail.xel.nl
PORT    STATE    SERVICE
443/tcp filtered https
465/tcp open     smtps
| ssl-cert: Subject: commonName=*.xel.nl
| Issuer: commonName=RapidSSL SHA256 CA - G3/organizationName=GeoTrust Inc./countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-09-22T18:34:55
| Not valid after:  2016-11-03T23:09:14
| MD5:   f4b7 6e96 0655 6fed d874 7411 6826 578a
|_SHA-1: 45fb 8b1e 60df 01f5 f959 d157 46d7 26a6 1b95 5192
993/tcp open     imaps
| ssl-cert: Subject: commonName=*.xel.nl
| Issuer: commonName=RapidSSL SHA256 CA - G3/organizationName=GeoTrust Inc./countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-09-22T18:34:55
| Not valid after:  2016-11-03T23:09:14
| MD5:   f4b7 6e96 0655 6fed d874 7411 6826 578a
|_SHA-1: 45fb 8b1e 60df 01f5 f959 d157 46d7 26a6 1b95 5192
| ssl-enum-ciphers: 
|   SSLv3:  <--- SSLv3 enabled!
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A   <--- RC4!
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A   <--- RC4!
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A   <--- RC4!
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A   <--- RC4!
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|_  least strength: C
995/tcp open     pop3s
| ssl-cert: Subject: commonName=*.xel.nl
| Issuer: commonName=RapidSSL SHA256 CA - G3/organizationName=GeoTrust Inc./countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-09-22T18:34:55
| Not valid after:  2016-11-03T23:09:14
| MD5:   f4b7 6e96 0655 6fed d874 7411 6826 578a
|_SHA-1: 45fb 8b1e 60df 01f5 f959 d157 46d7 26a6 1b95 5192
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A
|     compressors: 
|       DEFLATE
|       NULL
|     cipher preference: client
|     warnings: 
|       Ciphersuite uses MD5 for message integrity
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds

> When I downgrade to icedove 34.0~b1-2 or 36.0~b1-2 things work again, but reverting
> to current it fails again, so it does not seem to be an account/configuration issue.

Yes, it's a configuration problem of the used server.

> Also, I tried setting security.ssl3.*dhe* to false as suggested in bug report
> #787505, but that didn't help. Note that
> 
>   openssl s_client -connect imap.xel.nl:993
> 
> didn't report any (too short) DH keys.
> 
> Finally, I tried starting icedove with -safe-mode to no avail.
> 
> Attached a debug log of running
> 
>   NSPR_LOG_MODULES=imap:5,imapoffline:5 NSPR_LOG_FILE=icedove-imap-debug-38.log icedove

The possibility for ssl3 settings is disabled in recent versions so you can't
change anything here (and that's a good thing). It's time to contact the server
admins, the server needed some adjustments.

Some more information is visible on https://de.ssl-tools.net/mailservers/imap.xel.nl

Regards
Carsten 

--- End Message ---
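
The check read off the scan in the reply above, as an added example (not part of the original thread and not nmap's own code): a small parser that walks `ssl-enum-ciphers` output per port and protocol and flags accepted SSLv3, RC4 suites and MD5-MAC suites. The sample text is constructed and abridged; the function and pattern names are this example's own.

```python
import re

# Constructed, abridged text in the shape of nmap's ssl-enum-ciphers output.
SAMPLE = """\
993/tcp open     imaps
| ssl-enum-ciphers:
|   SSLv3:  <--- SSLv3 enabled!
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - A
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - A   <--- RC4!
|_  least strength: C
995/tcp open     pop3s
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):")
SECTION_RE = re.compile(r"^\|\s+([a-z ]+):")   # ciphers / compressors / warnings
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+)")

def audit(nmap_text):
    """Return (port, protocol, item, reason) for each weak protocol or suite."""
    findings, port, proto, section = [], None, None, None
    for line in nmap_text.splitlines():
        if m := PORT_RE.match(line):
            port, proto, section = int(m.group(1)), None, None
        elif m := PROTO_RE.match(line):
            proto, section = m.group(1), None
            if proto == "SSLv3":
                findings.append((port, proto, "protocol", "SSLv3 accepted"))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "ciphers" and (m := SUITE_RE.match(line)):
            suite = m.group(1)
            if "_RC4_" in suite:
                findings.append((port, proto, suite, "RC4 stream cipher"))
            if suite.endswith("_MD5"):
                findings.append((port, proto, suite, "MD5 message integrity"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Only lines under a `ciphers:` heading are treated as suites, so the text under `warnings:` and any trailing annotations on a suite line are not double-counted.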
