Re: [Dovecot] SSL with startssl.com certificates

[Dan Langille]

On 2013-09-17 09:08, Jerry wrote:
On Tue, 17 Sep 2013 09:01:49 -0400
Dan Langille articulated:
On 2013-09-17 08:43, Reindl Harald wrote:
> Am 17.09.2013 14:39, schrieb Dan Langille:
> On 2013-09-16 20:28, Noel Butler wrote:
> Since we just ruled this one out, might I suggest you grab the
> source and build it, install it all under /opt/dovecot  that way it
> wont interfere with your ports installation and try that, the one
> you successfully just tested uses dovecot 2.1 not 2.2, so maybe try
> source of 2.1 and see if it works.
>
> I just tried 2.1.16.  The iPhone has no trouble on 143 but on 993,
> it's just like 2.2
>
> But, if it does work on port 143 with TLS I wouldnt worry too much
> about it
>
> tcpdump is showing me raw text going past, so I know I'm not
> getting TLS on either Dovecot 2.1 or 2.2
>
> It seems that TLS is not supported by my client.  Pity.
>
> iPhone is the worst mail client on this planet but for sure
> supports TLS
>
> Apple is here the same as Microsoft
>
> * remove the account completly
> * add it again and it will detect that encryption is available

Done. But tcpdump is still showing me plain text.

# dovecot -n
# 2.1.16: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
args = scheme=BLF-CRYPT /var/db/dovecot.users
driver = passwd-file
}
protocols = imap
service imap-login {
inet_listener imap {
address = 199.233.228.197
}
inet_listener imaps {
address = 199.233.228.197
port = 0
}
}
ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
args = /var/db/dovecot.users
driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

Show the entire dump from when you first attempt to make a connection 
to
the start of message transmission.

13:22:17.985508 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [S], 
seq 2703590158, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 
773682446 ecr 0,sackOK,eol], length 0
EH.@?.@.3._...U2.........%.................Z.......
..u.........
13:22:17.985579 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[S.], seq 2030926149, ack 2703590159, win 65535, options [mss 
1370,nop,wscale 6,sackOK,TS val 2484342793 ecr 773682446], length 0
yE.%......w......Z.......
...     ..u.
13:22:18.066507 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 1, win 8232, options [nop,nop,TS val 773682522 ecr 2484342793], 
length 0
yF.. (........U2.........%..y
..uZ...
13:22:18.093983 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 1:113, ack 1, win 1039, options [nop,nop,TS val 2484342901 ecr 
773682522], length 112
yF.%......R.......U2....y
...u..uZ* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
13:22:18.224227 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 113, win 8225, options [nop,nop,TS val 773682659 ecr 2484342901], 
length 0
y... !.9......U2.........%..y
..u....u

It was after this that the login details were passsed. That was in plain 
text, and omitted from this paste.

13:22:18.245486 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 113:432, ack 32, win 1039, options [nop,nop,TS val 2484343053 
ecr 773682667], length 319
y..%..............U2....y
..u.1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS 
THREAD=ORDEREDSUBJECT MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS 
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES 
WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in

13:22:18.311309 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 432, win 8205, options [nop,nop,TS val 773682774 ecr 2484343053], 
length 0
........3.s...U2.........%..y
..vV...
13:22:18.384236 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags 
[P.], seq 32:121, ack 432, win 8205, options [nop,nop,TS val 773682824 
ecr 2484343053], length 89
.!......3.6...U2.........%..y
2 ID ("name" "iPhone Mail" "version" "10B350" "os" "iOS" "os-version" 
"6.1.4 (10B350)")

13:22:18.384634 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags 
[P.], seq 432:462, ack 121, win 1039, options [nop,nop,TS val 2484343192 
ecr 773682824], length 30
z..%..............U2....y
......v.* ID NIL
2 OK ID completed.

13:22:18.455096 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], 
ack 462, win 8204, options [nop,nop,TS val 773682899 ecr 2484343192], 
length 0
{... ..f......U2.........%..y
..v.....
13:22:18.464945 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags 
[P.], seq 121:136, ack 462, win 8204, options [nop,nop,TS val 773682901 
ecr 2484343192], length 15
{... .........U2.........%..y
..v.....3 LIST "" "*"



--
Dan Langille - http://langille.org/