> On 30/09/2020 18:06 Kurt Jaeger <dove...@opsec.eu> wrote:
>
>
> Hi!
>
> My question is: can dovecot be used to debug/decrypt TLS sessions ?
>
> The reason I'm asking:
>
> A custom application wants to speak IMAP with TLS with a dovecot
> instance.
>
> It fails, and the error message is, unfortunately, not very helpful.
> tcpdump shows that the session is established, but fails. The custom
> application says error 60000, not much more.
>
> There is a way to decode TLS sessions in some cases:
>
> https://wiki.wireshark.org/TLS
>
> using firefox and the environment variable SSLKEYLOGFILE.
>
> Basically, the TLS client (firefox), while negotiating keys with the
> other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE
> and at the same time, wireshark is used to capture / write the pcap
> of the session.
>
> Then wireshark can be used to decode the contents of the TLS-encrypted
> session.
>
> Is something similar possible with dovecot as the server and
> from the server side ?
>
> Is, by chance, the session=<...> value already such a key so that
> a tcpdump pcap file would be able to decrypt that session ?
>
> Sep 29 08:51:30 imap-login: Info: Login: user=<someuser>, method=PLAIN,
> rip=<someip>, lip=<someotherip>, mpid=63667, TLS,
> session=<GGF0Nm6wxy0qAQHoAAMAAwAAAAAAAAAB>
>
> --
> p...@opsec.eu +49 171 3101372

Now what ?
Hi!

If rawlogs did not have a bug, you would be able to use that to log what the client is sending/receiving. But, unfortunately, that does not work; it's broken with TLS, so you need to work around this bit:

Return from passdb

  proxy_maybe=y host=127.0.0.2

to connect to localhost again, unencrypted. Then add

  protocol imap {
    rawlog_dir=%h/rawlogs/
  }

Then create a rawlogs directory under the user's home directory, with mode 0777, and it should store input/output transcripts per session.

Remember to disable these after using them!

Aki
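The workaround Aki describes, written out as one Dovecot configuration fragment. This is an added example and not a file from the thread or from the Dovecot project; the file name, the pam passdb driver, the vmail user and the mailbox path are assumptions, and the proxy_maybe / rawlog_dir / login_trusted_networks semantics in the comments follow the Dovecot 2.2/2.3 documentation. It relies on the client authenticating with PLAIN (as in Kurt's log line), because the loopback proxy hop re-uses the client's password to log in to the backend.

```conf
# /etc/dovecot/conf.d/99-rawlog-debug.conf   (assumed file name; added example)
#
# 1. Turn every login into a loopback proxy target. proxy_maybe, not proxy,
#    is the point: the first login on the public IP sees host=127.0.0.2 != lip
#    and proxies there; the proxied login arrives with lip=127.0.0.2 == host,
#    so proxy_maybe decides "that is us" and logs in locally instead of looping.
#    override_fields is layered on top of whatever the passdb already returns,
#    so the real password check stays in place. Keep your own driver/args here.
passdb {
  driver = pam
  override_fields = proxy_maybe=y host=127.0.0.2
}

# The proxy -> backend hop is plaintext by design (no ssl= field), which is
# what makes the transcript readable. If the backend login answers
# "Plaintext authentication disallowed on non-secure (SSL/TLS) connections",
# disable_plaintext_auth is ignored for trusted networks:
#login_trusted_networks = 127.0.0.0/8
#
# On Linux any 127.0.0.0/8 address answers on lo; on BSDs 127.0.0.2 may first
# need an alias on the loopback interface (assumption, check your platform).

# 2. Per-session transcripts from the post-login imap process (pre-login
#    traffic is not included). Dovecot does not create the directory; it must
#    exist and be writable by the user the imap process runs as, so a directory
#    owned by that user is preferable to mode 0777, e.g. (assumed user/path):
#      install -d -o vmail -g vmail -m 0700 /var/vmail/someuser/rawlogs
#    Each session produces a timestamp-pid .in (client -> server) and
#    .out (server -> client) pair.
protocol imap {
  rawlog_dir = %h/rawlogs/
}

# 3. Disable when done: the transcripts hold login credentials and message
#    bodies in the clear. For example:
#      mv /etc/dovecot/conf.d/99-rawlog-debug.conf{,.disabled} && doveadm reload
```

After `doveadm reload`, a single login should produce two imap-login lines (the public one and the proxied one from 127.0.0.x) and a new .in/.out pair in the rawlogs directory; if only the first login line appears, the backend refused the proxied authentication and the login_trusted_networks line is the first thing to try.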