Eugeny / ajenti-v

Virtual Hosting addon for Ajenti
ajenti.org/#product-ajenti-v
MIT License

Courier stopped working on SSL #197

Closed bbbenji closed 8 years ago

bbbenji commented 8 years ago

I am unable to connect to IMAP on port 993 anymore. I am not sure what changes I have made to cause this. In order to even get access to IMAP I have to edit /etc/courier/imapd-ssl and change IMAP_TLS_REQUIRED to 0 and restart Courier. This change is reverted once any mail settings are touched in Ajenti.

Port 993 is not currently in use by any process and logs are not showing any issues.

Xefir commented 8 years ago

It's not a bug, it's a result of this PR: https://github.com/Eugeny/ajenti-v/pull/193

To avoid POODLE, SSL has been disabled. You have to use STARTTLS on port 143.

This question comes back often (3rd time). Do we have to revert this only for Courier, @Eugeny @sawanoboly? Or maybe a FAQ entry?

bbbenji commented 8 years ago

Unfortunately STARTTLS does not work on port 143. The port only works without encryption and only when changing the variable as stated above.

Xefir commented 8 years ago

If you keep IMAP_TLS_REQUIRED at 1, it'll accept STARTTLS on 143; otherwise, yes, it won't allow it.

sawanoboly commented 8 years ago

Hmm... I can't recommend enabling SSLv3. I think that we should change the MUA settings to use TLS or use STARTTLS.

bbbenji commented 8 years ago

Xefir, what I meant was even with IMAP_TLS_REQUIRED set to 1, it still will not allow me to connect using STARTTLS. The only way I am able to connect, with encryption or not, is disabling that option and using port 143 after restarting Courier.

Xefir commented 8 years ago

Really weird. Have you got something interesting in /var/log/mail.err or /var/log/mail.log when you log in with STARTTLS on 143 with IMAP_TLS_REQUIRED=1?

bbbenji commented 8 years ago

Looks like I am getting 2 errors. I will be doing some Googling around for some answers in a few hours.

Nov  3 17:43:12 serv019059 imapd-ssl: couriertls: /etc/courier/mail.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
Nov  3 17:43:12 serv019059 imapd-ssl: couriertls: /etc/ssl/certs/50f658f9.0: No such file or directory

Edit: actually this error is a mistake, as I was trying to connect on 993. When using 143, no errors print in the log.

bbbenji commented 8 years ago

I noticed that /etc/courier/imapd-ssl was missing a few lines that are in the vh-mail template.py file.

For example:

IMAPDSTARTTLS=YES
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

I have added them manually, but the issue has not been resolved. I also noticed that I have /etc/courier/courier/, which has a list of duplicate files such as

imapd
imapd.cnf
imapd.pem
imapd-ssl
and more...

Is something wrong with my install?

Xefir commented 8 years ago

If you have some missing lines, you definitely have a problem with your install.

This is the list of files in the /etc/courier folder:

xefir@crystalyx ~> ls /etc/courier/
authdaemonrc  imapd      imapd.pem  mail.pem  userdb      userdb.lock
dhparams.pem  imapd.cnf  imapd-ssl  shared/   userdb.dat  userdbshadow.dat

Which doesn't have the subfolder courier in there.

And this is the /etc/courier/imapd-ssl file you should have:

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/mail.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
TLS_DHPARAMS=/etc/courier/dhparams.pem
MAILDIRPATH=Maildir

To force regeneration of the file to this state, simply go to Ajenti, Mail > Advanced configuration and click Save.

It usually rewrites all Exim and Courier files to their initial state.
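A small audit script, added here as an example and not part of ajenti-v or Courier, that checks an imapd-ssl file against the expected values posted above (catching the missing STARTTLS lines reported earlier) and checks that the certificate file referenced by TLS_CERTFILE actually contains a PEM block, which is what the "PEM_read_bio:no start line" log error complains about. The sample config embedded at the bottom is constructed to mimic the truncated file from the thread.

```python
# Expected hardened values, taken from the imapd-ssl file posted in the thread.
EXPECTED = {
    "IMAPDSSLSTART": "NO",
    "IMAPDSTARTTLS": "YES",
    "IMAP_TLS_REQUIRED": "1",
    "TLS_PROTOCOL": "TLS1",
    "TLS_STARTTLS_PROTOCOL": "TLS1",
    "TLS_CERTFILE": "/etc/courier/mail.pem",
}


def parse_courier_conf(text):
    """Parse Courier's KEY=VALUE file, ignoring comments and stripping quotes."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_imapd_ssl(text):
    """Return findings: keys missing from the file, or set to a weaker value."""
    conf = parse_courier_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in conf:
            findings.append(f"missing {key}={want}")
        elif conf[key] != want:
            findings.append(f"{key}={conf[key]} (expected {want})")
    return findings


def pem_has_start_line(pem_text):
    """True if the file carries at least one PEM block. An empty or non-PEM
    mail.pem is what makes couriertls log 'PEM_read_bio:no start line'."""
    return "-----BEGIN " in pem_text and "-----END " in pem_text


# Constructed sample resembling the truncated file reported in the thread:
# STARTTLS/TLS_* lines absent and IMAP_TLS_REQUIRED flipped to 0.
BROKEN_SAMPLE = """SSLPORT=993
SSLADDRESS=0
IMAPDSSLSTART=NO
IMAP_TLS_REQUIRED=0
TLS_CERTFILE=/etc/courier/mail.pem
"""

if __name__ == "__main__":
    for finding in audit_imapd_ssl(BROKEN_SAMPLE):
        print("FINDING:", finding)
```

On a live box, read /etc/courier/imapd-ssl and the file named by TLS_CERTFILE and pass their contents to the two functions.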

bbbenji commented 8 years ago

Even after conforming to your setup, I am still unable to connect using any method unless IMAP_TLS_REQUIRED = 0, and then only without STARTTLS, of course.

Perhaps it's a permissions error? Perhaps not...

netstat shows couriertcpd on port 143. Error logs show nothing useful.

Is it possible to return to a stock Courier and vh-mail install without losing other configurations? I am on Debian.

sawanoboly commented 8 years ago

Sorry, https://github.com/Xefir/ajenti-v/commit/ef39903cca60e2d87dec15fef737e352418d3688 is correct to work. :scream:

bbbenji commented 8 years ago

The update caused no changes to my configuration. Could this be a permissions problem? How should they look for the /etc/courier/ directory?

Xefir commented 8 years ago

Ajenti touches the configuration when you save the corresponding module. If you want to update your Courier config files, go to the Mail entry and hit Save.

bbbenji commented 8 years ago

Ok thank you, forgot about that.

For some reason Courier is looking for /etc/ssl/certs/50f658f9.0, which is a symlink to /etc/mail/tls/sendmail-server.crt. This file does not exist; after creating it, I am able to connect via SSL on 993 but then get "imapd-ssl: Unexpected SSL connection shutdown."

STARTTLS shows no errors and does not work yet.

I feel I am close to resolving my issues but still haven't gotten there. Something must be wrong with my install... I am starting to get frustrated.

Xefir commented 8 years ago

Courier looks into the /etc/certs folder to get all the certificates it can trust.

The /etc/mail/tls/sendmail-server.crt is a file created by another program, sendmail, which was apparently badly uninstalled, leaving a symlink to nowhere.

Courier searches for a certificate, doesn't find one (or finds an invalid one) and shows the error you got.

Delete this symlink (and only this particular file) from this folder (and the sendmail-server.crt file you've created), restart Courier and it'll be fine ... Maybe? =/

bbbenji commented 8 years ago

I wish I could say it worked, but it still gives me the error below. Although it is no longer complaining about the missing cert.

imapd-ssl: Unexpected SSL connection shutdown.

Xefir commented 8 years ago

Okay, last bits of things I remember that can cause this.

You normally have two pem files in /etc/courier. Try to regenerate them. For that, run these two commands:

sudo /usr/sbin/mkdhparams
sudo /usr/sbin/mkimapdcert

This should regenerate the two certs. Restart ALL Courier services (authdaemon, imapd and imapd-ssl) and test again.

bbbenji commented 8 years ago

Thank you for sticking with me through this Xefir.

Unfortunately it never ends... I am able to connect to IMAP on 993 SSL and 143 STARTTLS, and it seems to be working well on the existing email account; perhaps it's a little slow, but that doesn't matter currently. And "imapd-ssl: Unexpected SSL connection shutdown." still shows up. But it does seem to be working.

My issue now is when adding new email accounts, the logs say LOGIN FAILED, even after updating the password. /etc/courier/userdb seems to be updating correctly. I am unable to log in with new accounts.