dbmail-imapd TLS error when connecting with Mozilla Thunderbird

[owldance]

Hi

I'm no security expert, so I'm not sure whether it's Mozilla Thunderbird client, dbmail-imapd or me who is at fault here:

In dbmail.conf I have set file_logging_levels = 128 and tls_ciphers = HIGH. Then I connect with Thunderbird with security STARTTLS and authentication Normal password:

Debug:[clientbase] ci_starttls(+228): [0x7feb00775500] ssl_state [-1]
Debug:[imap] dbmail_imap_session_new(+159): imap session [0x7feb066afd80] created
Debug:[clientbase] ci_cork(+203): [0x7feb00775500] [17] [17]
Debug:[clientbase] ci_write(+335): ssl write error SSL_ERROR_WANT_READ
Debug:[clientbase] ci_write(+338): SSL Retry [1/4000] t[-1]
... then 3999 more retries

However connecting with:

openssl s_client -connect my-imap-server:993

I'm able to complete a successful IMAP session.

DBMail 3.4.1 as systemd service on ubuntu 22.04.1 with PostgreSQL 14.11. Mozilla Thunderbird 115.8.1

[CozC]

Salve,Most problably is related to openssl on server, which is dependent on openssl capabilities. Might be a mismatch between the high setting which is lower then the thunderbird tls available ciphers(being related on mozila foundation which contantly is using the higher setting according to curent standards). An up to the on openssl might be required. So you have requested tls ciphers on high but the systems settings are set to something as default, lower or legacy. I would recomend using a tls proxy such as haproxy or nginx which are more efficient on ssl communication than dbmail(especially on high load).In your case please check if your using the correct key file and lower tls ciphers.Hope it helps.CC @ gmail -------- Original message --------From: owldance @.> Date: 3/24/24 15:43 (GMT+02:00) To: dbmail/dbmail @.> Cc: Subscribed @.***> Subject: [dbmail/dbmail] dbmail-imapd TLS error when connecting with Mozilla Thunderbird (Issue #270) Hi I'm no security expert, so I'm not sure whether it's Mozilla Thunderbird client, dbmail-imapd or me who is at fault here: In dbmail.conf I have set file_logging_levels = 128 and tls_ciphers = HIGH. Then I connect with Thunderbird with security STARTTLS and authentication Normal password: Debug:[clientbase] ci_starttls(+228): [0x7feb00775500] ssl_state [-1] Debug:[imap] dbmail_imap_session_new(+159): imap session [0x7feb066afd80] created Debug:[clientbase] ci_cork(+203): [0x7feb00775500] [17] [17] Debug:[clientbase] ci_write(+335): ssl write error SSL_ERROR_WANT_READ Debug:[clientbase] ci_write(+338): SSL Retry [1/4000] t[-1] ... then 3999 more retries

However connecting with: openssl s_client -connect my-imap-server:993

I'm able to complete a successful IMAP session. DBMail 3.4.1 as systemd service on ubuntu 22.04.1 with PostgreSQL 14.11. Mozilla Thunderbird 115.8.1

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: @.***>

[owldance]

Hi CozC

Thank you for your reply, which I don´t understand in full. Except that it's probably a problem with openssl, and I should use a proxy which can handle the request.

Both client and server are ubuntu 22.04.1. the default openssl only supports ciphers 128 bit or higher, so I can't lower the cipher requirement.

[alan-hicks]

STARTTLS is for port 143. Port 993 is already encrypted for SSL/TLS.

[owldance]

Hi alan-hicks

Thank you.

dbmail-imapd announces STARTTLS on both port 143 and 993, so that's probably what's been confusing Thunderbird and me.

* OK [CAPABILITY IMAP4rev1 STARTTLS ID LOGINDISABLED LITERAL+] dbmail 3.4.1 ready.

I assume that means if I want SSL/TLS on 993 I can't have have STARTTLS on 143, and would have to override the default capability string in dmail.conf.

[owldance]

Uncommenting the supplied capability string in dbmail.conf, Thunderbird can now connect with both STARTTLS on 143 and SSL/TLS on 993. Problem solved, thank you.

capability = IMAP4 IMAP4rev1 AUTH=LOGIN ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE

[alan-hicks]

It's normal to run DBMail on ports 143 and 993 at the same time. It's the MUA that should be configured to use the right one, changing TLS/STARTTLS does the right thing and changes the port on Thunderbird.