techsneeze / dmarcts-report-parser

A Perl based tool to parse DMARC reports from an IMAP mailbox or from the filesystem, and insert the information into a database. ( Formerly known as imap-dmarcts )
http://www.techsneeze.com/how-parse-dmarc-reports-imap/
GNU General Public License v3.0
224 stars 65 forks source link

SSL issue #47

Closed SeLLeRoNe closed 6 years ago

SeLLeRoNe commented 6 years ago

Hi there, I am using this Parser for a few months now and it works perfectly, today I wanted to switch on the SSL but I am having some issue with it, once I enable SSL and change the IMAP Server port to 993 the script doesn't work and return this error:

connection to mail.myserver.tld:993 with Ssl => 1, User => dmarc@myserver.tld, Ignoresizeerrors => 1 Started at Fri Feb 2 13:33:53 2018 Using Mail::IMAPClient version 3.37 on perl 5.016003 Connecting with IO::Socket::SSL PeerAddr mail.myserver.tld:993 PeerPort 993 Proto tcp Timeout 600 Debug 1


Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.


at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 361. ERROR: Unable to connect to mail.myserver.tld:993: at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 370. Mail::IMAPClient::connect('Mail::IMAPClient=HASH(0x1c993f8)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 313 Mail::IMAPClient::new('Mail::IMAPClient', 'Server', 'mail.myserver.tld:993', 'Ssl', 1, 'Starttls', undef, 'User', 'dmarc@myserver.tld', ...) called at /home/dmarc/DMARC-Parser/dmarcts-report-parser.pl line 234 IMAP Failure: Unable to connect to mail.myserver.tld:993: at /home/dmarc/DMARC-Parser/dmarcts-report-parser.pl line 234.

While if I use TLS on port 993 It just hangs on the connection: use tls with verify servercert. connection to mail.myserver.tld:993 with Ssl => 0, User => dmarc@myserver.tld, Ignoresizeerrors => 1 Started at Fri Feb 2 13:36:45 2018 Using Mail::IMAPClient version 3.37 on perl 5.016003 Connecting with IO::Socket::INET PeerAddr mail.myserver.tld:993 PeerPort 143 Proto tcp Timeout 600 Debug 1 Connected to mail.myserver.tld:993

Disabling TLS and SSL while using port 143 works perfectly.

Any suggestion?

Thanks

Best regards Andrea

techsneeze commented 6 years ago

If you enable SSL, you need to disable TLS: $imapssl = '1'; $imaptls = '0';

I'm guessing you are already doing that, but I didn't see you explicitly mention it. Otherwise, it tries to do TLS over SSL, which won't work. Since it works fine without SSL or TLS, it seems to be somewhere in that are of the code.

SeLLeRoNe commented 6 years ago

Hi, well yes, I didn't menthion that but I did it and the error I reported is with TLS 0 SSL 1

techsneeze commented 6 years ago

Hmm, it sounded a lot like issue #45 .

Are you able to see any errors on the server side, when trying to connect?

SeLLeRoNe commented 6 years ago

Mmmh, don't think so, that Issue is clearly related to having both TLS and SSL set to 1, I am having error using the SSL and it does like the SSL Certificate is not properly check. The SSL it is working fine, I am using webmails and mail clients to connect in IMAP and SMTP with SSL to that server without a problem.

It may be perl version issue (maybe), but it is the version coming from yum (CentOS 7), I think that the focus would have to go on this part: Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.

lwt-pressy commented 6 years ago

Here is a mix, the "SSL_VERIFY_NONE" is a different error and we need an debug log (console log from running with -d set).

Your other tries look like using TLS on Port 993 which makes no sense, since 993 is for SSL and not TLS or using both SSL and TLS enabled both which also won't work.

SeLLeRoNe commented 6 years ago

Ok, I paste it again, because apparently it wasn't that clear on the first post where I was already using -d

SSL = 0 TLS = 0 TLS Verify = 0 Port = 143 Works fine

SSL = 0 TLS = 1 TLS Verify = 0 Port = 143 Works fine

SSL = 0 TLS = 1 TLS Verify = 1 Port = 143 ./dmarcts-report-parser.pl -i -d use tls with verify servercert. connection to mail.crazynetwork.it:143 with Ssl => 0, User => dmarc@crazynetwork.it, Ignoresizeerrors => 1 Started at Sat Feb 3 14:16:41 2018 Using Mail::IMAPClient version 3.37 on perl 5.016003 Connecting with IO::Socket::INET PeerAddr mail.crazynetwork.it:143 PeerPort 143 Proto tcp Timeout 600 Debug 1 Connected to mail.crazynetwork.it:143 Read: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot DA ready. Sending: 1 STARTTLS Sent 12 bytes Read: 1 OK Begin TLS negotiation now. ERROR: Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 455. Mail::IMAPClient::starttls('Mail::IMAPClient=HASH(0x35d3038)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 412 Mail::IMAPClient::Socket('Mail::IMAPClient=HASH(0x35d3038)', 'IO::Socket::INET=GLOB(0x35bc0c8)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 366 Mail::IMAPClient::connect('Mail::IMAPClient=HASH(0x35d3038)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 313 Mail::IMAPClient::new('Mail::IMAPClient', 'Server', 'mail.crazynetwork.it:143', 'Ssl', 0, 'Starttls', 'ARRAY(0x35d30e0)', 'User', 'dmarc@crazynetwork.it', ...) called at ./dmarcts-report-parser.pl line 234 IMAP Failure: Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at ./dmarcts-report-parser.pl line 234.

SSL = 1 TLS = 0 TLS Verify = 0 Port = 993 ./dmarcts-report-parser.pl -i -d connection to mail.crazynetwork.it:993 with Ssl => 1, User => dmarc@crazynetwork.it, Ignoresizeerrors => 1 Started at Sat Feb 3 14:20:20 2018 Using Mail::IMAPClient version 3.37 on perl 5.016003 Connecting with IO::Socket::SSL PeerAddr mail.crazynetwork.it:993 PeerPort 993 Proto tcp Timeout 600 Debug 1


Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.


at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 361. ERROR: Unable to connect to mail.crazynetwork.it:993: at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 370. Mail::IMAPClient::connect('Mail::IMAPClient=HASH(0x2104a38)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 313 Mail::IMAPClient::new('Mail::IMAPClient', 'Server', 'mail.crazynetwork.it:993', 'Ssl', 1, 'Starttls', undef, 'User', 'dmarc@crazynetwork.it', ...) called at ./dmarcts-report-parser.pl line 234 IMAP Failure: Unable to connect to mail.crazynetwork.it:993: at ./dmarcts-report-parser.pl line 234.

I hope this gives you a better idea. TLS Works unless the Verify is enabled, in that case, it doesn't. SSL Doesn't work (which is the protocol I would like to use)

lwt-pressy commented 6 years ago

SSL = 0 TLS = 1 TLS Verify = 1 Port = 143

TLS_VERIFY fails because you don't have the correspending ca cert installed (see also [https://github.com/techsneeze/dmarcts-report-parser/issues/47#issuecomment-362805661] ). Should be "Let's Encrypt Authority X3" by the test below.

SSL = 1 TLS = 0 TLS Verify = 0 Port = 993

I can't see the cause. If I telnet I find a valid imap server with ssl under mail.crazynetwork.it:993 (test protocol below). Could you try also the telnet/openssl-connect comand (openssl s_client -crlf -connect mail.crazynetwork.it:993). Could it be an firewall issue, so that no connections can be established?

openssl s_client -crlf -connect mail.crazynetwork.it:993
CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = orange01.crazynetwork.it verify return:1

...

SSL handshake has read 3928 bytes and written 302 bytes Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: D92F6720E3EC79F60FC50D3F218E0BB0CDE253BB4024879DD088DD2A51594FBB Session-ID-ctx: Master-Key: EB2A7DA552F5B64D7077F308553F1365EF1F1DA3E3955FD9E35FE9CC10219DBE18DD4754274D673D59175B9333E1B3D1 PSK identity: None PSK identity hint: None SRP username: None

...

Start Time: 1517936084
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

  • OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot DA ready.
SeLLeRoNe commented 6 years ago

Hi, thanks for your response, Regarding TLS I will check how to install the CA on Dovecot, but it doesn't really matter as long as I can work with SSL.

I have tried the connection using OpenSSL and it works just fine:

openssl s_client -crlf -connect mail.crazynetwork.it:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = orange01.crazynetwork.it
verify return:1

SSL handshake has read 3933 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BF99123734C27F98B1338B8FBB23107C6DFBD959146ACC8ABC9D2250717DAE2A
    Session-ID-ctx:
    Master-Key: 20A4ECC6ABAD407D4855C66C62A218A0F7921ACEB71DF304AC009F2FD1A88D62C470C26DA6C8953911C7564F85BB5F6C
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 01 37 f5 fd d9 20 28 c0-38 db 85 9d 1c 5e e2 12   .7... (.8....^..
    0010 - 46 94 f2 93 95 4f 07 c3-0a e5 ae 2d 02 85 80 ab   F....O.....-....
    0020 - bf 97 cd e5 14 a1 18 56-6c 3d 18 3e 2f 55 0b a1   .......Vl=.>/U..
    0030 - 89 34 02 93 a2 8f df d3-ad fb 89 32 9e de 0c 59   .4.........2...Y
    0040 - d8 aa bd bb b3 00 86 0b-17 40 39 25 63 b6 76 a8   .........@9%c.v.
    0050 - 35 17 de 01 2b 5e 8e cc-80 ea b9 55 76 4b e8 10   5...+^.....UvK..
    0060 - 86 0b 01 f3 29 11 ac 94-9d 53 66 d7 46 35 35 5e   ....)....Sf.F55^
    0070 - 3c 9e a7 ff 04 44 d5 2c-a3 d3 ab ea c1 54 0e 05   <....D.,.....T..
    0080 - 25 05 27 4d ae 16 67 cc-58 b3 fa 5f 24 2c 51 92   %.'M..g.X.._$,Q.
    0090 - ca b3 b5 04 fb 07 0f 25-d6 5f 48 d8 e9 c1 f7      .......%._H....
    00a0 - <SPACES/NULS>

    Start Time: 1517937227
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot DA ready.
* BYE Disconnected for inactivity.
closed

I doubt a firewall issue because the webmail (for example) connect using SSL to the same server without problem (on the same server using same host/port)

SeLLeRoNe commented 6 years ago

I have just checked with a client and with OpenSSL also the STARTLS connection on port 143 and it actually does work properly in my opinion, here the output:

openssl s_client -connect mail.crazynetwork.it:143 -starttls imap
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = orange01.crazynetwork.it
verify return:1
---
Certificate chain
 0 s:/CN=orange01.crazynetwork.it
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
subject=/CN=orange01.crazynetwork.it
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4245 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 40EB025274FFA002535BD22969A9A8493C8D16CF11F1B8DDDDD4FE0C617A3F3B
    Session-ID-ctx:
    Master-Key: B9BD2567DE80B3ABEC62CB88AC8FEFAC8393ABC5FCCC73B91509D29329A8965C6468076D529131C0576F6BC3222542B7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a3 45 c0 6e 49 54 b8 99-0c 9a f3 76 e6 21 37 b7   .E.nIT.....v.!7.
    0010 - ab 98 a8 bb 30 06 6b 5f-88 22 1a ca e1 e9 33 c9   ....0.k_."....3.
    0020 - 85 36 d7 57 d1 85 5b 70-ab c0 d5 61 2a 6a 7b 04   .6.W..[p...a*j{.
    0030 - 0e ad e6 32 fa 6c 0b c3-5a 0d af c1 d1 08 d8 fc   ...2.l..Z.......
    0040 - 09 c1 47 18 a5 f5 fc 67-79 88 bc ea 64 4a 1f 65   ..G....gy...dJ.e
    0050 - a5 62 4e 44 98 8e 17 49-af 89 7d f0 57 87 a2 48   .bND...I..}.W..H
    0060 - c3 b9 87 da e3 50 a3 b5-bd 63 d6 b6 1c a3 af 92   .....P...c......
    0070 - 7e ca 72 1a d6 d2 39 9b-ec 42 19 49 9d a6 88 18   ~.r...9..B.I....
    0080 - 68 02 14 cb 2e 41 ff 69-f0 b4 fa 0e c4 c2 59 af   h....A.i......Y.
    0090 - 6c 48 5a 11 c9 ff 0a cc-98 5b 6c b9 b1 22 6a ca   lHZ......[l.."j.

    Start Time: 1517939083
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK Pre-login capabilities listed, post-login capabilities have more.

I actually don't see any reason why it should fail, Okay I can use TLS without verification, but it is not like the certificate is not there...

SeLLeRoNe commented 6 years ago

I am sorry, there is nothing more you can do to help me debug this issue? I had to format the server and now I am using CentOS 7 but the problem persist, would it help if I provide an account to connect to? Can it be that it is related to the Certification Authority as you menthioned for TLS?

Thanks Best regards

techsneeze commented 6 years ago

Oh, sorry about that. I understood your previous reply as having found a work-around that would work.

My main machine is running the script from a CentOS 7 host as well. It is connecting to a Dovecot instance, like yours.

Your suggestion about the CA is interesting. It looks like you are using Let's Encrypt, so the root CA is probably not included in the list of trusted chains provided by the OS packages. I would expect it to show errors when you run the openssl commands as well, if that was the issue... but maybe not. My instance is using a "retail" certificate, which may be why I haven't seen the same issue. Also the fact that it works when you turn verify off, also points to the certificate not being able to be validated.

I just tried a query against your server using : https://www.sslchecker.com/sslchecker It shows that the Root cert is missing from the chain. Might be a Dovecot config missing?

It also looks like mail.crazynetwork.it is not one of the names in the certificate.

Those might also be unrelated, but we might be getting close?

SeLLeRoNe commented 6 years ago

mmmh, the certificate use SNI to allow multiple host in the same cert, even it it says that the hostname doesn't match you will still find the right hostname in the SAN list, so the cert it is actually valid.

Also that test is not reliable, because even if you specify a different port, it say the server is nginx, so that checking system is not really "complete"

I have also tested different ones, like: https://certlogik.com/ssl-checker/ and it say thet everything is fine. The CA Cert should be on the "client" site for trusting purpose, I am wondering if my system is not trusting that Root Cert, but OpenSSL output say it's fine, so it should be trusting that root.

I am gonna try to importo the LE CA Root in my system in the trusted list and I will check again.

Also note that the verify is for TLS and it return an error once enabled more likely related to perl rather than the system itself,, but for SSL the error is completely different.

SeLLeRoNe commented 6 years ago

No luck, I have added the CA Root to the system but it didn't make a difference in TLS nor in SSL. If I attache the CA Root to the specific domain chain the check say the certificate chain is completely missing.

To make a test I tryed to use a Gmail for Business account, imap.gmail.com on SSL the error is exactly the same while if I try to use IMAP TLS it hangs (not even the telnet to imap.gmail.com works on port 143) and on port 993 it return another error

use tls with verify servercert.
connection to imap.gmail.com:993 with Ssl => 0, User =>EMAIL-ADDRESS, Ignoresizeerrors => 1
Started at Mon Feb 19 11:57:11 2018
Using Mail::IMAPClient version 3.37 on perl 5.016003
Connecting with IO::Socket::INET PeerAddr imap.gmail.com:993 PeerPort 143 Proto tcp Timeout 600 Debug 1
Connected to imap.gmail.com:993

ERROR: socket closed while reading data from server at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 1640.
        Mail::IMAPClient::_read_line('Mail::IMAPClient=HASH(0x2430b88)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 1392
        Mail::IMAPClient::_get_response('Mail::IMAPClient=HASH(0x2430b88)', '*', 'PREAUTH') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 401
        Mail::IMAPClient::Socket('Mail::IMAPClient=HASH(0x2430b88)', 'IO::Socket::INET=GLOB(0x24465f8)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 366
        Mail::IMAPClient::connect('Mail::IMAPClient=HASH(0x2430b88)') called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 313
        Mail::IMAPClient::new('Mail::IMAPClient', 'Server', 'imap.gmail.com:993', 'Ssl', 0, 'Starttls', 'ARRAY(0x2430a50)', 'User', 'EMAIL-ADDRESS', ...) called at /home/dmarc/DMARC-Parser/dmarcts-report-parser.pl line 234
IMAP Failure: socket closed while reading data from server at /home/dmarc/DMARC-Parser/dmarcts-report-parser.pl line 234.

Also that SSL test URL you provided give the same CA Root error on imap.gmail.com and I definetely doubt that at gmail they don't know how to configure a server (well, I doubt the same of me after providing hosting for 10 years but you know, never say never :))

wheatstone commented 6 years ago

Hello,

I had a similar issue on centos 7. It seems that perl doesn't require to add the 993 port when using SSL, you should try this : imapserver = 'imap.gmail.com'; $imapuser = 'xxx'; $imappass = 'xxx'; $imapssl = '1'; # If set to 1, remember to change server port to 993 and disable imaptls. $imaptls = '0'; # Enabled as the default and best-practice. $tlsverify = '0'; # Enable verify server cert as the default and best-practice. $imapignoreerror = 0; # set it to 1 if you see an "ERROR: message_string()

expected 119613 bytes but received 81873 you may

                            # need the IgnoreSizeErrors option" because of malfunction
                            # imap server as MS Exchange 2007, ...

By not adding the port onto the imap server address, I had the script to work perfectly fine for ssl.

SeLLeRoNe commented 6 years ago

Hi there, Thank you! That actually fixed my problem!!!

Thank you very much for this!