PDA

View Full Version : imapd-ssl: Unexpected SSL connection shutdown.


noahlau
14th March 2006, 07:04
Hello all.

My email server is postfix + courier imap + courier imap ssl + amavis + clamav + spamassassin.

I am fine when i am using IMAP ( port 143 ) to receive my emails. I also can receive emails with IMAP-SSL ( port 993 ).

However, I receive error that is Unexpected SSL connection shutdown when i am using IMAP-SSL to receive emails:

Mar 14 12:56:32 server1 imapd-ssl: Connection, ip=[::ffff:219.79.136.253]
Mar 14 12:56:32 server1 imapd-ssl: LOGIN, user=noahlau, ip=[::ffff:219.79.136.253], protocol=IMAP
Mar 14 12:56:33 server1 imapd-ssl: Unexpected SSL connection shutdown.
Mar 14 12:56:33 server1 imapd-ssl: DISCONNECTED, user=noahlau, ip=[::ffff:219.79.136.253], headers=0, body=0, time=1, starttls=1
Mar 14 12:56:33 server1 imapd-ssl: Connection, ip=[::ffff:219.79.136.253]
Mar 14 12:56:33 server1 imapd-ssl: LOGIN, user=noahlau, ip=[::ffff:219.79.136.253], protocol=IMAP
Mar 14 12:56:33 server1 imapd-ssl: Unexpected SSL connection shutdown.
Mar 14 12:56:33 server1 imapd-ssl: DISCONNECTED, user=noahlau, ip=[::ffff:219.79.136.253], headers=0, body=2180, time=0, starttls=1

Any Idea ??? thank you so much !!!!

Regards
noahlau

till
14th March 2006, 10:18
Did you get this error with other email clients too?

noahlau
14th March 2006, 11:39
Did you get this error with other email clients too?

yes,i also get this error from other clients too.

dont know what is the reason.

i use Outlook Express 2000 in the client Computer

noahlau
14th March 2006, 17:14
ok, i think it is outlook express issue, because i got no error after i switch to use Thunderbird email client application.

falko
14th March 2006, 18:49
Can you run telnet localhost 25 and then issue ehlo localhost? What's the output?

Which distribution do you use?

noahlau
15th March 2006, 04:22
Can you run telnet localhost 25 and then issue ehlo localhost? What's the output?

Which distribution do you use?

thank you for your reply

i am using Debian 3.1,

ehlo localhost
250-server1.faithfulnet.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME


1.the config in /etc/courier/imapd-ssl:

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

2. main.cf

biff = no
append_dot_mydomain = no
myhostname = server1.faithfulnet.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = faithfulnet.com, server1.faithfulnet.com, localhost.faithfulnet.
com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,rejec
t_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
content_filter = amavis:[127.0.0.1]:10024

falko
15th March 2006, 13:59
Hm, looks ok... :confused:

airstrip
2nd June 2009, 16:56
This solution may help someone out there with a similar server setup:

I have an isp config installation on my debian sarge machine, running with courier-ssl and postfix, following instructions from:
http://www.howtoforge.com/perfect_setup_debian_sarge_p4

I also had imapd-ssl: Unexpected SSL connection shutdown messages appearing in /var/log/mail.log

The problem I found was with smtpd.pem file in /etc/postfix/ssl
If you check the file with this command.

openssl x509 -noout -text -in smtpd.pem
It will report an error about expecting a TRUSTED certificate.

The solution is to create a .pem file from your .key and .crt files:
cat smtpd.key smtpd.key > smtpd.pem
openssl gendh >> smtpd.pem

Then check the file with:
openssl x509 -noout -text -in smtpd.pem

This will replace the .pem file that was generated in the perfect setup, and create one that is properly formed and worked on my setup. Hopefully it helps yours.

Thanks to this ssl cheat sheet, by David Mcnugget:
http://macnugget.org/projects/sslcheatsheet/

I've also posted on this issue when installing a RapidSSL cert.
http://www.howtoforge.com/forums/showthread.php?p=71572#post71572

Have fun!

Ovidiu
21st June 2012, 02:10
Same problem here as noahlau but I can't apply the solution airstrip posted because I don't have a smtpd.pem file and neither does noahlau.

Any more info?

airstrip
21st June 2012, 02:37
I had to get into this way back in '09 to install some 'real' ssl certificates. I've forgotten what I was doing then, and maybe my filenames are different to the perfect setup because of my custom work. But the problem with the shutdown was the .pem file, so check it.

I suggest you do have a .pem file somewhere, perhaps it is here:

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

Locate the .pem file and try what I suggested above to check it.

and I note that I made an error in my post above.
To create the .pem file you should use this to combine the .key and .crt:

cat smtpd.key smtpd.crt > smtpd.pem
openssl gendh >> smtpd.pem

I'm not an expert, just persistent, and so that's as far as I can help you. Good luck.

TiTex
21st June 2012, 08:50
isn't it easyer to just get a free certificate from http://cert.startcom.org/ or www.cacert.org ?
however you can allways generate a self signed certificate

this will generate a single file containing your cerificate and private key in a single file cert.pem in your home dir
openssl req -new -x509 -days 1000 -nodes -out ~/cert.pem -keyout ~/cert.pem

or separate cert and key

openssl req -new -x509 -days 1000 -nodes -out ~/cert.pem -keyout ~/key.pem