Courier likes 995/SSL, doesn't like 110/TLS.
torg
18th January 2010, 02:27
So, everything is working, the birds are singing, there's a spring in my step.
Almost.
I can login and collect mail fine if I configure Thunderbird to use SSL on port 995, but if I switch to TLS on port 110, all I get in maillog is
postfix/master[23325]: daemon started -- version 2.6.5, configuration /etc/postfix
pop3d: Connection, ip=[::ffff:192.168.1.2]
pop3d: Disconnected, ip=[::ffff:192.168.1.2]
Thunderbird reports 'Unable to establish a TLS connection to POP3 server. [...]'.
(How can I control the log-levels of pop3d and pop3d-ssl? I don't have much to go on.)
So, what's going on here? How can I tell Courier to listen to TLS on 110?
Thanks,
Mark_NL
18th January 2010, 09:49
What's the content of your main.cf?
torg
18th January 2010, 11:23
What's the content of your main.cf?
main.cf? Doesn't that control PostFix?
Anyway,
[root@torg ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
debug_peer_list = $myhostname $mydomain
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost, localhost.localdomain
mydomain = $myhostname
myhostname = mydomain.com
mynetworks = 192.168.1.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/README_FILES
relay_domains =
relayhost = smtp1.bethere.co.uk:25
sample_directory = /usr/share/doc/postfix-2.6.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 3
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000
Mark_NL
18th January 2010, 13:02
Aw crap .. I mean Courier :)
/etc/courier/pop3d
there's a setting called POP3AUTH_TLS= ""
torg
18th January 2010, 18:17
[root@torg ~]# sed '/^\#/d' /etc/courier/pop3d | sed '/^$/d'
PIDFILE=/var/spool/courier/tmp/pop3d.pid
MAXDAEMONS=40
MAXPERIP=4
POP3AUTH=""
POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
POP3AUTH_TLS=""
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
POP3_PROXY=0
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=pop3d"
POP3DSTART=YES
MAILDIRPATH=Maildir
and
[root@torg ~]# sed '/^\#/d' /etc/courier/pop3d-ssl | sed '/^$/d'
SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/spool/courier/tmp/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=1
COURIERTLS=/usr/lib/courier/bin/couriertls
TLS_STARTTLS_PROTOCOL=TLS1
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/usr/lib/courier/share/pop3d.pem
TLS_TRUSTCERTS=/etc/pki/tls/cert.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/spool/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
I tried setting POP3AUTH_TLS="LOGIN", but that had no effect. I don't want to fiddle, 'cos I'll only break things.
Where should I be looking, exactly?
esmiz
10th February 2010, 04:27
Hi Torg
Did you finally fix it?
I'm having the exact same issue on a server running Debian. TLS doesn't want to work. Thunderbird says:
An error occurred during a connection to mail.server1.com:110.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Config files pop3d and pop3d-ssl are default from ispconfig 3
Regards
esmiz
11th February 2010, 03:29
Hi there
Apparently courier is not sending a valid certificate. Doing from outside:
openssl s_client -connect mail.larawines.com:pop3s -starttls pop3
I get
CONNECTED(00000003)
21206:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Running the same command within the server, I get:
CONNECTED(00000003)
write:errno=32
This is what I see in syslog:
Feb 11 03:36:04 ks363572 pop3d-ssl: couriertls: /etc/ssl/certs/70cdada4.0: No such file or directory
It's quite weird because I have another server also running Debian lenny 64-bit with the same settings that works well.
It's a self-signed certificate and I have recreated it many times, but that shouldn't matter, should it?
Does anyone have any clue?
Regards
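As an added diagnostic (not code from the thread or from Courier), a small Python probe that separates the two modes the thread keeps mixing up: cleartext POP3 on 110 upgraded with STLS, versus TLS-on-connect on 995. Note that openssl's `-starttls pop3` belongs with port 110; to test port 995, connect without it. Host names, ports and the sample responses below are constructed; the Courier-style "+OK Hello there." banner is only a sample value.

```python
import socket
import ssl

TLS_HANDSHAKE = 0x16  # TLS record type carrying ClientHello/ServerHello

def classify_first_bytes(data: bytes) -> str:
    """Cleartext POP3 (port 110, STLS-upgradeable) greets with "+OK"; POP3 over
    TLS (port 995) stays silent until the ClientHello.  A client that opens a TLS
    handshake against the cleartext port reads the "+OK" banner as a TLS record
    with an absurd length, which is Thunderbird's ssl_error_rx_record_too_long."""
    if not data:
        return "silent"
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls"
    if data.startswith(b"+OK"):
        return "pop3-cleartext"
    return "unknown"

def stls_offered(capa_response: bytes) -> bool:
    """Parse a CAPA reply (RFC 2449); True if STLS is among the capabilities."""
    lines = capa_response.split(b"\r\n")
    if not lines[0].startswith(b"+OK"):
        return False
    return b"STLS" in {ln.strip().upper() for ln in lines[1:] if ln and ln != b"."}

def probe_stls(host: str, port: int = 110, timeout: float = 5.0) -> dict:
    """Live diagnostic (needs network): greeting, CAPA, STLS, then TLS upgrade."""
    result = {"greeting": None, "stls": False, "tls": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            result["greeting"] = classify_first_bytes(sock.recv(1024))
        except socket.timeout:
            result["greeting"] = "silent"  # behaves like a TLS-on-connect port
        if result["greeting"] != "pop3-cleartext":
            return result
        sock.sendall(b"CAPA\r\n")
        result["stls"] = stls_offered(sock.recv(4096))  # CAPA replies are short
        if not result["stls"]:
            return result
        sock.sendall(b"STLS\r\n")
        if not sock.recv(1024).startswith(b"+OK"):
            return result
        try:  # the default context verifies the certificate, so a bad one is reported
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = tls.version()
        except ssl.SSLError as exc:
            result["tls"] = "failed: %s" % (exc.reason or exc)
    return result
```

Run `probe_stls("mail.example.invalid", 110)` against your own server: a "silent" greeting on 110 or a "pop3-cleartext" greeting on 995 means the port and the client's TLS mode disagree, while `"tls": "failed: ..."` points at the certificate, as in the couriertls "No such file or directory" log line above.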
esmiz
11th February 2010, 17:10
Good afternoon
Well, finally the problem seems to be solved. And it had an easy solution, just
aptitude purge ca-certificates ssl-cert courier-ssl courier-imap-ssl courier-pop-ssl
and after that
aptitude install ca-certificates ssl-cert courier-ssl courier-imap-ssl courier-pop-ssl
That was the last thing I wanted to do because I thought that uninstalling things could have nasty effects on the rest of the ispconfig 3 setup, but everything seems to be still working.
It looks like the default certificates that courier makes during reinstallation work, but not the ones I make myself. I'd like to understand why, but thinking twice I'm happy and just hope the problem is really fixed.
Regards