HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)

- - Courier can't authenticate over SSL (http://www.howtoforge.com/forums/showthread.php?t=59876)

Courier can't authenticate over SSL

Followed virtual users postfix ubuntu 12.10 guide. I can connect over ports 143 and 110, but 995 and 993 don't work. Seems to be a problem with certificates but i've spent hours on google with no luck.

Telnet on 110 works fine, no errors show up in mail.log:

Code:

telnet localhost 110

Trying 127.0.0.1...

Connected to localhost.localdomain.

Escape character is '^]'.

+OK Hello there.

Telnet on 995 or 993 doesn't connect:

Code:

telnet localhost 995

Trying 127.0.0.1...

Connected to localhost.localdomain.

Escape character is '^]'.

Hangs there and I get the following entry in mail.log when I try connecting over 995 in Thunderbird:

Code:

couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

I created the certificates using mkpop3dcert and mkimapdcert. Contents of
pop3d.cnf:

Code:

RANDFILE = /usr/lib/courier/pop3d.rand



[ req ]

default_bits = 1024

encrypt_key = yes

distinguished_name = req_dn

x509_extensions = cert_type

prompt = no

default_md = sha1



[ req_dn ]

C=US

ST=TN

L=Nashville

O=Courier Mail Server

OU=Automatically-generated POP3 SSL key

CN=myhost.mydomain.com

emailAddress=info@mydomain.com





[ cert_type ]

nsCertType = server

Any ideas? I'm pretty stuck at this point.

What's the output of

Code:

netstat -tap

? Any errors in your mail log?

Code:

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 *:http                  *:*                     LISTEN      1472/apache2

tcp        0      0 *:ssh                   *:*                     LISTEN      558/sshd

tcp        0      0 *:smtp                  *:*                     LISTEN      9908/master

tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      833/amavisd-new (ma

tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      9908/master

tcp        0     52 myhost.mydomain.com:ssh 10.1.11.5:50196         ESTABLISHED 23159/sshd: patrick

tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      8476/couriertcpd

tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      8408/couriertcpd

tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      558/sshd

tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      9908/master

tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      8445/couriertcpd

tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      8513/couriertcpd

Here are all the errors in mail.log. They occur when someone tries to connect using ssl through outlook or thunderbird

Code:

pop3d-ssl: LOGIN FAILED, user=***, ip=[::ffff:***]

pop3d-ssl: Unexpected SSL connection shutdown.



pop3d-ssl: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate



postfix/smtpd[8519]: improper command pipelining after EHLO from unknown[10.1.11.5]: QUIT\r\n

I think the problem is with the certificates or how courier is handling them. netstat shows that courier is listening on 995 and 993 and I see entries in the mail log when a user tries to connect. And it doesn't seem to be a problem with saslauth or the mysql virtual users setup because users can connect just fine over 110 and 95.

However, I have no idea how to test the certificates to see where the problem is or how to fix it :(

Can you recreate the certificates and just accept the default values?