Courier can't authenticate over SSL

Discussion in 'Server Operation' started by patrick3853, Dec 4, 2012.

  1. patrick3853

    patrick3853 New Member

    Followed virtual users postfix ubuntu 12.10 guide. I can connect over ports 143 and 110, but 995 and 993 don't work. Seems to be a problem with certificates but i've spent hours on google with no luck.

    Telnet on 110 works fine, no errors show up in mail.log:

    Code:
    telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    +OK Hello there.
    Telnet on 995 or 993 doesn't connect:

    Code:
    telnet localhost 995
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    Hangs there and I get the following entry in mail.log when I try connecting over 995 in Thunderbird:

    Code:
    couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    I created the certificates using mkpop3dcert and mkimapdcert. Contents of
    pop3d.cnf:

    Code:
    RANDFILE = /usr/lib/courier/pop3d.rand
    
    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no
    default_md = sha1
    
    [ req_dn ]
    C=US
    ST=TN
    L=Nashville
    O=Courier Mail Server
    OU=Automatically-generated POP3 SSL key
    CN=myhost.mydomain.com
    emailAddress=info@mydomain.com
    
    
    [ cert_type ]
    nsCertType = server
    Any ideas? I'm pretty stuck at this point.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    netstat -tap
    ? Any errors in your mail log?
     
  3. patrick3853

    patrick3853 New Member

    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:http                  *:*                     LISTEN      1472/apache2
    tcp        0      0 *:ssh                   *:*                     LISTEN      558/sshd
    tcp        0      0 *:smtp                  *:*                     LISTEN      9908/master
    tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      833/amavisd-new (ma
    tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      9908/master
    tcp        0     52 myhost.mydomain.com:ssh 10.1.11.5:50196         ESTABLISHED 23159/sshd: patrick
    tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      8476/couriertcpd
    tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      8408/couriertcpd
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      558/sshd
    tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      9908/master
    tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      8445/couriertcpd
    tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      8513/couriertcpd
    Here are all the errors in mail.log. They occur when someone tries to connect using ssl through outlook or thunderbird

    Code:
    pop3d-ssl: LOGIN FAILED, user=***, ip=[::ffff:***]
    pop3d-ssl: Unexpected SSL connection shutdown.
    
    pop3d-ssl: couriertls: read: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    
    postfix/smtpd[8519]: improper command pipelining after EHLO from unknown[10.1.11.5]: QUIT\r\n
     
    Last edited: Dec 5, 2012
  4. patrick3853

    patrick3853 New Member

    I think the problem is with the certificates or how courier is handling them. netstat shows that courier is listening on 995 and 993 and I see entries in the mail log when a user tries to connect. And it doesn't seem to be a problem with saslauth or the mysql virtual users setup because users can connect just fine over 110 and 95.

    However, I have no idea how to test the certificates to see where the problem is or how to fix it :(
     
  5. falko

    falko Super Moderator ISPConfig Developer

    Can you recreate the certificates and just accept the default values?
     

Share This Page