Courier IMAP & POP without SSL work, but not with SSL.

Discussion in 'Installation/Configuration' started by Traxus, Jan 6, 2006.

  1. Traxus

    Traxus New Member

    I have setup ISPConfig on a conputer running Suse 10 (this is my first serious go at Linux), following the perfect setup instructions, and proceeded to test. I managed to send a web hosting user mails, and I can download them using POP3 and IMAP to a mail client (Mozilla Suite). It does not work when I try to do the same using POP3S or IMAPS.

    As described in the perfect setup, I am using the courier-pop-ssl and courier-imap-ssl daemons for that. Both are started, I double checked that.

    "netstat -tap" shows me:
    tcp        0      0 *:imaps                 *:*                     LISTEN                                           4757/couriertcpd
    tcp        0      0 *:pop3s                 *:*                     LISTEN                                           5095/couriertcpd
    tcp        0      0 *:pop3                  *:*                     LISTEN                                           5180/couriertcpd
    tcp        0      0 *:imap                  *:*                     LISTEN                                           4755/couriertcpd
    So I assume they are really listening to the correct ports. When Mozilla tries to connect to the server, it just mills a while, and then time-outs and returns that the server was disconnected. In the mail log appear lines like:
    Jan 6 00:17:11 mars imapd: Connection, ip=[::ffff:]
    for the attempted imaps connections, simmilar for the pop3s ones.

    Has anyone an idea what could be wrong, or give me a hint on the way to the solution? Thank You.
  2. falko

    falko Super Moderator

  3. Traxus

    Traxus New Member

    Thank You.
    I have, following the data out of the give threat, backed up the existing imapd and pop3d certificates, edited both cnf files to generate more correct certificates (with the real name of the mail server), and restarted the two mail daemons. This had not fixed the problem.

    iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Last edited: Jan 6, 2006
  4. falko

    falko Super Moderator

    Ok, your firewall is not the problem (because it isn't turned on). Did you try to restart Courier and maybe even your whole system?
    Aren't there any more precise messages in your logs?
  5. Traxus

    Traxus New Member

    Related to courier and postfix I know of the "mail" log, which contains informations about the attempted connects and disconnects, but otherwise I am a complete Linux noobie. Are the any other logs I could check, have you any recomendation? Maybe some specific log Courier notes down its actions?

    Maybe I should mention that I encountered a bug in the Courier instalation on Suse 10, it does not per default assign the Courier SSL daemons to the correct ports, but to the non SSL ones. In the courier-pop3-ssl and couriter-imap-ssl daemon startup scripts were errors I fixed. I am wondering if anyone got ISPConfig working with courier on the released Suse 10, maybe there are additional glitches in there beside the wrong ports.
    Thank You.

    PS: I have restarted the system, now I have discovered following rather interesting entries in the mail log:
    Jan  6 11:17:12 mars authdaemond: modules="authuserdb authpam authldap authcustom authpipe", daemons=5
    Jan  6 11:17:12 mars authdaemond: Installing libauthuserdb
    Jan  6 11:17:12 mars authdaemond: cannot open shared object file: No such file or directory
    Jan  6 11:17:12 mars authdaemond: Installing libauthpam
    Jan  6 11:17:12 mars authdaemond: Installation complete: authpam
    Jan  6 11:17:12 mars authdaemond: Installing libauthldap
    Jan  6 11:17:12 mars authdaemond: cannot open shared object file: No such file or directory
    Jan  6 11:17:12 mars authdaemond: Installing libauthcustom
    Jan  6 11:17:12 mars authdaemond: Installation complete: authcustom
    Jan  6 11:17:12 mars authdaemond: Installing libauthpipe
    Jan  6 11:17:12 mars authdaemond: Installation complete: authpipe
    Jan  6 11:17:22 mars postfix/postfix-script: starting the Postfix mail system
    Jan  6 11:17:22 mars postfix/master[5252]: daemon started -- version 2.2.5, configuration /etc/postfix
    Another few facts:
    "telnet localhost 143" replies:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
    "telnet localhost 993" replies
    Shouldnt a normal telnet to port 993 be straightly rejected?

    "openssl s_client -connect localhost:993" replies
    6868:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:494:
    The above implies that there is a daemon running on port 993, but its not supporting the SSL protocol? I cannot currently attempt to connect through a client to it, will try that in the later afternoon.
    Last edited: Jan 6, 2006
  6. falko

    falko Super Moderator

    No, no other logs, it's the mail log...

    What did you change in the scripts? The ports are:
    993 for IMAPS
    995 for POP3S
  7. Traxus

    Traxus New Member

    Yes, thats what I did. The scripts used the constants $PORT, which were set to the 110 or 143, instead of the constants $SSLPORT, which were set to 993 and 995. Without that change courier SSL implementations did listen to the wrong ports. Now I am having the feeling they do listen to the right ports, but not using SSL encriptions, since I just had a nice conversation with the POP3 SSL daemon through normal telnet:
    mars:/etc/courier # telnet localhost 995
    Connected to localhost.
    Escape character is '^]'.
    +OK Hello there.
    user test.inovabit.com_testie
    +OK Password required.
    pass <CENZORED>
    +OK logged in.
    +OK POP3 clients that break here, they violate STD53.
    1 1411
    2 1402
    +OK Bye-bye.
    Connection closed by foreign host.
    I dont think this should have worked this way if encryption was active, right?
  8. falko

    falko Super Moderator

    Did you have a look into
    if there's something you can do to enable IMAPS and POP3S?
  9. Traxus

    Traxus New Member

    Both services, courier-pop-ssl and courier-imap-ssl are running and receiving traffic on the correct ports. To my limited knowledge though they seem to expect non-encrypted (non-SSL) traffic. If you look above, I initiated a telnet connection to port 995.

    I have been searching for a solution all over the net in the last day or so, the problem is that so far I found references of about 2 people having the same problem as me under Suse 10, but no data if they solved it and how, only simmilar posts as is mine on here. It seems in Suse 10 the courier scripts were changed, and by default they start on the wrong port, and when people fix it authorisation fails. I supose the next step is to find some old suse 9.x script and see if I can extract what is wrong with the 10 scripts.

    In case I do not manage to fix this bug... What would be the Linux distribution that would be recomended for ISPConfig?

    PS: Lovely. I cobbled together a complete solution to the IMAP part of the problem. The courier package scripts in Suse 10 are riddled with bugs. Now I will see if I can do the same for the POP3 part, then I will post the solution on here for any other poor soul after I tested it.
    Last edited: Jan 6, 2006
  10. falko

    falko Super Moderator

    Any distribution that HowtoForge has a tutorial for, and also CentOS 4.1/4.2 (I haven't written a tutorial for CentOS yet, but I've been told it is working :) ).

    Personally, I recommend Debian.

    That would be great! :)
  11. Traxus

    Traxus New Member

    Once again, thanks for all the offered assistance.

    I would say Courier works well now after some testing. I get occasionaly a situation that looks like Mozilla keeps polling IMAP folders that are empty on the server, but that doesnt look critical.

    Here the solution how to get Courier POP3 and IMAP working correctly over SSL on Suse 10.0:
    This distributions comes with broken service start scripts courier-pop-ssl and courier-imap-ssl in /etc/init.d/. You can find the corrected scripts as attachments to this post.

    It is possible that the people at Suse will release a fix for that problem, but I have a feeling they will skip on that and it will be only come corrected with the upcomming 10.1 release.

    Attached Files:

  12. st2xo

    st2xo New Member

    your wrong - there are 3 people having the same problem! ;)

    After searching and googling more than 1 day at all, we had the same idea at the same time and patched the /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl files

    Your script courier-pop-ssl.gz (thank you!) won´t work at our system (I think mostly same configuration than your system), the courier-imap-ssl.gz we had´nt tested.
    If I use courier-pop-ssl.gz the courier-pop-ssl seems to be completly crashed
    /etc/init.d/courier-pop-ssl status
    /etc/init.d/courier-pop-ssl stop
    /etc/init.d/courier-pop-ssl start
    won´t give a result.
    After resetting to the original pop3d-ssl (from Suse10 perfect setup) the status/stop/start are giving the regular results.

    So here I post that both scripts propably patched a little bit different from your scripts. I didn´t checked out the differences, after 10 hours courier, postfix, pop and imap my nerves can´t anymore :rolleyes:

    At the end now these services are working
    • pop3-SSL (port 995)
    • imap-SSL (995)
    • smtp_auth with TLS (25)

    these service aren´t working
    • pop3 TLS (25)
    • imap TLS (25)
    • pop3-SSL secure authentification
    • imap-SSL secure authentification
    • smtp_auth with SSL (465)

    I think that there is still a problem with the deamons running not on all ports they should. But at least, secure mail transfer is now possible and at next I will look to much other things to configure on our new system. There is much stuff to do ...

    hope that helps, too ....

    Attached Files:

  13. Traxus

    Traxus New Member

    Interesting. I am curious what the differences are between our two solutions, maybe we should provide a more general solution. Thank You for the contribution.

    Right now I am fighting to setup the PHP correctly to handle Postnuke... :D
  14. wwparrish

    wwparrish New Member

    Your both wrong, there are at least 4 people with this problem :D

    Did perfect install on clean new os install. All seemed fine, all checks during install did as documented. Now after a couple of reboots some stuff is not running and same issues as above. I am lookin at the scripts for the services now.

    MAJOR Bummer !!!!

    edit: Unless someone objects I would like to document my investigation here in this post with updates via editing, It might help someone else, keeps me from jotting notes all over the place and someone might notice something I missed or misunderstood.

    note that st20x files are the config files as found in /etc/courier
    and Traxus files are the acutal startup scricpts found in /etc/init.d

    made a backup copy of /etc/init.d/courier-imap-ssl and used Traxus file instead. Ran it with the restart command
    ares:/etc/init.d # ./courier-imap-ssl restart
    Shutting down Courier-IMAP (SSL) done
    Starting Courier-IMAP (SSL)
    ares:/etc/init.d # netstat -tap
    tcp 0 0 *:imaps *:* LISTEN 3040/couriertcpd

    Woo Hooo !!! now have something listening at least.

    ok same thing with courier-pop-ssl.
    it runs now!!!
    chmod 755 ./courier-pop-ssl
    ares:/etc/init.d # ./courier-pop-ssl restart
    Shutting down Courier-POP3 (SSL) done
    Starting Courier-POP3 (SSL)unlimited
    ares:/etc/init.d # netstat -tap

    tcp 0 0 *:pop3s *:* LISTEN 3572/couriertcpd
    Last edited: Feb 6, 2006
  15. wad

    wad New Member

    Okay, I've got the same problem. Courier-imap on SUSE 10, when trying to get imap-ssl working, is just broken. I'm fairly new to linux, and it would be great if someone could post a solution to the problem here.

    --- ERic
  16. falko

    falko Super Moderator

    There are three different solutions posted above - did you try them?

Share This Page