[courier-users] SSL problem unsolved with courier 0.56.0

permalink · #1 (**permalink**) 07-19-2007

--===============1903012664==
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content=3D"text/html;charset=3DUTF-8" http-equiv=3D"Content-Type"=
>
</head>
<body bgcolor=3D"#ffffff" text=3D"#000000">
Hi 
 
I have to install a new mailserver for my company on a red hat
enterprise linux 5 and I choosed Courier as my suite. 
I've builded rpm package with rpmbuild, following Courier website
instructions and I've installed this package: 
 
courier-authlib-0.59.3-10.rh5Server 
courier-authlib-ldap-0.59.3-10.rh5Server 
courier-pop3d-0.56.0-1.5Server 
courier-webadmin-0.56.0-1.5Server 
courier-authlib-devel-0.59.3-10.rh5Server 
courier-maildrop-0.56.0-1.5Server 
courier-imapd-0.56.0-1.5Server 
courier-maildrop-wrapper-0.56.0-1.5Server 
courier-0.56.0-1.5Server 
courier-ldap-0.56.0-1.5Server 
 
I've a problem with imap-over-ssl and pop3-over-ssl. I used mkimapdcert
and mkpop3dcert to create my self-signed certs and then I set up
imapd-ssl and pop3d-ssl with 
 
TLS_PROTOCOL=3DSSL23 
 
after this thread "[courier-users] SSL problems with courier 0.56.0"<=
br>
 
I tried also with<big> 
 
</big>SSL_PROTOCOL=3D223 
 
but in both cases=C2=A0 I have the same error in /var/log/maillog =

 
imapd-ssl: couriertls: connect: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number 
 
If i use TLS, instead, i don't have this error. 
 
Anyone can help me? 
 
For completeness, print imap-ssl and pop3d-ssl conf here 
 
Bye Daniele 
 
 
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DIMAPD-SSL=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D 
##VERSION: $Id: imapd-ssl.dist.in,v 1.12 2005/07/02 01:13:57
mrsam Exp $ 
# 
# imapd-ssl created from imapd-ssl.dist by sysconftool 
# 
# Do not alter lines that begin with ##, they are used when upgrading =

# this configuration. 
# 
#=C2=A0 Copyright 2000 - 2004 Double Precision, Inc.=C2=A0 See COPYING fo=
r 
#=C2=A0 distribution information. 
# 
#=C2=A0 This configuration file sets various options for the Courier-IMAP=

server 
#=C2=A0 when used to handle SSL IMAP connections. 
# 
#=C2=A0 SSL and non-SSL connections are handled by a dedicated instance o=
f
the 
#=C2=A0 couriertcpd daemon.=C2=A0 If you are accepting both SSL and non-S=
SL IMAP 
#=C2=A0 connections, you will start two instances of couriertcpd, one on =
the 
#=C2=A0 IMAP port 143, and another one on the IMAP-SSL port 993. 
# 
#=C2=A0 Download OpenSSL from <a class=3D"moz-txt-link-freetext" href=3D"=
http://www.openssl.org/">http://www.openssl.org/</a> 
# 
##NAME: SSLPORT:1 
# 
#=C2=A0 Options in the imapd-ssl configuration file AUGMENT the options i=
n
the 
#=C2=A0 imapd configuration file.=C2=A0 First the imapd configuration fil=
e is
read, 
#=C2=A0 then the imapd-ssl configuration file, so we do not have to redef=
ine 
#=C2=A0 anything. 
# 
#=C2=A0 However, some things do have to be redefined.=C2=A0 The port numb=
er is 
#=C2=A0 specified by SSLPORT, instead of PORT.=C2=A0 The default port is =
port 993. 
# 
#=C2=A0 Multiple port numbers can be separated by commas.=C2=A0 When mult=
iple port 
#=C2=A0 numbers are used it is possibly to select a specific IP address f=
or a 
#=C2=A0 given port as "ip.port".=C2=A0 For example, "127.0.0.1.900,192.68=
=2E0.1.900" 
#=C2=A0 accepts connections on port 900 on IP addresses 127.0.0.1 and
192.68.0.1 
#=C2=A0 The SSLADDRESS setting is a default for ports that do not have<br=
>
#=C2=A0 a specified IP address. 
 
SSLPORT=3D993 
 
##NAME: SSLADDRESS:0 
# 
#=C2=A0 Address to listen on, can be set to a single IP address. 
# 
# SSLADDRESS=3D127.0.0.1 
 
SSLADDRESS=3D0 
 
##NAME: SSLPIDFILE:0 
# 
# That's the SSL IMAP port we'll listen on. 
# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP. 
 
SSLPIDFILE=3D/var/spool/courier/tmp/imapd-ssl.pid 
 
##NAME: SSLLOGGEROPTS:0 
# 
# courierlogger(1) options. 
# 
 
SSLLOGGEROPTS=3D"-name=3Dimapd-ssl" 
 
##NAME: IMAPDSSLSTART:0 
# 
# Different pid files, so that both instances of couriertcpd can coexist<=
br>
# happily. 
# 
# You can also redefine IMAP_CAPABILITY, although I can't 
# think of why you'd want to do that. 
# 
# 
# Ok, the following settings are new to imapd-ssl: 
# 
#=C2=A0 Whether or not to start IMAP over SSL on simap port: 
 
IMAPDSSLSTART=3DYES 
 
##NAME: IMAPDSTARTTLS:0 
# 
#=C2=A0 Whether or not to implement IMAP STARTTLS extension instead: 
 
IMAPDSTARTTLS=3DYES 
 
##NAME: IMAP_TLS_REQUIRED:1 
# 
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. 
# (this option advertises the LOGINDISABLED IMAP capability, until
STARTTLS 
# is issued). 
 
IMAP_TLS_REQUIRED=3D0 
 
 
################################################## #######################=
 
# 
# The following variables configure IMAP over SSL.=C2=A0 If OpenSSL is
available 
# during configuration, the couriertls helper gets compiled, and upon =

# installation a dummy TLS_CERTFILE gets generated.=C2=A0 courieresmtpd w=
ill 
# automatically advertise the ESMTP STARTTLS extension if both
TLS_CERTFILE 
# and COURIERTLS exist. 
# 
# WARNING: Peer certificate verification has NOT yet been tested.=C2=A0
Proceed 
# at your own risk.=C2=A0 Only the basic SSL/TLS functionality is known t=
o be 
# working. Keep this in mind as you play with the following variables.<br=
>
# 
##NAME: COURIERTLS:0 
# 
 
COURIERTLS=3D/usr/lib/courier/bin/couriertls 
 
##NAME: TLS_PROTOCOL:0 
# 
# TLS_PROTOCOL sets the protocol version.=C2=A0 The possible versions are=
: 
# 
# SSL2 - SSLv2 
# SSL3 - SSLv3 
# TLS1 - TLS1 
 
#TLS_PROTOCOL=3DSSL3 
TLS_PROTOCOL=3DSSL23 
 
##NAME: TLS_STARTTLS_PROTOCOL:0 
# 
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP
STARTTLS 
# extension, as opposed to IMAP over SSL on port 993. 
#TLS_STARTTLS_PROTOCOL=3DTLS1 
TLS_STARTTLS_PROTOCOL=3DSSL23 
 
##NAME: TLS_CIPHER_LIST:0 
# 
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the<b=
r>
# OpenSSL library.=C2=A0 In most situations you can leave TLS_CIPHER_LIST=
 
# undefined 
# 
# TLS_CIPHER_LIST=3D"ALL:!ADH:RC4+RSA:+SSLv2:@STRENG TH" 
 
##NAME: TLS_TIMEOUT:0 
# TLS_TIMEOUT is currently not implemented, and reserved for future use.<=
br>
# This is supposed to be an inactivity timeout, but its not yet
implemented. 
# 
 
##NAME: TLS_DHCERTFILE:0 
# 
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.<b=
r>
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA<b=
r>
# you must generate a DH pair that will be used.=C2=A0 In most situations=
the 
# DH pair is to be treated as confidential, and the file specified by =

# TLS_DHCERTFILE must not be world-readable. 
# 
# TLS_DHCERTFILE=3D 
 
##NAME: TLS_CERTFILE:0 
# 
# TLS_CERTFILE - certificate to use.=C2=A0 TLS_CERTFILE is required for
SSL/TLS 
# servers, and is optional for SSL/TLS clients.=C2=A0 TLS_CERTFILE is usu=
ally 
# treated as confidential, and must not be world-readable. 
# 
TLS_CERTFILE=3D/usr/lib/courier/share/imapd.pem 
 
##NAME: TLS_TRUSTCERTS:0 
# 
# TLS_TRUSTCERTS=3Dpathname - load trusted certificates from pathname.<br=
>
# pathname can be a file or a directory. If a file, the file should 
# contain a list of trusted certificates, in PEM format. If a 
# directory, the directory should contain the trusted certificates, 
# in PEM format, one per file and hashed using OpenSSL's c_rehash 
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying 
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set 
# to PEER or REQUIREPEER). 
# 
# 
# TLS_TRUSTCERTS=3D 
 
##NAME: TLS_VERIFYPEER:0 
# 
# TLS_VERIFYPEER - how to verify client certificates.=C2=A0 The possible
values of 
# this setting are: 
# 
# NONE - do not verify anything 
# 
# PEER - verify the client certificate, if one's presented 
# 
# REQUIREPEER - require a client certificate, fail if one's not
presented 
# 
# 
TLS_VERIFYPEER=3DNONE 
 
##NAME: TLS_CACHE:0 
# 
# A TLS/SSL session cache may slightly improve response for IMAP clients<=
br>
# that open multiple SSL sessions to the server.=C2=A0 TLS_CACHEFILE will=
be 
# automatically created, TLS_CACHESIZE bytes long, and used as a cache<br=
>
# buffer. 
# 
# This is an experimental feature and should be disabled if it causes =

# problems with SSL clients.=C2=A0 Disable SSL caching by commenting out =
the 
# following settings: 
 
TLS_CACHEFILE=3D/var/spool/courier/couriersslcache 
TLS_CACHESIZE=3D524288 
 
##NAME: MAILDIRPATH:0 
# 
# MAILDIRPATH - directory name of the maildir directory. 
# 
MAILDIRPATH=3D../Maildir 
 
 
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DPOP3D-SSL=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D 
##VERSION: $Id: pop3d-ssl.dist.in,v 1.13 2005/07/02 01:13:57
mrsam Exp $ 
# 
# pop3d-ssl created from pop3d-ssl.dist by sysconftool 
# 
# Do not alter lines that begin with ##, they are used when upgrading =

# this configuration. 
# 
#=C2=A0 Copyright 2000-2004 Double Precision, Inc.=C2=A0 See COPYING for<=
br>
#=C2=A0 distribution information. 
# 
#=C2=A0 This configuration file sets various options for the Courier-IMAP=

server 
#=C2=A0 when used to handle SSL POP3 connections. 
# 
#=C2=A0 SSL and non-SSL connections are handled by a dedicated instance o=
f
the 
#=C2=A0 couriertcpd daemon.=C2=A0 If you are accepting both SSL and non-S=
SL POP3 
#=C2=A0 connections, you will start two instances of couriertcpd, one on =
the 
#=C2=A0 POP3 port 110, and another one on the POP3-SSL port 995. 
# 
#=C2=A0 Download OpenSSL from <a class=3D"moz-txt-link-freetext" href=3D"=
http://www.openssl.org/">http://www.openssl.org/</a> 
# 
##NAME: SSLPORT:0 
# 
#=C2=A0 Options in the pop3d-ssl configuration file AUGMENT the options i=
n
the 
#=C2=A0 pop3d configuration file.=C2=A0 First the pop3d configuration fil=
e is
read, 
#=C2=A0 then the pop3d-ssl configuration file, so we do not have to redef=
ine 
#=C2=A0 anything. 
# 
#=C2=A0 However, some things do have to be redefined.=C2=A0 The port numb=
er is 
#=C2=A0 specified by SSLPORT, instead of PORT.=C2=A0 The default port is =
port 995. 
# 
#=C2=A0 Multiple port numbers can be separated by commas.=C2=A0 When mult=
iple port 
#=C2=A0 numbers are used it is possibly to select a specific IP address f=
or a 
#=C2=A0 given port as "ip.port".=C2=A0 For example, "127.0.0.1.900,192.68=
=2E0.1.900" 
#=C2=A0 accepts connections on port 900 on IP addresses 127.0.0.1 and
192.68.0.1 
#=C2=A0 The SSLADDRESS setting is a default for ports that do not have<br=
>
#=C2=A0 a specified IP address. 
 
SSLPORT=3D995 
 
##NAME: SSLADDRESS:0 
# 
#=C2=A0 Address to listen on, can be set to a single IP address. 
# 
# SSLADDRESS=3D127.0.0.1 
 
SSLADDRESS=3D0 
 
##NAME: SSLPIDFILE:0 
# 
# 
# 
 
SSLPIDFILE=3D/var/spool/courier/tmp/pop3d-ssl.pid 
 
##NAME: SSLLOGGEROPTS:0 
# 
# courierlogger(1) options. 
# 
 
SSLLOGGEROPTS=3D"-name=3Dpop3d-ssl" 
 
##NAME: POP3DSSLSTART:0 
# 
#=C2=A0 Whether or not to start POP3 over SSL on spop3 port: 
 
POP3DSSLSTART=3DYES 
 
##NAME: POP3_STARTTLS:0 
# 
# Whether or not to implement the POP3 STLS extension: 
 
POP3_STARTTLS=3DYES 
 
##NAME: POP3_TLS_REQUIRED:1 
# 
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. 
# (this option advertises the LOGINDISABLED POP3 capability, until
STARTTLS 
# is issued). 
 
POP3_TLS_REQUIRED=3D0 
 
##NAME: COURIERTLS:0 
# 
# The following variables configure POP3 over SSL.=C2=A0 If OpenSSL is
available 
# during configuration, the couriertls helper gets compiled, and upon =

# installation a dummy TLS_CERTFILE gets generated.=C2=A0 courieresmtpd w=
ill 
# automatically advertise the ESMTP STARTTLS extension if both
TLS_CERTFILE 
# and COURIERTLS exist. 
# 
# WARNING: Peer certificate verification has NOT yet been tested.=C2=A0
Proceed 
# at your own risk.=C2=A0 Only the basic SSL/TLS functionality is known t=
o be 
# working. Keep this in mind as you play with the following variables.<br=
>
 
COURIERTLS=3D/usr/lib/courier/bin/couriertls 
 
##NAME: TLS_PROTOCOL:0 
# 
# TLS_PROTOCOL sets the protocol version.=C2=A0 The possible versions are=
: 
# 
# SSL2 - SSLv2 
# SSL3 - SSLv3 
# TLS1 - TLS1 
 
TLS_PROTOCOL=3DSSL23 
 
##NAME: TLS_STARTTLS_PROTOCOL:0 
# 
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3
STARTTLS 
# extension, as opposed to POP3 over SSL on port 995. 
# 
 
TLS_STARTTLS_PROTOCOL=3DSSL23 
 
##NAME: TLS_CIPHER_LIST:0 
# 
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the<b=
r>
# OpenSSL library.=C2=A0 In most situations you can leave TLS_CIPHER_LIST=
 
# undefined 
# 
# TLS_CIPHER_LIST=3D"ALL:!ADH:RC4+RSA:+SSLv2:@STRENG TH" 
 
##NAME: TLS_TIMEOUT:0 
# TLS_TIMEOUT is currently not implemented, and reserved for future use.<=
br>
# This is supposed to be an inactivity timeout, but its not yet
implemented. 
# 
 
##NAME: TLS_DHCERTFILE:0 
# 
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.<b=
r>
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA<b=
r>
# you must generate a DH pair that will be used.=C2=A0 In most situations=
the 
# DH pair is to be treated as confidential, and the file specified by =

# TLS_DHCERTFILE must not be world-readable. 
# 
# TLS_DHCERTFILE=3D 
 
##NAME: TLS_CERTFILE:0 
# 
# TLS_CERTFILE - certificate to use.=C2=A0 TLS_CERTFILE is required for
SSL/TLS 
# servers, and is optional for SSL/TLS clients.=C2=A0 TLS_CERTFILE is usu=
ally 
# treated as confidential, and must not be world-readable. 
# 
TLS_CERTFILE=3D/usr/lib/courier/share/pop3d.pem 
 
##NAME: TLS_TRUSTCERTS:0 
# 
# TLS_TRUSTCERTS=3Dpathname - load trusted certificates from pathname.<br=
>
# pathname can be a file or a directory. If a file, the file should 
# contain a list of trusted certificates, in PEM format. If a 
# directory, the directory should contain the trusted certificates, 
# in PEM format, one per file and hashed using OpenSSL's c_rehash 
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying 
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set 
# to PEER or REQUIREPEER). 
# 
# 
# TLS_TRUSTCERTS=3D 
 
##NAME: TLS_VERIFYPEER:0 
# 
# TLS_VERIFYPEER - how to verify client certificates.=C2=A0 The possible
values of 
# this setting are: 
# 
# NONE - do not verify anything 
# 
# PEER - verify the client certificate, if one's presented 
# 
# REQUIREPEER - require a client certificate, fail if one's not
presented 
# 
# 
TLS_VERIFYPEER=3DNONE 
 
##NAME: TLS_CACHE:0 
# 
# A TLS/SSL session cache may slightly improve response for long-running<=
br>
# POP3 clients. TLS_CACHEFILE will be automatically created,
TLS_CACHESIZE 
# bytes long, and used as a cache buffer. 
# 
# This is an experimental feature and should be disabled if it causes =

# problems with SSL clients.=C2=A0 Disable SSL caching by commenting out =
the 
# following settings: 
 
TLS_CACHEFILE=3D/var/spool/courier/couriersslcache 
TLS_CACHESIZE=3D524288 
 
##NAME: MAILDIRPATH:0 
# 
# MAILDIRPATH - directory name of the maildir directory. 
# 
MAILDIRPATH=3D../Maildir 
 
 
 
<div class=3D"moz-signature">-- 
Daniele
Piaggesi 
--------=
--------------- 
System
Administrator 
Pronetic=
s
s.p.a. 
Via E. L=
=2E
Cerva 127/C 
Tel.=C2=A0=
=C2=A0=C2=A0=C2=A0+39.06.51530849 
Mob.=C2=A0=
=C2=A0+39.328.6176226 
</div>
</body>
</html>

--===============1903012664==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
--===============1903012664==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/.../courier-users

--===============1903012664==--

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode