ports/50999: SSL with (mail/)dovecot simply doesn't work

Juha Ylitalo juha.o.ylitalo at kolumbus.fi
Tue Apr 15 19:50:18 UTC 2003


>Number:         50999
>Category:       ports
>Synopsis:       SSL with (mail/)dovecot simply doesn't work
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 15 12:50:16 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Juha Ylitalo <juha.o.ylitalo at kolumbus.fi>
>Release:        FreeBSD 4.7-RELEASE-p10 i386
>Organization:
>Environment:
System: FreeBSD coat.st-paul 4.7-RELEASE-p10 FreeBSD 4.7-RELEASE-p10 #5: Thu Apr 3 21:00:02 EEST 2003 root at coat.st-paul:/usr/obj/usr/src/sys/COAT i386


	
>Description:
I have dovecot compiled from ports with default options, copied
/usr/local/etc/dovecot-example.conf to /usr/local/etc/dovecot.conf and
made the necessary fixes to make it possible to start /usr/local/sbin/dovecot
without complaints (the config can be found at http://jylitalo.homeip.net/dovecot.conf).
Before starting dovecot, I also created SSL certs with the
/usr/local/share/dovecot/mkcerts.sh script.

Now when I try to test it with
openssl s_client -host localhost -port 993 -verify -debug
my openssl window prints the following:
verify depth is 0
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/Email=postmaster at example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/Email=postmaster at example.com
verify return:1
80573:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s3_pkt.c:1046:SSL alert number 20
80573:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s23_lib.c:226:
bash-2.05a$

At the same time dovecot prints:
dovecot: Apr 15 22:33:09 Info: Dovecot starting up
imap-login: Apr 15 22:33:14 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [127.0.0.1]
imap-login: Apr 15 22:33:14 Info: Disconnected [127.0.0.1]

If I try to use mutt, it simply says that TLS failed; with Evolution
it shows me the certificate, but then things fail.

dovecot seems to work nicely as a plaintext IMAP server, but plaintext is too
big a security hole to accept, and I don't want to start setting up stunnel,
since dovecot claims to support SSL.

The reason why this PR got such high severity and priority in my classification is
that, based on personal testing and mailing-list discussions, Evolution 1.2.2
and uw-imap simply don't work well together. This forced me to look for
alternatives, and on a quick study dovecot was the only other IMAP mail server which
supports mailboxes (vs. maildirs). That one is a real requirement for me,
because at this moment I don't want to start studying how to integrate
procmail, spamassassin, etc. into a maildir system.
	
>How-To-Repeat:
	
See description...
>Fix:
The only work-around that I've found so far is to go back to uw-imap, even though
that means that it's time to say hasta la vista to Evolution 1.2.2 (those two
together don't make a good pair).
	


>Release-Note:
>Audit-Trail:
>Unformatted:
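An added example, not part of the PR or of Dovecot, that parses the libssl error strings quoted above (from both the s_client output and the Dovecot log) and separates the expected self-signed-certificate warning (verify error 18, normal for a mkcerts.sh certificate) from the bad-record-MAC / handshake-failure errors that are the actual defect. The ERR_PACK code layout and the TLS alert numbers are standard OpenSSL/TLS values; the sample lines are the PR's own output.

```python
import re
from typing import Optional
# libssl packs an error code as 8-bit library | 12-bit function | 12-bit reason (ERR_PACK);
# library 0x14 (20) is "SSL routines". Printed form: "error:<8 hex>:<library>:<function>:<reason>";
# s_client appends ":<file>:<line>:<extra>", while Dovecot's log line ends in " [client address]".
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:\[]*)"
    r"(?::(?P<file>[^:]*):(?P<line>\d+):(?P<extra>[^\[]*))?")
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):(?P<text>.*)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
ALERT_NAMES = {20: "bad_record_mac", 21: "decryption_failed", 40: "handshake_failure"}  # TLS alert numbers
FATAL_REASONS = ("bad record mac", "handshake failure", "decryption failed")

def parse_ssl_error(line: str) -> Optional[dict]:
    """Split one libssl error string into its fields and unpack the hex code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m["code"], 16)
    a = ALERT_RE.search(m["extra"] or "")
    alert = int(a.group(1)) if a else None
    return {"code": code, "lib": m["lib"], "func": m["func"], "reason": m["reason"].strip(),
            "lib_num": (code >> 24) & 0xFF, "func_num": (code >> 12) & 0xFFF, "reason_num": code & 0xFFF,
            "file": m["file"], "line": m["line"], "alert": alert, "alert_name": ALERT_NAMES.get(alert)}

def triage(lines) -> tuple:
    # verify num=18 (self-signed) is expected for a mkcerts.sh certificate and not a failure by
    # itself; a bad-record-MAC or handshake-failure error means the TLS session never came up.
    verify_warnings, fatal = [], []
    for ln in lines:
        v = VERIFY_RE.search(ln)
        if v:
            verify_warnings.append((int(v["num"]), v["text"].strip()))
            continue
        e = parse_ssl_error(ln)
        if e and any(r in e["reason"] for r in FATAL_REASONS):
            fatal.append(e)
    verdict = ("handshake_failed" if fatal else
               "ok_self_signed" if any(n == 18 for n, _ in verify_warnings) else "ok")
    return verdict, verify_warnings, fatal

# Sample lines taken from the PR above (the wrapped s_client error re-joined onto one line).
SAMPLE = [
    "verify error:num=18:self signed certificate",
    "80573:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s3_pkt.c:1046:SSL alert number 20",
    "80573:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto/../ssl/s23_lib.c:226:",
    "imap-login: Apr 15 22:33:14 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [127.0.0.1]",
]
if __name__ == "__main__":
    verdict, warnings, fatal = triage(SAMPLE)
    print(verdict, warnings, [(e["func"], e["reason"], e["alert_name"]) for e in fatal])
```

On the PR's output this reports handshake_failed with three fatal entries, while a run that shows only the self-signed warning would be classified ok_self_signed.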