[BlueOnyx:16471] Blackberrys, dovecot, IMAP and TLS

Darren Wolfe darren at intersys-group.com
Mon Nov 17 13:28:24 -05 2014


Hi,


I thought I would detail a problem I've been working on (and solved) all day, in case anyone else experiences it.

Following the POODLE updates where SSLv3 was disabled, we found that after an unrelated reboot of the server, our customers with Blackberrys who had configured their email to use IMAP with SSL encryption suddenly stopped working.

After enabling verbose SSL debugging in 10-logging.conf, we were seeing this in the mail log:

Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.239.84.172, lip=1.1.1.1, TLS handshaking: Disconnected, session=<omhVUREISACy71Ss>

If SSL was disabled, it would connect correctly.
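A small log-triage script for the output above, added here as an example and not part of Darren's mail. It groups dovecot's imap-login SSL debug lines by the client IP in the trailing brackets and reports, per client, whether the handshake completed and which server state was current when it failed. In the trace above the server has already written its key exchange and server done, so "SSLv3 read client certificate A" is simply the state in which it waits for the client's next flight; a client that disconnects there has received the server's DH parameters and declined to continue, which points at the key exchange rather than at client certificates. The failing session is copied from the post; the successful session from 192.0.2.10 is constructed for contrast, and the exact wording of its "finished successfully" line is an assumption about OpenSSL's state string.

```python
import re
from collections import OrderedDict

# Sample dovecot imap-login lines. The 178.239.84.172 session is copied from the
# post above; the 192.0.2.10 session is CONSTRUCTED to show a completed handshake
# (its "SSL negotiation finished successfully" text is assumed to be OpenSSL's state string).
SAMPLE_LOG = """\
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [178.239.84.172]
Nov 17 17:29:15 server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.239.84.172, lip=1.1.1.1, TLS handshaking: Disconnected, session=<omhVUREISACy71Ss>
Nov 17 17:30:02 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.0.2.10]
Nov 17 17:30:02 server dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.10]
Nov 17 17:30:02 server dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.0.2.10]
Nov 17 17:30:02 server dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=1.1.1.1, TLS, session=<constructed0001>
"""

# State-callback lines carry OpenSSL's "where" flags, the return code, the state
# string and the client IP in trailing brackets.
DEBUG_RE = re.compile(r"imap-login: Debug: SSL: where=0x([0-9a-f]+), ret=(-?\d+): (.+?) \[([^\]]+)\]\s*$")
FAIL_RE = re.compile(r"imap-login: Warning: SSL failed: where=0x[0-9a-f]+: (.+?) \[([^\]]+)\]\s*$")
DISC_RE = re.compile(r"imap-login: Disconnected \((.*?)\): .*?rip=([^,]+),.*TLS handshaking: Disconnected")
LOGIN_RE = re.compile(r"imap-login: Login: .*?rip=([^,]+),")

SSL_CB_HANDSHAKE_DONE = 0x20  # OpenSSL flag set in "where" once the handshake finished


def _entry(summary, rip):
    return summary.setdefault(rip, {
        "last_state": None, "failed": False, "failed_at": None,
        "completed": False, "logged_in": False, "disconnect_reason": None,
    })


def summarize_handshakes(log_text):
    """Group imap-login SSL events by client IP and record the handshake outcome."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            where, ret, state, rip = m.groups()
            e = _entry(summary, rip)
            e["last_state"] = state
            if int(where, 16) & SSL_CB_HANDSHAKE_DONE and int(ret) == 1:
                e["completed"] = True
            continue
        m = FAIL_RE.search(line)
        if m:
            state, rip = m.groups()
            e = _entry(summary, rip)
            e["failed"], e["failed_at"] = True, state
            continue
        m = DISC_RE.search(line)
        if m:
            reason, rip = m.groups()
            e = _entry(summary, rip)
            e["failed"], e["disconnect_reason"] = True, reason
            continue
        m = LOGIN_RE.search(line)
        if m:
            _entry(summary, m.group(1))["logged_in"] = True
    return summary


def failing_clients(summary):
    """(rip, server state at failure) for every client whose TLS handshake never completed."""
    return [(rip, e["failed_at"] or e["last_state"])
            for rip, e in summary.items() if e["failed"] and not e["completed"]]


if __name__ == "__main__":
    for rip, state in failing_clients(summarize_handshakes(SAMPLE_LOG)):
        print(f"{rip}: handshake aborted while server was in '{state}'")
```

Run it against a real /var/log/maillog slice (replace SAMPLE_LOG with the file contents) to get a list of the client addresses that drop the connection after the server's key exchange; that list shows how many clients are actually affected before any change to ssl_dh_parameters_length is made.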

Thinking this was some sort of client certificate error (which we don't use), we turned off all client certificate related SSL options in dovecot which had no effect.
After a lot more fiddling, and comparing pre-SSLv3-disabled configuration files, we found this new addition to 10-ssl.conf:

# DH parameters length to use.
ssl_dh_parameters_length = 2048

This is a new option added to dovecot since the previous version we had in 5107r.

Reviewing the Blackberry documentation suggested that this should work as they support values from 512 to 4096 but it does not. We changed it back to its default value of 1024 and it worked.

So in conclusion:
If you are seeing TLS failures with Blackberrys when using IMAP, then set ssl_dh_parameters_length to 1024.

-----------------------------
InterSys Micronics Ltd
Darren Wolfe
Tel: 01253 716800, Fax: 01253 722777
e-mail: darren at intersys-group.com
website: http://www.intersys-group.com
The Old Fire Station, Edward Street, Lytham St. Annes, Lancashire, FY8 1XR
-----------------------------