Gentoo Forums
imapd via STARTTLS not working after upgrade [SOLVED]
octavsly
n00b


Joined: 22 Aug 2007
Posts: 23
Location: Eindhoven, HTC

PostPosted: Sun Jul 06, 2014 10:28 am    Post subject: imapd via STARTTLS not working after upgrade [SOLVED]

Posted so others can find the solution more easily.

After updating the net-mail/courier-imap to 4.15-r1, I could not retrieve the e-mails via STARTTLS anymore.
Strangely enough it still worked via SSL/TLS (port 993).

Tried debugging via http://www.courier-mta.org/authlib/README.authdebug.html but STARTTLS was not there.

Then found in the /var/log/messages the following error:
Code:
imapd-ssl: couriertls: /usr/share/dhparams.pem: error:02001002:system library:fopen:No such file or directory


http://www.courier-mta.org/imap/INSTALL.html shows:
Quote:
Upgrading from Courier-IMAP 4.14, and earlier

Version 4.15 removes the TLS_DHCERTFILE parameter from imap, and pop3d configuration files. DH parameters, and DH parameters only, get read from the new TLS_DHPARAMS file (and the other functionality of TLS_DHCERTFILE, for DSA certificates, is merged into TLS_CERTFILE). The default startup script in the package is updated to run the new mkdhparams script, that creates a new TLS_DHPARAMS file.


In the Gentoo /etc/*/imapd-ssl file, the parameter TLS_DHPARAMS was set to /usr/share/dhparams.pem and the file did not exist.

Two solutions:
1. Disable the parameter in the imapd-ssl file:
Code:
#TLS_DHPARAMS=/usr/share/dhparams.pem


OR
2. Run mkdhparams, as the manual says, which will create that file.
cilly
n00b


Joined: 27 Jun 2006
Posts: 3

PostPosted: Mon Jul 21, 2014 5:12 pm    Post subject: Re: imapd via STARTTLS not working after upgrade [SOLVED]

Thank you!!!!!!

:lol:
Floppe
n00b


Joined: 27 Feb 2003
Posts: 50
Location: Finland

PostPosted: Wed Jul 23, 2014 10:01 am    Post subject:

Many thanks!
Duncan Mac Leod
Guru


Joined: 02 May 2004
Posts: 311
Location: Germany

PostPosted: Tue May 19, 2015 2:07 pm    Post subject:

Microsoft's last patchday (May 2015) introduced another problem, REQUIRING a DHE key length of 1,024 bits! (default is 768 if you are using OpenSSL and the mkdhparams tools).

If you are using a DHE key length of < 1,024 bits, a TLS connection is not possible.

https://support.microsoft.com/en-us/kb/3061518/

Two solutions:

#1 set the environment variable BITS (see manpage of mkdhparams)

or

#2 edit /usr/sbin/mkdhparams and change the value 768 to 1024

Generate a new .pem file and it will work again.

Took me hours to track down the problem, so I post this to make your life easier.

The problem occurs in our network ONLY for Windows 8.1 and Windows Server 2012 R2 systems, all other systems were not affected, but AFAIK Microsoft is planning to patch the other operating systems in the next months.

Hope that helps...
octavsly
n00b


Joined: 22 Aug 2007
Posts: 23
Location: Eindhoven, HTC

PostPosted: Tue Jun 16, 2015 9:13 am    Post subject:

Thanks Duncan Mac Leod for the info.

Reason for change can be seen in https://weakdh.org/

For regenerating the key use DH_BITS instead of BITS as the manual says.
Code:
rm  /usr/share/dhparams.pem ; DH_BITS=2048 mkdhparams


Newer versions of Thunderbird also refuse connections to servers with < 1024 bits. The message is a bit cryptic.

Quote:
The IMAP server info@server.com does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'.


However, if the Error console is opened (Ctrl+Shift+J) a clearer message appears:
Quote:

Timestamp: 06/16/2015 11:02:12 AM
Error: An error occurred during a connection to imap.server.com:143.

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

(Error code: ssl_error_weak_server_ephemeral_dh_key)


I will write a bug in Gentoo to have the default set to 1024.
mt_undershirt
n00b


Joined: 20 Dec 2014
Posts: 4

PostPosted: Tue Jun 16, 2015 9:44 am    Post subject: Yes!

:D Many thanks to octavsly and MacLeod, my thunderbird just failed on multiple accounts after today's upgrade to 38.0.1 with the aforementioned cryptic error message.
Connection was still working on other machines and iOS devices, though. 8O :?:

So, you probably saved me a lot of time otherwise wasted on tracking down the problem, I truly :!: appreciate that.

As described, removing the old dhparams.pem and running 1024-bit modified mkdhparams on the server did the trick right away.

Regards
mtu
toralf
Developer


Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

PostPosted: Tue Jun 16, 2015 11:30 am    Post subject:

IMO re-creating the .pem file should be scheduled regularly, eg. via cron once per week/month or so, even if you're not paranoid.
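A cron-friendly check that combines octavsly's regeneration command with toralf's suggestion to re-create the file on a schedule, as an added example that is not from the thread or from courier-imap itself: it reads the prime size from openssl's own text output and only removes and regenerates /usr/share/dhparams.pem with DH_BITS=2048 mkdhparams when the current file is missing or smaller than the 1024-bit minimum the clients in this thread demand. It assumes openssl and the mkdhparams script (honouring DH_BITS) are on PATH and the Gentoo path used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check the DH parameter size of
# courier-imap's dhparams.pem and regenerate it only when it is too small.
# Assumes the Gentoo path from the thread, openssl on PATH and a
# mkdhparams script that honours the DH_BITS environment variable.
DHPARAMS=${DHPARAMS:-/usr/share/dhparams.pem}
MIN_BITS=${MIN_BITS:-1024}   # KB3061518 and Thunderbird 38 reject < 1024
NEW_BITS=${NEW_BITS:-2048}   # size to generate, as in the thread

# Extract the prime size from "openssl dhparam -text" output read on stdin.
# Handles both "PKCS#3 DH Parameters: (N bit)" (OpenSSL 1.x) and
# "DH Parameters: (N bit)" (OpenSSL 3.x); prints 0 if no size line is found.
dh_bits_from_text() {
    sed -n 's/^[[:space:]]*\(PKCS#3 \)\{0,1\}DH Parameters: (\([0-9][0-9]*\) bit).*/\2/p' \
        | head -n 1 | grep . || echo 0
}

# Bit size of the prime in a PEM file; 0 if the file is missing or unparsable.
dh_bits_of_file() {
    [ -r "$1" ] || { echo 0; return; }
    openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_bits_from_text
}

# Succeeds (exit 0) when the file should be regenerated.
dh_needs_regen() {
    bits=$(dh_bits_of_file "$1")
    [ "$bits" -lt "$MIN_BITS" ]
}

# Remove the old file first and regenerate, exactly as the thread does.
dh_regen() {
    rm -f "$DHPARAMS"
    DH_BITS="$NEW_BITS" mkdhparams
}

main() {
    if dh_needs_regen "$DHPARAMS"; then
        echo "$DHPARAMS has $(dh_bits_of_file "$DHPARAMS") bits < $MIN_BITS, regenerating"
        dh_regen
    fi
}

# Only act when invoked as "check-dhparams.sh run" (e.g. from cron).
case "${1:-}" in run) main ;; esac
```

Generating 2048-bit parameters can take minutes, so run it from cron rather than at service start.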
F1r31c3r
Tux's lil' helper


Joined: 31 Aug 2007
Posts: 107
Location: UK

PostPosted: Thu Jun 25, 2015 4:18 am    Post subject: workaround for the user

Hi all,

I too came across this problem and after 2 hours with my hosting provider they provided me with reassurance but nothing more.

They told me they had fixed it twice but it still did not work, so I decided to disable the use of the key and force Thunderbird to use a higher encryption key.

If you go to Edit -> Preferences, then the Advanced and General tab, at the bottom is a button called Config Editor. Click it and enter this, then use the filter to find all ssl3 entries.

Find
Quote:
security.ssl3.dhe_rsa_aes_128_sha


and set it to false by double clicking it.

Now you will find the server is forced to use an alternative which has a more secure mechanism.

This is how I got around it, so if you are struggling with your hosting company then this is a quick workaround until you can kick them up the ass to fix it.
_________________
A WikI, A collection of mass misinformation based on opinion and manipulation by a deception of freedom.
If we know the truth, then we should be free from deception (John 8:42-47 )