Wednesday, October 24, 2007

Courier SSL problems after update

I posted this message as a comment to the HOWTO I used to configure my mail server:
http://www.howtoforge.com/fedora_virtual_postfix_mysql_quota_courier

I've been running a mail server built using this HOWTO for a while now. I recently updated the entire server with a "yum update". Email clients could no longer connect to the server via POP3 or IMAP if SSL was enabled. I was getting errors like this in the error log:

Oct 23 13:19:32 mailhost pop3d-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Oct 24 10:36:13 mailhost imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I was able to fix this by editing the following files:

/usr/lib/courier-imap/etc/imapd-ssl
/usr/lib/courier-imap/etc/pop3d-ssl

I changed the TLS_PROTOCOL setting from SSL3 to SSL23 in both of these files:

TLS_PROTOCOL=SSL23

Then, I restarted courier-authlib and courier-imap and things were working again:

service courier-authlib restart
service courier-imap restart

The following commands were helpful in testing things out:

openssl s_client -connect mailhost:993 -state -debug
openssl s_client -connect mailhost:995 -state -debug
openssl s_client -ssl2 -connect mailhost:993 -state -debug
openssl s_client -ssl3 -connect mailhost:993 -state -debug
openssl s_client -ssl2 -connect mailhost:995 -state -debug
openssl s_client -ssl3 -connect mailhost:995 -state -debug

I hope this helps someone else, as I spent way too much time trying to solve it.
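
The following script is an added example, not part of the original post: it reads the TLS_PROTOCOL setting back out of the two files named above, so a re-check after the next "yum update" is one command. It assumes the files contain shell-style NAME=value lines with # comments; the function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit Courier's TLS_PROTOCOL.
# Assumption: config files hold shell-style NAME=value lines, # for comments.

# Print the last uncommented TLS_PROTOCOL value in file $1 (empty if unset).
tls_protocol_of() {
    sed -n 's/^[[:space:]]*TLS_PROTOCOL=["'\'']\{0,1\}\([A-Za-z0-9._+-]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Classify file $1 using only the two values discussed in the post.
classify() {
    case "$(tls_protocol_of "$1")" in
        SSL3)  echo "ssl3-only" ;;   # the setting in place when clients failed
        SSL23) echo "negotiate" ;;   # the setting that restored connections
        "")    echo "unset" ;;
        *)     echo "other" ;;
    esac
}

# Print one line per file; return 1 if any file is still set to SSL3.
audit() {
    rc=0
    for f in "$@"; do
        c=$(classify "$f")
        printf '%s: TLS_PROTOCOL=%s (%s)\n' "$f" "$(tls_protocol_of "$f")" "$c"
        if [ "$c" = "ssl3-only" ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh audit.sh /usr/lib/courier-imap/etc/imapd-ssl \
#                    /usr/lib/courier-imap/etc/pop3d-ssl
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

A commented-out TLS_PROTOCOL line is ignored, and when the setting appears more than once the last occurrence is the one reported.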
