Re: [Courier-imap] Problem about "not support the selected authentication method" after version upg
From: Neko C. <ep...@gm...> - 2018-11-02 02:11:09
Hi Sam Varshavchik,

Thanks for your test and answer.

For your test result, I re-created two jails, both the same (openssl included) except for the courier-imap files only, as below:

Files 5.0/usr/local/bin/couriertls and 4.18.2/usr/local/bin/couriertls differ
Files 5.0/usr/local/bin/imapd and 4.18.2/usr/local/bin/imapd differ
Files 5.0/usr/local/bin/makedat and 4.18.2/usr/local/bin/makedat differ
Files 5.0/usr/local/etc/courier-imap/imapd-ssl.dist and 4.18.2/usr/local/etc/courier-imap/imapd-ssl.dist differ
Files 5.0/usr/local/etc/courier-imap/imapd.dist and 4.18.2/usr/local/etc/courier-imap/imapd.dist differ
Files 5.0/usr/local/libexec/courier-imap/couriertcpd and 4.18.2/usr/local/libexec/courier-imap/couriertcpd differ
Files 5.0/usr/local/libexec/courier-imap/imapd-ssl.rc and 4.18.2/usr/local/libexec/courier-imap/imapd-ssl.rc differ
Files 5.0/usr/local/libexec/courier-imap/imapd.rc and 4.18.2/usr/local/libexec/courier-imap/imapd.rc differ
Files 5.0/usr/local/libexec/courier-imap/makedatprog and 4.18.2/usr/local/libexec/courier-imap/makedatprog differ
Files 5.0/usr/local/libexec/courier-imap/pop3d-ssl.rc and 4.18.2/usr/local/libexec/courier-imap/pop3d-ssl.rc differ
Files 5.0/usr/local/libexec/courier-imap/pop3d.rc and 4.18.2/usr/local/libexec/courier-imap/pop3d.rc differ
Files 5.0/usr/local/sbin/imaplogin and 4.18.2/usr/local/sbin/imaplogin differ

Same result: 5.0 does not work (NG), 4.18.2 works OK; the telnet test gives the same result.

About the pem file, in 5.0 and 4.18.2 both the owner/group/permission and the content are the "same", as below:

-r-------- 1 root wheel 7423 Nov 1 10:00 /usr/local/etc/courier-imap/certificate/epopen.com/fullchain-privkey_combined.pem

And the owner of the running courier-imap 5.0 processes is root:

root 40080 0.0 0.3 14892 11056 2 IJ 17:50 0:00.03 /usr/local/libexec/courier-authlib/authdaemond
root 52652 0.0 0.1 6720 2668 2 IJ 17:50 0:00.01 /usr/local/libexec/courier-imap/couriertcpd -address=0 -maxprocs=24 -maxperip=20 -access=/usr/local/etc/courier-imap/imapaccess.da
root 64085 0.0 0.3 14888 10700 2 IJ 17:50 0:00.01 /usr/local/libexec/courier-authlib/authdaemond
root 80121 0.0 0.1 6252 2148 2 IJ 17:50 0:00.01 /usr/local/sbin/courierlogger -facility=mail -pid=/var/run/authdaemond/pid -start /usr/local/libexec/courier-authlib/authdaemond
root 88340 0.0 0.1 6252 2148 2 IJ 17:50 0:00.01 /usr/local/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/libexec/courier-imap/couriertcpd -address=0 -m

Process and file owner match.

My site's SSL certificate is issued by Let's Encrypt. The pem file generation procedure follows https://community.letsencrypt.org/t/configure-courier-imap/3620 for courier-imap 4.x.

Later I tested with openssl and found the results below, for your reference.

courier-imap 5.0
$ openssl s_client -connect imap.epopen.com:143 -starttls imap
CONNECTED(00000003)
140625353098904:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 510 bytes and written 331 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1541121918
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

-----------------------------------------------------------------------------------------------

courier-imap 4.18.2
$ openssl s_client -connect imap.epopen.com:143 -starttls imap
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = epopen.com
verify return:1
---
Certificate chain
 0 s:/CN=epopen.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHDDCCBfSgAwIBAgISA/TK2TKR09rGpdgCRlKqLBhvMA0GCSqGSIb3DQEBCwUA
.......... cut .......
DXNXwrYvDwDh80QnUAbNTp2MDBcSDR4UKlt8WXo8L4Q=
-----END CERTIFICATE-----
subject=/CN=epopen.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4365 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2EDDE8882C367FAA3.....AF870C00E983DF23B
    Session-ID-ctx:
    Master-Key: 2AA8B4C8E8F5F79049.......E184CABD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 51 56 19 ee 6e 69 fd 14-4e 9c b7 ce 9c ee 01 f1   QV..ni..N.......
    .......... cut .......
    0090 - fc 23 bc 89 e8 fa f7 81-40 18 ef 57 c6 76 41 8d   .#......@..W.vA.

    Start Time: 1541122816
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK CAPABILITY completed

Thanks very much for your support.

Sam Varshavchik <mr...@co...> wrote on Thu, Nov 1, 2018 at 3:07 PM:

> Neko Chang writes:
>
> > 2. In Thunderbird windows, Press Ctrl+Shift+J to open browser console and
> > error message as below.
> > An error occurred during a connection to <URL:http://imap.epopen.com:143>imap.epopen.com:143.
> > SSL received a record that exceeded the maximum permissible length.
> > Error code: <a id="errorCode" title="SSL_ERROR_RX_RECORD_TOO_LONG">SSL_ERROR_RX_RECORD_TOO_LONG</a>
>
> Something is misconfigured with your certificate file:
>
> [mrsam@octopus imap]$ telnet imap.epopen.com 143
> Trying 122.117.86.253…
> Connected to imap.epopen.com.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED
> ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double
> Precision, Inc. See COPYING for distribution information.
> a starttls
> a OK Begin SSL/TLS negotiation now.
> a NO STARTTLS failed: ip=[::ffff:68.166.206.86], couriertls:
> /usr/local/etc/courier-imap/certificate/epopen.com/fullchain-privkey_combined.pem: erro
> * NO Error in IMAP command received by server.
>
> The full error message is too long, and it gets cut off.
>
> Inspect this certificate file and check that the actual file's permissions
> and ownership are correct.
>
> Otherwise, the certificate file must be corrupt, and it cannot be read by
> the OpenSSL library.
>
> _______________________________________________
> Courier-imap mailing list
> Cou...@li...
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap

--
Regards,
Wei-Jen Chang
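Ownership and mode of the combined file were already checked by hand above (ls -l shows -r-------- root), so the remaining hypothesis from Sam's reply is a file OpenSSL cannot parse. The script below is an added example, not code from this thread or from Courier, that checks the combined PEM structurally: every block must be valid base64 whose outer DER SEQUENCE length matches what was decoded (a truncated or corrupted block fails this), and the file must hold exactly one private key plus at least one certificate. The sample PEM strings at the bottom are constructed DER stubs, not real keys or certificates.

```python
"""Structural checks for a combined key + certificate PEM file such as the
fullchain-privkey_combined.pem that couriertls loads (added example, not
Courier code; the sample PEM strings at the bottom are constructed)."""
import base64, re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_total_length(der):
    """Size the outer DER SEQUENCE claims: tag + length field + content."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("block does not start with a DER SEQUENCE")
    if der[1] < 0x80:                 # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                 # long form: n length bytes follow
    if len(der) < 2 + n:
        raise ValueError("truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_pem(text):
    """[(label, der)] per block; ValueError on bad base64 or a DER header
    that disagrees with the decoded size, i.e. a truncated/corrupt file."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        der = base64.b64decode(body, validate=True)     # ValueError if bad
        declared = der_total_length(der)
        if declared != len(der):
            raise ValueError(f"{label}: DER declares {declared} bytes, got {len(der)}")
        blocks.append((label, der))
    return blocks

def pem_problem(text):
    """None if every block decodes and the file holds exactly one private
    key plus at least one certificate; otherwise a one-line diagnosis."""
    try:
        labels = [label for label, _ in parse_pem(text)]
    except ValueError as exc:
        return str(exc)
    keys = sum(l.endswith("PRIVATE KEY") for l in labels)
    certs = labels.count("CERTIFICATE")
    if keys != 1 or certs < 1:
        return f"expected 1 private key and >=1 certificate, found {keys}/{certs}"
    return None

# Constructed inputs: minimal DER SEQUENCEs, not real keys or certificates.
GOOD_PEM = ("-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAUCAQ==\n-----END CERTIFICATE-----\n"
```

Run it against the real file with `pem_problem(open(path).read())`; a None result means the file is structurally loadable and the cause lies elsewhere (for example in the server's TLS configuration).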