POP3 TLS issues

sara_bellum
sara_bellum used Ask the Experts™
on
I just upgraded my Ubuntu 8.04 server to 10.04 but there were mail configuration errors before the upgrade (for example, I could not download syslog messages to my client mailbox).

After the upgrade, I can't connect to the server from my Ubuntu Evolution client at all, the error now reads: 'Unable to connect to POP server mail.mydomain.com, error sending username'

I ran several tests:
$ telnet localhost 25 shows all the correct entries which I can post as needed

$ telnet mail.mydomain.com 110
Connected to server1.mydomain.com.
Escape character is '^]'.
+OK Hello there.
USER
-ERR TLS required to log in.  

$ openssl s_client -connect 127.0.0.1:995
Protocol: TLSv1
# lots of output that I've omitted...
No client certificate CA names sent
Verify return code: 10 (certificate has expired)
+OK Hello there

$ openssl s_client -ssl3 -connect 127.0.0.1:995
$ openssl s_client -tls1 -connect 127.0.0.1:995

produce the same bottom line: expired certificate, but I do get the OK Hello there at the end.
I tried renewing the certificate via HowtoForge instructions at
http://www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-2-p5

but I admit that I find the lengthy instructions confusing - my mail configuration has never been fully functional, probably because I don't really understand the relationship between the files in /etc/postfix/ssl and /etc/ssl.

$ ls -l /etc/postfix/ssl shows:
smtpd.crt old timestamp
smtpd.csr old timestamp
cacert.pem current
cakey.pem current
smtpd.key current

$ ls -l /etc/ssl shows:
directory certs with current timestamp and an enormous number of files in it
directory private old timestamp
openssl.cnf old timestamp
openssl_default.cnf old timestamp

I can see from the above output that TLS is running on an expired certificate even though I created a new one today. I think I need to fix that before renewing smtpd.crt and smtpd.csr ( I found http://www.howtoforge.com/forums/archive/index.php/t-41883.html which I need to study, to fix the crt and csr problem)

The pop3/courier server doesn't appear to be using TLS at all, probably because of the disconnect between the timestamps on the certificate files in /etc/postfix/ssl.  Finally, I understand that TLS must or should be used for mail clients to authenticate.

So my first question related to the mail problem is how to fix the TLS problem.

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
ok I fixed it - I'll proceed in the order that I posted my comments:
-  telnet mail.mydomain.com 110: a telnet connection is not secure / doesn't use TLS, therefore  telnet is disabled as far as user authentication is concerned (this is not a pop3 error!)
- $ openssl s_client -connect 127.0.0.1:995 certificate has expired - because I haven't renewed the certs in /etc/ssl (at least I think that's the reason, same of course for tls and ssl3 connections)
- the howtoforge instructions for the url I posted are good, and reviewing them several times (especially for an upgrade) is important, to check all settings
- updating the smtpd crt and csr keys in /etc/postfix/ssl was important but didn't fix the problem
- there are any number of applications that ssl keys support (ssh, mail, apache etc) and these apps can share keys. Focusing on the /etc/postfix/ssl keys rather than apache was the right approach for now.
- No pop3  authentication errors were reported in /var/log/auth.log or /var/log/mail.log or  /var/log/syslog - and pop3 connections from my client appeared in the logs when attempting to connect, followed by a disconnect when they failed. Also, there were no errors on postfix reload or restart. Therefore the problem was with the client.
- The Evolution client was not using certificates. I checked the authentication settings to see which ones are supported  - the only setting that worked for me was SSL - Password: the client requests a certificate, I clicked ok to approve and then all was well :)

I hope this helps someone.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial