Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works
Chris Pepper
pepper at cbio.mskcc.org
Sun Oct 31 20:51:37 EDT 2010

mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
along with SquirrelMail, postfix, etc. Last night, I noticed that when I
sent mail from Thunderbird, it was not able to file copies in the Sent
mailbox, although they did reach the recipients, so postfix was
accepting mail on 587/tcp.

I restarted Cyrus IMAPd but don't see any error messages in
/var/log/maillog, and the cert & key look fine. SquirrelMail is fine
using plain IMAP. I opened 143/tcp in the firewall, and am able to fetch
mail via IMAP with STARTTLS, so it looks like the cert and key are fine.
But "telnet mail.reppep.com 993" and openssl fail to get any response.
Port 993 is open to the Internet, FWIW.

Does anyone have any suggestions for what went wrong and/or how to fix?
I'll try tcpdump next to see if it's responding at all.

Alternatively, is there a way to make sure Cyrus requires STARTTLS on
143? I was blocking external access to it to make sure users always use
encryption to connect, but port 143 with STARTTLS required would be an
acceptable alternative.

Thanks,
Chris Pepper

> pepper@imp:~$ !openssl
> openssl s_client -connect www.reppep.com:993
> CONNECTED(00000003)
> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
> [root@inspector ~]# cat /etc/imapd.conf
> admins: cyrus
> altnamespace: yes
> configdirectory: /var/lib/imap
> duplicatesuppression: yes
> hashimapspool: no
> partition-default: /var/spool/imap
> servername: mail.reppep.com
> singleinstancestore: yes
> #syslog_prefix: cyrus
> unixhierarchysep: yes
>
> lmtp_downcase_rcpt: yes
> maxmessagesize: 20971520
> sendmail: /usr/sbin/sendmail
> #quotawarn: 80
>
> #allowplaintext: yes
> #allowplainwithouttls: yes
> sasl_pwcheck_method: saslauthd
> #imap_auth_login: yes
> #imap_auth_cram_md5: yes
> #imap_auth_plain: yes
>
> autocreateinboxfolders: Junk
> autocreatequota: -1
> #autocreate_sieve_script: /etc/junk.sieve
> autocreate_sieve_compiledscript: /etc/sieve.bc
> autosievefolders: Junk
> autosubscribeinboxfolders: Junk
> createonpost: yes
> #sievedir: /var/lib/imap/sieve
> sieveusehomedir: true
>
> tls_ca_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
> tls_key_file: /etc/pki/tls/private/mail.reppep.com.20080219.key
> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> [root@inspector ~]# ls -l /etc/pki/tls/certs/mail.reppep.com.20100115.crt /etc/pki/tls/private/mail.reppep.com.20080219.key
> -rw-r--r-- 1 root root 6466 Oct 1 17:13 /etc/pki/tls/certs/mail.reppep.com.20100115.crt
> -rw-r----- 1 root mail 497 Feb 19 2008 /etc/pki/tls/private/mail.reppep.com.20080219.key
> [root@inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
> tcp 0 0 10.0.104.200:53 0.0.0.0:* LISTEN
> tcp 0 0 :::110 :::* LISTEN
> tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
> tcp 0 0 :::143 :::* LISTEN
> tcp 0 0 ::1:953 :::* LISTEN
> tcp 0 0 :::2000 :::* LISTEN
> tcp 0 0 :::22 :::* LISTEN
> tcp 0 0 :::4242 :::* LISTEN
> tcp 0 0 :::443 :::* LISTEN
> tcp 0 0 :::5222 :::* LISTEN
> tcp 0 0 :::5223 :::* LISTEN
> tcp 0 0 :::5229 :::* LISTEN
> tcp 0 0 :::5269 :::* LISTEN
> tcp 0 0 66.92.104.200:53 0.0.0.0:* LISTEN
> tcp 0 0 :::8080 :::* LISTEN
> tcp 0 0 :::80 :::* LISTEN
> tcp 0 0 :::8483 :::* LISTEN
> tcp 0 0 :::9090 :::* LISTEN
> tcp 0 0 :::9091 :::* LISTEN
> tcp 0 0 :::993 :::* LISTEN
> tcp 0 0 :::995 :::* LISTEN
> tcp 0 0 ::ffff:127.0.0.1:4243 :::* LISTEN
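
Added example (not part of the original post and not Cyrus project code): for the question above about making sure port 143 requires STARTTLS, this Python script reads the capabilities an IMAP server advertises before TLS and reports whether plaintext login is still possible. STARTTLS, LOGINDISABLED and AUTH= are RFC 3501 capability names; the two sample lines are constructed and the function names are this example's own.

```python
import re
import socket
import sys

# SASL mechanisms that send the password in recoverable form.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed sample lines (not captured from any real server).
WEAK_SAMPLE = "* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] server ready"
STRICT_SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"

def parse_capabilities(line):
    """Return the capability atoms from a greeting or a CAPABILITY response."""
    # Greeting form:  * OK [CAPABILITY a b c] text
    # Response form:  * CAPABILITY a b c
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I) or \
        re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def audit_pre_tls(caps):
    """List reasons a client could still send a password without TLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN allowed before TLS (no LOGINDISABLED)")
    for mech in sorted(PLAINTEXT_MECHS & caps):
        findings.append(mech + " offered before TLS")
    return findings

def fetch_capabilities(host, port=143, timeout=10):
    """Connect without TLS and collect what the server advertises."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        caps = parse_capabilities(f.readline().decode("ascii", "replace"))
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while True:
            line = f.readline().decode("ascii", "replace")
            if not line or line.startswith("a1 "):
                break
            caps |= parse_capabilities(line)
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return caps

if __name__ == "__main__":
    # With a hostname argument, probe it; otherwise audit the samples.
    sets = [fetch_capabilities(sys.argv[1])] if len(sys.argv) > 1 else \
           [parse_capabilities(WEAK_SAMPLE), parse_capabilities(STRICT_SAMPLE)]
    for caps in sets:
        print(audit_pre_tls(caps) or "plaintext login requires STARTTLS")
```

An empty result means passwords cannot be sent in the clear on this port; mechanisms such as CRAM-MD5 may still be usable without TLS, so it does not show that every session is encrypted.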