Your message dated Wed, 07 Dec 2016 10:49:55 +0000
with message-id <[email protected]>
and subject line Bug#846082: fixed in cyrus-imapd 2.5.10-3
has caused the Debian Bug report #846082,
regarding cyrus-imapd: TLS connections fail with 2.5.10-2 (new config option?)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
846082: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846082
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cyrus-imapd
Version: 2.5.10-2
Severity: important

Dear Maintainer,

I just installed 2.5.10-2 tonight and afterward no clients could connect to
the imap server (thunderbird, iOS mail). I tried testing with s_client and
got this:

    # openssl s_client -connect <my-server-redacted>:993 -tls1_2
    CONNECTED(00000003)
    140392100000896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1480330922
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---

In /var/log/mail.log I found these messages (for each connection attempt):

    Nov 28 02:49:50 death cyrus/imaps[19158]: inittls: Loading hard-coded DH parameters
    Nov 28 02:49:50 death cyrus/imaps[19158]: imaps TLS negotiation failed: cpe-172-249-96-89.socal.res.rr.com [172.249.96.89]

I played around and eventually commented out this line in /etc/imapd.conf:

    tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH

After that all the clients (including s_client) could connect (s_client
reported this: "TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384").

I don't understand the syntax of that line, but I suspect something might be
wrong there. If it's correct, any idea why no clients can connect to the
server?

Thanks,
    David

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cyrus-imapd depends on:
ii  cyrus-common  2.5.10-2
ii  dpkg          1.18.15
ii  libc6         2.24-5
ii  libicu57      57.1-4
ii  libsasl2-2    2.1.27~72-g88d82a3+dfsg-1
ii  libssl1.1     1.1.0c-2
ii  libwrap0      7.6.q-25
ii  zlib1g        1:1.2.8.dfsg-2+b3

cyrus-imapd recommends no packages.

cyrus-imapd suggests no packages.

-- no debconf information

--- End Message ---
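
Added example (not part of the bug report and not Debian or Cyrus code): the tls_ciphers value the reporter asks about is an OpenSSL cipher list, and the sketch below breaks the quoted line into its items and what each one does. The function names are hypothetical and the sample config line is constructed from the one in the report.

```python
import re

# Constructed sample: the imapd.conf line quoted in the bug report.
SAMPLE_CONF = "tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH\n"

# Meaning of the optional one-character prefix on a cipher-list item.
PREFIXES = {
    "!": "remove permanently (later items cannot re-add these)",
    "-": "remove, but later items may add them back",
    "+": "move matching suites to the end of the list",
}

def tls_ciphers_value(conf_text):
    """Return the active tls_ciphers value, or None if unset or commented out."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*tls_ciphers\s*:\s*(.*\S)", line)
        if m:
            return m.group(1)
    return None

def explain(cipher_list):
    """Split an OpenSSL cipher list into (item, action, keywords) tuples."""
    steps = []
    # Items are separated by colons; commas and spaces are also accepted.
    for item in filter(None, re.split(r"[:, ]+", cipher_list)):
        if item.startswith("@"):
            # Control items such as @STRENGTH or @SECLEVEL=n select nothing.
            action = ("sort the list so far by key length"
                      if item == "@STRENGTH" else "control directive")
            steps.append((item, action, []))
            continue
        action, body = "append matching suites", item
        if item[0] in PREFIXES:
            action, body = PREFIXES[item[0]], item[1:]
        # '+' inside an item is a logical AND: a suite must match every keyword.
        steps.append((item, action, body.split("+")))
    return steps

if __name__ == "__main__":
    for item, action, keywords in explain(tls_ciphers_value(SAMPLE_CONF)):
        print(f"{item:12} {action:55} {' AND '.join(keywords)}")
```

The parser only describes the syntax; `openssl ciphers -v 'TLSv1+HIGH:!aNULL:@STRENGTH'` shows which suites the installed OpenSSL actually resolves the string to.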
--- Begin Message ---
Source: cyrus-imapd
Source-Version: 2.5.10-3

We believe that the bug you reported is fixed in the latest version of
cyrus-imapd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated cyrus-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Dec 2016 11:23:20 +0100
Source: cyrus-imapd
Binary: cyrus-common cyrus-doc cyrus-imapd cyrus-pop3d cyrus-admin cyrus-murder cyrus-replication cyrus-nntpd cyrus-caldav cyrus-clients cyrus-dev libcyrus-imap-perl
Architecture: source
Version: 2.5.10-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Cyrus Team <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Description:
 cyrus-admin - Cyrus mail system - administration tools
 cyrus-caldav - Cyrus mail system - CalDAV and CardDAV support
 cyrus-clients - Cyrus mail system - test clients
 cyrus-common - Cyrus mail system - common files
 cyrus-dev  - Cyrus mail system - developer files
 cyrus-doc  - Cyrus mail system - documentation files
 cyrus-imapd - Cyrus mail system - IMAP support
 cyrus-murder - Cyrus mail system - proxies and aggregator
 cyrus-nntpd - Cyrus mail system - NNTP support
 cyrus-pop3d - Cyrus mail system - POP3 support
 cyrus-replication - Cyrus mail system - replication
 libcyrus-imap-perl - Interface to Cyrus imap client imclient library
Closes: 846082
Changes:
 cyrus-imapd (2.5.10-3) unstable; urgency=medium
 .
   * Rely on default tls_ciphers and tls_versions configurations
     (Closes: #846082)
Checksums-Sha1:
 7c6a1dc63d501ac7e6659c24fcae19366d4cadc3 3225 cyrus-imapd_2.5.10-3.dsc
 ccc34134be0cb5e89d087bbae8ae3530ccd14055 86124 cyrus-imapd_2.5.10-3.debian.tar.xz
Checksums-Sha256:
 ff0026e6952a477efd544c0fc9f6930c8bc7916f8b4c488619c7b1adaea0246a 3225 cyrus-imapd_2.5.10-3.dsc
 d9974d29e5c08df57e7caec437eff8532b2b3f2361f38fe3b324c61fdf37ab35 86124 cyrus-imapd_2.5.10-3.debian.tar.xz
Files:
 88c0a21494733ed37c76c2fa6b9bc2e4 3225 mail extra cyrus-imapd_2.5.10-3.dsc
 6ad3b62d2812cb2e70b1dcc9450f7dfc 86124 mail extra cyrus-imapd_2.5.10-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

--- End Message ---
