For me, that command works.
I also modified IMAPDSSLSTART=NO and IMAP_TLS_REQUIRED=1
On 22/10/14 18:21, Quinn Comendant wrote:
On Fri, 17 Oct 2014 10:52:12 +0300, Catalin Leanca wrote:
I managed to disable SSLv3 in /etc/courier/imapd-ssl and
/etc/courier/pop3-ssl
Changed TLS_PROTOCOL=SSLv3 to TLS_PROTOCOL=TLS1
Catalin (and others): have you succeeded in disabling SSLv3 in courier? When I
try this configuration, I am unable to connect even with a TLS-compatible
client, not even the openssl itself:
openssl s_client -state -nbio -connect mail.example.com:993
I get this output:
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=54
According to the openssl documentation, this error usually results from the
connection not being able to auto-negotiate a suitable ssl version to use. So,
I force a TLS connection using -tls1:
openssl s_client -state -nbio -connect oak2.strangecode.com:993 -tls1
And then I get a successful connection with the openssl client. The problem is
the real IMAP client I use (Gyazmail) doesn't connect (though it does support
TLS). Perhaps it is trying SSLv3 first, and fails to negotiate to TLS?
I read also some Courier versions have this problem, some not [1]. I'd
appreciate if you could run the above openssl command (without -tls1) and let
me know if it connects for you or not.
BTW, if you want to test that your server refuses SSLv3 connections, run the
openssl client with '-ssl3'.
Quinn
[1] http://sourceforge.net/p/courier/mailman/message/17185523/
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
--
CS Catalin LEANCA
ICI ROTLD - Serviciul Tehnic
Bd. Maresal Averescu 8-10,
Sector 1, Bucuresti
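
Added example, not part of the original messages: Python that classifies the first bytes a server returns to a ClientHello, which is what decides between the outcomes discussed in the thread (ServerHello, fatal alert, or a reset such as `read:errno=54`). The function names and the sample byte strings are constructed for illustration; the version and alert codes are the standard SSL 3.0/TLS wire values.

```python
import struct

# Wire versions and alert codes from the SSL 3.0 / TLS specifications.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2


def classify_reply(data: bytes) -> str:
    """Classify the first record a server sends back after a ClientHello."""
    if not data:
        # Peer closed or reset before sending any record, as in the failed
        # s_client run quoted in the thread.
        return "closed without reply"
    if len(data) < 5:
        return "truncated record header"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "truncated record body"
    if ctype == ALERT and length == 2:
        level, desc = body
        kind = "fatal" if level == 2 else "warning"
        return f"{kind} alert: {ALERTS.get(desc, desc)}"
    if ctype == HANDSHAKE and length >= 6 and body[0] == SERVER_HELLO:
        # ServerHello body: msg_type(1) length(3) server_version(2) ...
        chosen = (body[4], body[5])
        return "accepted " + VERSIONS.get(chosen, "unknown %d.%d" % chosen)
    return f"unexpected record type {ctype}"


def sslv3_refused(reply_to_sslv3_hello: bytes) -> bool:
    """True only when the reply to an SSLv3-only ClientHello is a clear refusal."""
    verdict = classify_reply(reply_to_sslv3_hello)
    return verdict == "closed without reply" or verdict.startswith("fatal alert")


# Constructed sample replies (not captured from any real server).
SAMPLE_SSLV3_HELLO = (bytes.fromhex("160300002a" "02000026" "0300")
                      + bytes(32) + bytes.fromhex("00" "000a" "00"))
SAMPLE_ALERT = bytes.fromhex("1503010002" "0246")

if __name__ == "__main__":
    for name, raw in [("hello", SAMPLE_SSLV3_HELLO), ("alert", SAMPLE_ALERT), ("reset", b"")]:
        print(name, "->", classify_reply(raw), "| SSLv3 refused:", sslv3_refused(raw))
```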