2020/12/04
Turning on a couple of debug flags in #Dovecot's config now shows this in mail.log when #Eudora tries to connect:
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: error
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=107.15.53.219, lip=68.183.140.54, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=</enhGK21wTFrDzXb>
Dec 5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
The flags I changed:
auth_verbose = yes
- didn't immediately change anything
verbose_ssl = yes
- the extra info appeared after I made this change
As far as I can tell, Eudora should support up through TLSv1.1. I tested Dovecot with TLSv1 and TLSv1.1, and both were successful -- so I really don't understand what's going on here. Oh wait, maybe "Verification: OK" doesn't mean success. It does say "no protocols available" for 1.0 and 1.1, but gives all kinds of additional certificate info for 1.2.
TLSv1 test:
openssl s_client -connect mail.vbz.net:993 -tls1
Output:
CONNECTED(00000003)
140056042988864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
So, going on the theory that it's actually refusing TLSv1 and TLSv1.1 connections, I searched for "no protocols available" and found this piece of advice which says that the openssl server configuration is what needs to be changed. Unfortunately, changing it doesn't seem to change the error. It would help if I knew whether I needed to restart something after each change, and what that might be, rather than rebooting all the time.
12/5 Note
Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04 seems to be identifying the same problem, except with Nginx rather than Dovecot. The solution they worked out is via configuring Nginx rather than configuring OpenSSL, suggesting that perhaps Dovecot can be configured to override OpenSSL as well -- but a few attempts to do this were not successful. The Nginx settings given don't translate directly, though there are some analogous config options in Dovecot.
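Both the TLSv1 test in the 12/4 entry and the Nginx comparison in the 12/5 note come down to one question: which side of the connection is refusing TLS 1.0/1.1. The script below is an added example (editor's code, not part of this log and not Dovecot's or OpenSSL's own tooling) that classifies openssl s_client output into a client-side refusal, a server-side refusal, or a negotiated session, so that "Verification: OK" is not misread as success. The three sample outputs are constructed for the example: the first is the log's own TLSv1 test reflowed, the other two are illustrative. The SECLEVEL workaround mentioned in the comments is an assumption about an Ubuntu 20.04 host and is not verified against this server.

```shell
#!/bin/sh
# Added example (editor's, not from the original log): classify the output of
# `openssl s_client` so that a refusal by the LOCAL openssl client is not read
# as a statement about the Dovecot server.
#
#   client-refused  - error raised in tls_construct_client_hello, i.e. before
#                     any ClientHello left this machine ("read 0 bytes"); the
#                     local openssl policy forbids the version that was asked for
#   server-refused  - the server answered with a protocol_version (or similar)
#                     alert, so the server's TLS policy is doing the rejecting
#   negotiated X    - a session was set up; X is the protocol from SSL-Session
#
# "Verification: OK" / "Verify return code: 0 (ok)" appear in all three cases.

# classify_sclient_output: read s_client's combined stdout+stderr from stdin,
# print one of: client-refused | server-refused | negotiated <proto> | unknown
classify_sclient_output() {
    out=$(cat)
    case "$out" in
        *"tls_construct_client_hello:no protocols available"*)
            echo client-refused ;;
        *"alert protocol version"*|*"alert handshake failure"*|*"wrong version number"*|*"unsupported protocol"*)
            echo server-refused ;;
        *)
            # On success the SSL-Session block carries "Protocol  : TLSv1.x"
            proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
            if [ -n "$proto" ]; then
                echo "negotiated $proto"
            else
                echo unknown
            fi ;;
    esac
}

# tls_probe HOST PORT VERSIONFLAG [extra s_client args...]
# VERSIONFLAG is one of -tls1 -tls1_1 -tls1_2 -tls1_3 (OpenSSL 1.1.1 names).
# Extra args go straight to s_client, e.g. "-starttls pop3" for port 110, or
# "-cipher DEFAULT:@SECLEVEL=1" to lower the local client's own policy
# (assumed here to be what blocks TLS 1.0/1.1 on an Ubuntu 20.04 client).
tls_probe() {
    host=$1; port=$2; flag=$3; shift 3
    openssl s_client -connect "$host:$port" "$flag" "$@" </dev/null 2>&1 | classify_sclient_output
}

# --- constructed samples (no network needed) ---------------------------------
# 1) the log's own TLSv1 test output, reflowed
SAMPLE_CLIENT_REFUSED='CONNECTED(00000003)
140056042988864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---'
# 2) illustrative: server sends alert 70 (protocol_version) after the ClientHello
SAMPLE_SERVER_REFUSED='CONNECTED(00000003)
139745555392832:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 206 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---'
# 3) illustrative: a completed TLS 1.2 handshake (hostname is a placeholder)
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = mail.example.net
verify return:1
---
SSL handshake has read 3176 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
---'

# Stand-alone demo on the samples. Against the real server one would run e.g.
#   tls_probe mail.vbz.net 993 -tls1
#   tls_probe mail.vbz.net 993 -tls1 -cipher 'DEFAULT:@SECLEVEL=1'
for s in "$SAMPLE_CLIENT_REFUSED" "$SAMPLE_SERVER_REFUSED" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_sclient_output
done
```

The 141E70BF error in the original test is raised in tls_construct_client_hello with zero bytes read, so the local openssl gave up before anything reached mail.vbz.net; that run says nothing about Dovecot's settings, which is why changing the server did not change the error. If the server is Ubuntu 20.04, as the 12/5 note suggests, the editor's assumption is that the shipped OpenSSL policy (security level 2) is what disables TLS 1.0/1.1 on both the probing client and Dovecot, the same reason the Nginx fix referenced above needed SECLEVEL=1. Dovecot's analogues of those Nginx settings are ssl_min_protocol and ssl_cipher_list (in /etc/dovecot/conf.d/10-ssl.conf on Debian/Ubuntu); `doveconf ssl_min_protocol ssl_cipher_list` prints the effective values. Neither a Dovecot config change nor an edit to /etc/ssl/openssl.cnf takes effect in running login processes, so `systemctl restart dovecot` is the thing to run after each change rather than a reboot.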