2 messages in net.sourceforge.lists.courier-users: [courier-users] SSL problem unsolved ...

From                       Sent On
Daniele Piaggesi           Jul 19, 2007 5:58 am
Gaye Abdoulaye Walsimou    Jul 19, 2007 6:23 am
Subject: [courier-users] SSL problem unsolved with courier 0.56.0
From: Daniele Piaggesi (d.pi@pronetics.it)
Date: Jul 19, 2007 5:58:50 am
List: net.sourceforge.lists.courier-users

Hi

I have to install a new mail server for my company on Red Hat Enterprise Linux 5, and I chose Courier as my suite. I've built the RPM packages with rpmbuild, following the Courier website instructions, and I've installed these packages:

courier-authlib-0.59.3-10.rh5Server
courier-authlib-ldap-0.59.3-10.rh5Server
courier-pop3d-0.56.0-1.5Server
courier-webadmin-0.56.0-1.5Server
courier-authlib-devel-0.59.3-10.rh5Server
courier-maildrop-0.56.0-1.5Server
courier-imapd-0.56.0-1.5Server
courier-maildrop-wrapper-0.56.0-1.5Server
courier-0.56.0-1.5Server
courier-ldap-0.56.0-1.5Server

I have a problem with imap-over-ssl and pop3-over-ssl. I used mkimapdcert and mkpop3dcert to create my self-signed certs and then I set up imapd-ssl and pop3d-ssl with

TLS_PROTOCOL=SSL23

following this thread "[courier-users] SSL problems with courier 0.56.0".

I tried also with

SSL_PROTOCOL=223

but in both cases I have the same error in /var/log/maillog:

imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

If I use TLS instead, I don't have this error.

Can anyone help me?

For completeness, I print the imapd-ssl and pop3d-ssl configs here.

Bye,
Daniele

===============IMAPD-SSL===============
##VERSION: $Id: imapd-ssl.dist.in,v 1.12 2005/07/02 01:13:57 mrsam Exp $
#
# imapd-ssl created from imapd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2000 - 2004 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used to handle SSL IMAP connections.
#
#  SSL and non-SSL connections are handled by a dedicated instance of the
#  couriertcpd daemon.  If you are accepting both SSL and non-SSL IMAP
#  connections, you will start two instances of couriertcpd, one on the
#  IMAP port 143, and another one on the IMAP-SSL port 993.
#
#  Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:1
#
#  Options in the imapd-ssl configuration file AUGMENT the options in the
#  imapd configuration file.  First the imapd configuration file is read,
#  then the imapd-ssl configuration file, so we do not have to redefine
#  anything.
#
#  However, some things do have to be redefined.  The port number is
#  specified by SSLPORT, instead of PORT.  The default port is port 993.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The SSLADDRESS setting is a default for ports that do not have
#  a specified IP address.

SSLPORT=993

##NAME: SSLADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1

SSLADDRESS=0

##NAME: SSLPIDFILE:0
#
# That's the SSL IMAP port we'll listen on.
# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP.

SSLPIDFILE=/var/spool/courier/tmp/imapd-ssl.pid

##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#

SSLLOGGEROPTS="-name=imapd-ssl"

##NAME: IMAPDSSLSTART:0
#
# Different pid files, so that both instances of couriertcpd can coexist
# happily.
#
# You can also redefine IMAP_CAPABILITY, although I can't
# think of why you'd want to do that.
#
#
# Ok, the following settings are new to imapd-ssl:
#
#  Whether or not to start IMAP over SSL on simap port:

IMAPDSSLSTART=YES

##NAME: IMAPDSTARTTLS:0
#
#  Whether or not to implement IMAP STARTTLS extension instead:

IMAPDSTARTTLS=YES

##NAME: IMAP_TLS_REQUIRED:1
#
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
# is issued).

IMAP_TLS_REQUIRED=0

#########################################################################
#
# The following variables configure IMAP over SSL.  If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated.  courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
# at your own risk.  Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#
##NAME: COURIERTLS:0
#

COURIERTLS=/usr/lib/courier/bin/couriertls

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1

#TLS_PROTOCOL=SSL3
TLS_PROTOCOL=SSL23

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.

#TLS_STARTTLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=SSL23

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/lib/courier/share/imapd.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
# TLS_TRUSTCERTS=

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE

##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for IMAP clients
# that open multiple SSL sessions to the server.  TLS_CACHEFILE will be
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
# buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients.  Disable SSL caching by commenting out the
# following settings:

TLS_CACHEFILE=/var/spool/courier/couriersslcache
TLS_CACHESIZE=524288

##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=../Maildir

=============POP3D-SSL=================
##VERSION: $Id: pop3d-ssl.dist.in,v 1.13 2005/07/02 01:13:57 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2000-2004 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used to handle SSL POP3 connections.
#
#  SSL and non-SSL connections are handled by a dedicated instance of the
#  couriertcpd daemon.  If you are accepting both SSL and non-SSL POP3
#  connections, you will start two instances of couriertcpd, one on the
#  POP3 port 110, and another one on the POP3-SSL port 995.
#
#  Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:0
#
#  Options in the pop3d-ssl configuration file AUGMENT the options in the
#  pop3d configuration file.  First the pop3d configuration file is read,
#  then the pop3d-ssl configuration file, so we do not have to redefine
#  anything.
#
#  However, some things do have to be redefined.  The port number is
#  specified by SSLPORT, instead of PORT.  The default port is port 995.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The SSLADDRESS setting is a default for ports that do not have
#  a specified IP address.

SSLPORT=995

##NAME: SSLADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1

SSLADDRESS=0

##NAME: SSLPIDFILE:0
#
#
#

SSLPIDFILE=/var/spool/courier/tmp/pop3d-ssl.pid

##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#

SSLLOGGEROPTS="-name=pop3d-ssl"

##NAME: POP3DSSLSTART:0
#
#  Whether or not to start POP3 over SSL on spop3 port:

POP3DSSLSTART=YES

##NAME: POP3_STARTTLS:0
#
# Whether or not to implement the POP3 STLS extension:

POP3_STARTTLS=YES

##NAME: POP3_TLS_REQUIRED:1
#
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS
# is issued).

POP3_TLS_REQUIRED=0

##NAME: COURIERTLS:0
#
# The following variables configure POP3 over SSL.  If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated.  courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
# at your own risk.  Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.

COURIERTLS=/usr/lib/courier/bin/couriertls

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1

TLS_PROTOCOL=SSL23

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#

TLS_STARTTLS_PROTOCOL=SSL23

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.
#

##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/lib/courier/share/pop3d.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
# TLS_TRUSTCERTS=

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE

##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
# bytes long, and used as a cache buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients.  Disable SSL caching by commenting out the
# following settings:

TLS_CACHEFILE=/var/spool/courier/couriersslcache
TLS_CACHESIZE=524288

##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=../Maildir

--
Daniele Piaggesi
-----------------------
System Administrator
Pronetics s.p.a.
Via E. L. Cerva 127/C
Tel.    +39.06.51530849
Mob.  +39.328.6176226

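The post above reports that couriertls fails on the SSL-wrapped ports (993/995) with "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" while the STARTTLS path works. The script below is an added diagnostic for that symptom; it is not part of the original message and not Courier's own code, and it makes no claim about the cause of the 0.56.0 problem. It does two things a practitioner would want before changing more settings: it unpacks the hex code in the OpenSSL error string into its library, function and reason numbers (the pre-OpenSSL-3.0 ERR_PACK layout), and it probes a port to see what the listener actually speaks, since an implicit-TLS server stays silent until the client sends a ClientHello whereas a plaintext IMAP or POP3 daemon sends its banner immediately. The host name, the sample banners and the sample TLS record bytes are assumptions constructed for the example.

```python
"""Diagnostics for a 'wrong version number' failure on imaps/pop3s ports.

Added example; not from the original post and not part of Courier.
  * decode_openssl_error(): split the packed error code in an OpenSSL
    error string into lib / func / reason numbers (pre-3.0 ERR_PACK:
    8-bit library, 12-bit function, 12-bit reason).
  * classify_server_bytes() / probe(): tell whether a listener behaves
    like an implicit-TLS server (silent until the client's ClientHello,
    then answers with a TLS record) or like a plaintext IMAP/POP3 server
    (sends its banner right after connect).
"""
import re
import socket
import ssl

# Constructed sample inputs (not captured from the poster's server).
SAMPLE_LOG_LINE = ("imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:"
                   "SSL3_GET_RECORD:wrong version number")
SAMPLE_IMAP_BANNER = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Courier-IMAP ready.\r\n"
SAMPLE_POP3_BANNER = b"+OK Hello there.\r\n"
SAMPLE_TLS_RECORD = bytes.fromhex("160301004a020000460301")  # TLS 1.0 ServerHello header

_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_openssl_error(line):
    """Parse 'error:XXXXXXXX:lib:func:reason' and unpack the hex code."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": code >> 24,               # 20 == ERR_LIB_SSL
        "func": (code >> 12) & 0xFFF,    # function number inside that library
        "reason": code & 0xFFF,          # reason number, here WRONG_VERSION_NUMBER
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }


TLS_CONTENT_TYPES = {0x15: "alert", 0x16: "handshake"}


def classify_server_bytes(data):
    """Classify the first bytes a server sends on a fresh connection."""
    if not data:
        return "silent"            # what an implicit-TLS listener looks like
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls-record"        # SSL 3.0 .. TLS 1.3 record header
    head = data[:16].decode("ascii", "replace")
    if head.startswith("* OK"):
        return "plaintext-imap"
    if head.startswith("+OK"):
        return "plaintext-pop3"
    return "unknown"


def probe(host, port, timeout=3.0):
    """Connect to host:port and report (kind, detail) for what it speaks.

    A plaintext greeting on an SSL-wrapped port means no TLS wrapper sits in
    front of the daemon.  A silent listener is then handshaked with the ssl
    module to confirm it really speaks TLS.  Certificate verification is
    off because mkimapdcert/mkpop3dcert produce self-signed certs; this is
    a diagnostic, not a mail client.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(256, socket.MSG_PEEK)   # peek, do not consume
        except socket.timeout:
            banner = b""
        kind = classify_server_bytes(banner)
        if kind != "silent":
            return kind, banner
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls-ok", tls.version()
        except ssl.SSLError as exc:
            return "tls-error", exc.reason or str(exc)   # e.g. WRONG_VERSION_NUMBER
        except OSError as exc:
            return "tcp-error", str(exc)


if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE_LOG_LINE))
    for port in (993, 995):                      # host name is an assumption
        print(port, probe("mail.example.com", port))
```

Run it against the server from the box itself; if port 993 answers "plaintext-imap" the couriertls wrapper is not in front of the daemon that is listening there, and if it answers "tls-error" with the same reason the log shows, the failure is reproducible outside Courier's own client and worth reporting with the exact bytes.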