Bug#846082: cyrus-imapd: TLS connections fail with 2.5.10-2 (new config option?)

David Caldwell david at porkrind.org
Mon Nov 28 11:25:00 UTC 2016


Package: cyrus-imapd
Version: 2.5.10-2
Severity: important

Dear Maintainer,

I just installed 2.5.10-2 tonight and afterward no clients could connect to
the imap server (thunderbird, iOS mail). I tried testing with s_client and
got this:

    # openssl s_client -connect <my-server-redacted>:993 -tls1_2
    CONNECTED(00000003)
    140392100000896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1480330922
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---

In /var/log/mail.log I found these messages (for each connection attempt):

    Nov 28 02:49:50 death cyrus/imaps[19158]: inittls: Loading hard-coded DH parameters
    Nov 28 02:49:50 death cyrus/imaps[19158]: imaps TLS negotiation failed: cpe-172-249-96-89.socal.res.rr.com [172.249.96.89]

I played around and eventually commented out this line in /etc/imapd.conf:

    tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH

After that all the clients (including s_client) could connect (s_client
reported this: "TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384").

I don't understand the syntax of that line, but I suspect something might be
wrong there. If it's correct, any idea why no clients can connect to the
server?

Thanks,
    David

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cyrus-imapd depends on:
ii  cyrus-common  2.5.10-2
ii  dpkg          1.18.15
ii  libc6         2.24-5
ii  libicu57      57.1-4
ii  libsasl2-2    2.1.27~72-g88d82a3+dfsg-1
ii  libssl1.1     1.1.0c-2
ii  libwrap0      7.6.q-25
ii  zlib1g        1:1.2.8.dfsg-2+b3

cyrus-imapd recommends no packages.

cyrus-imapd suggests no packages.

-- no debconf information
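
One way to see what a `tls_ciphers` string such as the one quoted in the report expands to on a given machine. This is an added example, not part of the original report or of the Cyrus packaging. The function names and the config fragment are constructed for illustration, and the output depends on the locally installed OpenSSL.

```sh
#!/bin/sh
# Added example: see which suites an imapd.conf tls_ciphers string selects
# with the locally installed OpenSSL. Function names are illustrative.

# Print the value of the active (uncommented) tls_ciphers line in file $1.
conf_tls_ciphers() {
    sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*tls_ciphers[[:space:]]*:[[:space:]]*//p' "$1" |
        tail -n 1
}

# Expand cipher string $1 to "NAME PROTOCOL" lines. TLSv1.3 suites are
# dropped because a cipher string does not select them. Returns non-zero
# when nothing is selected or openssl is unavailable.
expand_ciphers() {
    _out=$(openssl ciphers -v "$1" 2>/dev/null |
           awk '$2 != "TLSv1.3" { print $1, $2 }')
    [ -n "$_out" ] && printf '%s\n' "$_out"
}

# Succeed if suite $2 is among the suites selected by cipher string $1.
string_offers() {
    expand_ciphers "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Constructed config fragment; the active line is the one from the report.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# tls_ciphers: HIGH
tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
EOF

string=$(conf_tls_ciphers "$conf")
rm -f "$conf"
echo "tls_ciphers = $string"
expand_ciphers "$string" || echo "(no suites selected, or openssl missing)"

# Suite the report saw negotiated after the option was commented out.
suite=ECDHE-RSA-AES256-GCM-SHA384
if string_offers "$string" "$suite"; then
    echo "$suite: selected by this string"
else
    echo "$suite: not selected by this string"
fi
```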


