Saturday, November 02, 2019

Courier-Imap no longer accepts ssl connections after update to -current

Hi (again):

After updating to current yesterday, and then updating all the packages
(using "pkg_add -vui -Dsnap"), I can no longer connect to the ssl (993) port
of the courier-imap server running on the system.

Prior to the update, ssl connections were working without an issue.

Now, when trying to connect, the client gets a "A secure connection to the
server cannot be established" message.

On the server, I see the following in the log for each ssl connection
attempt:

Nov 2 07:40:38 host imapd-ssl: ip=[::ffff:127.0.0.1], couriertls: /etc/ssl/private/imapd.pem: error:02FFF00D:system library:func(4095):Permission denied

Nov 2 07:40:38 host imapd-ssl: ip=[::ffff:127.0.0.1], couriertls: /etc/ssl/private/imapd.pem: error:20FFF002:BIO routines:CRYPTO_internal:system lib

The packages for courier currently installed are:

pkg_info | grep courier
courier-authlib-0.69.1 authentication library for courier
courier-authlib-mysql-0.69.1 mysql authentication module for courier-authLib
courier-imap-5.0.8 imap server for maildir format mailboxes
courier-pop3-5.0.8 pop3 server for maildir format mailboxes
courier-unicode-2.1 courier unicode library

I did not make any changes to the /etc/courier/imapd-ssl configuration file.
What was working for me before was:
cat imapd-ssl |grep -v ^$ | grep -v ^#
SSLPORT=993
SSLADDRESS=0
MAXDAEMONS=500
MAXPERIP=100
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=NO
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/bin/couriertls
TLS_CERTFILE=/etc/ssl/private/imapd.pem
TLS_DHPARAMS=/etc/ssl/private/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/CA/cacert.pem
TLS_VERIFYPEER=NONE
MAILDIRPATH=Maildir

Anyway, I don't know what the error lines really mean. I am wondering if it
is something to do with the "interface" between courier and the ssl libraries.
I have tried "exploring" the web on this over the last 24 hours, but have
been unable to find anything to point me in any direction.

As this is an "internal" mail-server, I just re-enabled the non-ssl
connection, so I can still connect to my mail.

But, I am wondering if there is anything that I could do to resolve this
ssl-connection issue.

Thanks (again)
Ted
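
Added example, not part of the original post: the two couriertls log entries above carry packed libcrypto error codes, and this sketch decodes them. It assumes the OpenSSL 1.x-style layout (8-bit library, 12-bit function, 12-bit reason); the names `decode`, `explain` and `SAMPLE_LOG` are made up for the example.

```python
import errno
import re

# Constructed sample: the two syslog entries from the post, with the
# mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Nov 2 07:40:38 host imapd-ssl: ip=[::ffff:127.0.0.1], couriertls: /etc/ssl/private/imapd.pem: error:02FFF00D:system library:func(4095):Permission denied
Nov 2 07:40:38 host imapd-ssl: ip=[::ffff:127.0.0.1], couriertls: /etc/ssl/private/imapd.pem: error:20FFF002:BIO routines:CRYPTO_internal:system lib
"""

# Library numbers from the OpenSSL 1.x / LibreSSL err.h (only the two seen here).
ERR_LIBS = {0x02: "ERR_LIB_SYS", 0x20: "ERR_LIB_BIO"}
ERR_R_SYS_LIB = 2  # generic reason: a system call failed underneath this library

LINE_RE = re.compile(r"couriertls: (?P<path>\S+): error:(?P<code>[0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Split a packed error code into library, function and reason fields."""
    value = int(code_hex, 16)
    lib = (value >> 24) & 0xFF
    func = (value >> 12) & 0xFFF
    reason = value & 0xFFF
    if lib == 0x02:
        # For the "system library" the reason field is the errno of the failed call.
        meaning = errno.errorcode.get(reason, "errno %d" % reason)
    elif reason == ERR_R_SYS_LIB:
        meaning = "ERR_R_SYS_LIB"
    else:
        meaning = "reason %d" % reason
    return {"lib": ERR_LIBS.get(lib, hex(lib)), "func": func,
            "reason": reason, "meaning": meaning}


def explain(log_text):
    """Return (file path, decoded error) for every couriertls error line."""
    found = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            found.append((match.group("path"), decode(match.group("code"))))
    return found


if __name__ == "__main__":
    for path, info in explain(SAMPLE_LOG):
        print(path, info)
```

Decoded, both entries describe one failure: a system call on /etc/ssl/private/imapd.pem returned EACCES, and the BIO layer then reported that a system call had failed. The check that follows from this is the file's owner and mode (`ls -l`) against the account couriertls runs as.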
