Thread: 6.0.7 and POP with TLS

  1. #1
    Join Date
    Apr 2010
    Location
    Bavaria, Germany
    Posts
    18
    Rep Power
    5

    Default 6.0.7 and POP with TLS

    This is a somewhat strange issue with a freshly updated 6.0.7 (coming from 6.0.6)

    When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error
    "Unrecognized SSL message, plaintext connection?"
    (addition: same for newly created accounts, they don't pass the connection test with the same error)

    Logging the traffic being passed and trying my luck with openssl s_client, I found out that Zimbra is actually trying to connect to TLSv1 via SSL2.

    (the interesting line here is
    "14079:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:")
    I'm running this on CentOS 5.3 x64 with a multi-server setup (though that should not play into it in this case)
    Trying openssl s_client with the starttls pop option and tlsv1 as the forced protocol, communication works - if I leave the default it tries ssl2 and fails.
    I guess that might be a part of the problem for Zimbra.

    ... you might expect the port 110 pop connection to default to tlsv1, though.

    Note that external pop works just fine on port 110 when hosts do not offer TLS.

    Any ideas how I can get this cleanly back up and working without having to apply a fix on each update?
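
Added example (not part of the original posts and not Zimbra code): port 110 speaks plaintext POP3 first and TLS may start only after the `STLS` command (RFC 2595), so a client that opens with a TLS handshake reads the `+OK` greeting where it expects a TLS record. The sketch below classifies those first bytes and runs the plaintext half of the STLS negotiation; `fake_server`, `demo` and the sample greeting are constructed for illustration.

```python
import socket
import threading

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a client reads back from the server."""
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"        # alert/handshake record: peer is speaking TLS
    if data.startswith((b"+OK", b"-ERR")):
        return "pop3-plaintext"    # POP3 greeting: TLS must wait for STLS
    return "unknown"

def _line(f) -> bytes:
    raw = f.readline()
    if not raw:
        raise ConnectionError("peer closed the connection")
    return raw.rstrip(b"\r\n")

def negotiate_stls(sock) -> bool:
    """Plaintext half of RFC 2595 STLS; True means 'start the TLS handshake now'."""
    f = sock.makefile("rb", buffering=0)   # unbuffered: never read past the +OK
    if not _line(f).startswith(b"+OK"):    # server greeting
        return False
    sock.sendall(b"CAPA\r\n")
    if not _line(f).startswith(b"+OK"):
        return False
    caps = []
    while (cap := _line(f)) != b".":       # capability list ends with a lone "."
        caps.append(cap.upper())
    if b"STLS" not in caps:
        return False                       # caller decides; no silent cleartext fallback
    sock.sendall(b"STLS\r\n")
    return _line(f).startswith(b"+OK")     # next step: SSLContext.wrap_socket(sock)

def fake_server(sock, offer_stls: bool) -> None:
    """Constructed stand-in for a port-110 server (no real TLS behind it)."""
    f = sock.makefile("rb", buffering=0)
    sock.sendall(b"+OK POP3 ready\r\n")
    while (cmd := f.readline().strip().upper()) in (b"CAPA", b"STLS"):
        if cmd == b"STLS":
            sock.sendall(b"+OK Begin TLS negotiation\r\n")
            return
        sock.sendall(b"+OK\r\nUSER\r\n" + (b"STLS\r\n" if offer_stls else b"") + b".\r\n")

def demo(offer_stls: bool) -> bool:
    client, server = socket.socketpair()
    threading.Thread(target=fake_server, args=(server, offer_stls), daemon=True).start()
    try:
        return negotiate_stls(client)
    finally:
        client.close()
```
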

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by fiesch View Post
    When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error
    "Unrecognized SSL message, plaintext connection?"
    (addition: same for newly created accounts, they don't pass the connection test with the same error)
    The correct port for a secure connection against a POP3 server is 995 not 110.
    Regards


    Bill



  3. #3
    Join Date
    Mar 2009
    Location
    Sarajevo
    Posts
    44
    Rep Power
    6

    Default

    This seems related to a problem I started to have after the upgrade to 6.0.7, except I use IMAP. When I log in to ZWC, I get an error for my EXTERNAL IMAP accounts "Error: Connection reset".
    Everything worked fine with versions up to 6.0.6. What I think is that the external IMAP server is not using SSL, only port 143 is open.

    Here is part of my mailbox.log:
    2010-06-17 11:30:05,749 WARN [ScheduledTask-2] [name=login@mail;.... datasource - Scheduled DataSource import failed.
    com.zimbra.common.service.ServiceException: system failure: Unable to connect to IMAP server: DataSource: ... type=imap,
    isEnabled=true, name=name, host=IP, port=143, connectionType=cleartext, username=Code:service.FAILURE login@mail folderId=1304 }
    ExceptionId:ScheduledTask-...
    Code:service.FAILURE
    at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:248)
    at com.zimbra.cs.datasource.imap.ImapSync.connect(ImapSync.java:248)
    at com.zimbra.cs.datasource.imap.ImapSync.importData(ImapSync.java:84)
    at com.zimbra.cs.datasource.imap.ImapSync.importData(ImapSync.java:79)
    at com.zimbra.cs.datasource.DataSourceManager.importData(DataSourceManager.java:254)
    at com.zimbra.cs.datasource.DataSourceManager.importData(DataSourceManager.java:214)
    at com.zimbra.cs.datasource.DataSourceTask.call(DataSourceTask.java:82)
    at com.zimbra.cs.datasource.DataSourceTask.call(DataSourceTask.java:28)
    at com.zimbra.common.util.TaskScheduler$TaskRunner.call(TaskScheduler.java:96)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:207)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.zimbra.common.net.CustomSSLSocket.startHandshake(CustomSSLSocket.java:90)
    at com.zimbra.cs.mailclient.MailConnection.startTls(MailConnection.java:108)
    at com.zimbra.cs.mailclient.MailConnection.connect(MailConnection.java:92)
    at com.zimbra.cs.datasource.imap.ImapSync.connect(ImapSync.java:231)

    Is this an upgrade or other issue? Related to Invalid Bug ID and StartTLS? Where should I look further?

  4. #4
    Join Date
    Apr 2010
    Location
    Bavaria, Germany
    Posts
    18
    Rep Power
    5

    Default

    Well, this server is configured to offer TLS over port 110, and this worked up to 6.0.6 with Zimbra as well.

  5. #5
    Join Date
    Sep 2009
    Posts
    10
    Rep Power
    6

    Default

    I'm having the same problem.
    It works fine with IMAP, but it shows "Unrecognized SSL message, plaintext connection?" with POP.

    It worked fine in 6.0.2, and the problems are in 7.0.0.

    Please help!!!

  6. #6
    Join Date
    Mar 2010
    Posts
    25
    Rep Power
    5

    Default

    I've got the same problem on version 7. Anyone with a solution?
