6.0.7 and POP with TLS

fiesch
Posts: 18
Joined: Sat Sep 13, 2014 1:09 am

Post by fiesch »

This is a somewhat strange issue with a freshly updated 6.0.7 (coming from 6.0.6).
When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error

"Unrecognized SSL message, plaintext connection?"

(Addition: same for newly created accounts; they don't pass the connection test, with the same error.)
Logging the traffic being passed and trying my luck with openssl s_client, I found out that Zimbra is actually trying to connect to TLSv1 via SSL2.
(The interesting line here is

"14079:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:")

I'm running this on CentOS 5.3 x64 with a multi-server setup (though that should not play into it in this case)

Trying openssl s_client with the starttls pop option and tlsv1 as the forced protocol, communication works. If I leave the default, it tries SSL2 and fails.

I guess that might be a part of the problem for Zimbra.
... you might expect the port 110 POP connection to default to TLSv1, though.
Note that external POP works just fine on port 110 when hosts do not offer TLS.
Any ideas how I can get this cleanly back up and working without having to apply a fix on each update?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

[quote user="fiesch"]When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error

"Unrecognized SSL message, plaintext connection?"

(addition: same for newly created accounts, they don't pass the connection test with the same error)[/QUOTE]
The correct port for a secure connection against a POP3 server is 995, not 110.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
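
The two ways a POP3 client reaches TLS that the posts above turn on (an STLS upgrade after the plaintext greeting on port 110, versus TLS from the first byte, conventionally on port 995), as an added example that is not part of any post or of Zimbra's code. It classifies the first bytes on the wire and picks a mode from the greeting and the CAPA reply; the function names and all sample bytes are constructed for illustration.

```python
# Added illustration; sample bytes below are constructed, not captured traffic.
SAMPLE_GREETING = b"+OK POP3 server ready\r\n"
SAMPLE_CAPA = b"+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\nUSER\r\n.\r\n"
SAMPLE_TLS_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x2F])   # TLSv1 handshake record header
SAMPLE_SSLV2_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01])  # SSLv2-format ClientHello header


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol framing that starts with these bytes."""
    if data.startswith((b"+OK", b"-ERR")):
        return "pop3-plaintext"      # a TLS stack reading this sees a non-TLS message
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"          # content type 22 (handshake), major version 3
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"  # 2-byte length with high bit set, message type 1
    return "unknown"


def parse_capa(response: bytes) -> set:
    """Return the capability tags from a multi-line CAPA reply (RFC 2449)."""
    lines = response.split(b"\r\n")
    if not lines[0].startswith(b"+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        if line == b".":             # terminator of the multi-line reply
            break
        tag = line.split()[:1]       # first word is the capability tag
        if tag:
            caps.add(tag[0].decode("ascii", "replace").upper())
    return caps


def plan_connection(greeting: bytes, capa_reply: bytes) -> str:
    """Decide how a client must proceed on this port."""
    if not greeting:
        return "implicit-tls"        # server waits for a ClientHello (port 995 style)
    if classify_first_bytes(greeting) != "pop3-plaintext":
        return "unknown"
    if "STLS" in parse_capa(capa_reply):
        return "starttls"            # send STLS, wait for +OK, then start the handshake
    return "cleartext"


if __name__ == "__main__":
    print(plan_connection(SAMPLE_GREETING, SAMPLE_CAPA))
```

A client that starts its handshake on port 110 without first sending STLS reads the `+OK` greeting where it expects a TLS record, which is the condition Java's TLS stack reports as "Unrecognized SSL message, plaintext connection?".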
tim_ba
Advanced member
Posts: 62
Joined: Sat Sep 13, 2014 12:10 am

Post by tim_ba »

This seems related to my problem I started to have after the upgrade to 6.0.7, except I use IMAP. When I log in to ZWC, I get an error for my EXTERNAL IMAP accounts: "Error: Connection reset".

Everything worked fine with versions up to 6.0.6. What I think is that the external IMAP server is not using SSL, only port 143 is open.
Here is part of my mailbox.log:

2010-06-17 11:30:05,749 WARN [ScheduledTask-2] [name=login@mail;.... datasource - Scheduled DataSource import failed.
com.zimbra.common.service.ServiceException: system failure: Unable to connect to IMAP server: DataSource: ... type=imap, isEnabled=true, name=name, host=IP, port=143, connectionType=cleartext, username=Code:service.FAILURE login@mail folderId=1304 }
ExceptionId:ScheduledTask-...
Code:service.FAILURE
    at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:248)
    at com.zimbra.cs.datasource.imap.ImapSync.connect(ImapSync.java:248)
    at com.zimbra.cs.datasource.imap.ImapSync.importData(ImapSync.java:84)
    at com.zimbra.cs.datasource.imap.ImapSync.importData(ImapSync.java:79)
    at com.zimbra.cs.datasource.DataSourceManager.importData(DataSourceManager.java:254)
    at com.zimbra.cs.datasource.DataSourceManager.importData(DataSourceManager.java:214)
    at com.zimbra.cs.datasource.DataSourceTask.call(DataSourceTask.java:82)
    at com.zimbra.cs.datasource.DataSourceTask.call(DataSourceTask.java:28)
    at com.zimbra.common.util.TaskScheduler$TaskRunner.call(TaskScheduler.java:96)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:207)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.zimbra.common.net.CustomSSLSocket.startHandshake(CustomSSLSocket.java:90)
    at com.zimbra.cs.mailclient.MailConnection.startTls(MailConnection.java:108)
    at com.zimbra.cs.mailclient.MailConnection.connect(MailConnection.java:92)
    at com.zimbra.cs.datasource.imap.ImapSync.connect(ImapSync.java:231)
Is this an upgrade or other issue? Related to Invalid Bug ID and StartTLS? Where should I look further?
fiesch
Posts: 18
Joined: Sat Sep 13, 2014 1:09 am

Post by fiesch »

Well, this server is configured to offer TLS over port 110, and this worked up to 6.0.6 with Zimbra as well.
eethore
Posts: 10
Joined: Sat Sep 13, 2014 12:41 am

Post by eethore »

I'm having the same problem.

It works fine with IMAP, but it shows "Unrecognized SSL message, plaintext connection?" with POP.
It works fine in 6.0.2, and has problems in 7.0.0.
Please help!!!
mrdebian
Posts: 28
Joined: Sat Sep 13, 2014 1:05 am
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Post by mrdebian »

I've got the same problem on version 7. Anyone with a solution?