
When I click "Get Messages" in the Thunderbird client, I cannot retrieve any email from my Cyrus-imap POP3 server. I configured the Thunderbird client to use POP3 port 995, Connection security: SSL/TLS. There are no error messages shown in Thunderbird. It appears Thunderbird has logged in to the server but finds the mailbox empty. But the mailbox is not actually empty, because I can use openssl to retrieve emails from it. During Thunderbird's connection, there are some logs in /var/log/maillog:

Sep 14 04:17:32 host1 pop3s[26537]: skiplist: checkpointed /var/lib/imap/tls_sessions.db (125 records, 23196 bytes) in 0 seconds
Sep 14 04:17:32 host1 pop3s[26537]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication
Sep 14 04:17:32 host1 pop3s[26537]: counts: retr=<0> top=<0> dele=<0>

Why does starttls occur in the log? I configured Thunderbird to use SSL/TLS not STARTTLS. What does the "counts: retr=<0> top=<0> dele=<0>" mean?

I think the problem is probably caused by the self-signed certificate Cyrus-imap uses, so I applied for a Let's Encrypt certificate for the domain and changed /etc/imap.conf from

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

to:

tls_cert_file: /etc/letsencrypt/live/example.com/fullchain.pem
tls_key_file: /etc/letsencrypt/live/example.com/privkey.pem
tls_ca_file: /etc/letsencrypt/live/example.com/chain.pem

and set the permissions of /etc/letsencrypt/live/example.com/, /etc/letsencrypt/archive/example.com/ and all files in those directories to 777. When I click "Get Messages" in Thunderbird again, the problem persists, but the logs in /var/log/maillog change to:

Sep 14 04:36:25 host1 pop3s[30099]: skiplist: checkpointed /var/lib/imap/tls_sessions.db (126 records, 23388 bytes) in 0 seconds
Sep 14 04:36:25 host1 pop3s[30099]: TLS server engine: cannot load CA data
Sep 14 04:36:25 host1 pop3s[30099]: unable to get certificate from '/etc/letsencrypt/live/example.com/fullchain.pem'
Sep 14 04:36:25 host1 pop3s[30099]: TLS server engine: cannot load cert/key data
Sep 14 04:36:25 host1 pop3s[30099]: [pop3d] error initializing TLS
Sep 14 04:36:25 host1 pop3s[30099]: Fatal error: tls_init() failed
Sep 14 04:36:25 host1 pop3s[30099]: counts: retr=<0> top=<0> dele=<0>

So what on earth is the problem? Did Thunderbird successfully connect to and log in to the server but not find a message for some reason, or could it just not connect to the server?

William
  • Just guessing: `tls_ca_file` expects a certificate from a CA, and the CA only, not the complete chain. If `tls_ca_file` is necessary you could extract it from the chain file and store it in its own file, but maybe you can just comment it out if it is not needed. – Gerald Schneider Sep 14 '20 at 13:44
  • @GeraldSchneider I tried commenting out tls_ca_file, using "tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt" and using "/etc/letsencrypt/live/example.com/isrgrootx1.pem" (isrgrootx1.pem is downloaded from Let's Encrypt), but none worked. – William Sep 14 '20 at 13:52
  • You used `chmod 777` inappropriately (note that there are **no** appropriate uses for chmod 777, not even "testing") and now you can't load your TLS certs because they are compromised. Fix the permissions and start over, and hope nobody stole your private keys. – Michael Hampton Sep 14 '20 at 14:56
  • Stumbled on this as I have the exact same, stupid, issue. Frustrated beyond belief with the sheer lack of documentation and quality. Digging into the source code now, but I'd rather dump cyrus-imap and find something that just works. – Kilo Apr 01 '21 at 01:29
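The second maillog excerpt says the pop3s process could not open the files named by tls_cert_file / tls_key_file / tls_ca_file, and the chmod 777 in the question is exactly what a key-handling check should refuse. The script below is an added example, not code from the question or from Cyrus IMAP: it checks that every configured file is readable by the service account (reading a file also needs search permission on each parent directory, so a 0644 file under a 0700 directory still fails), that nothing is world-writable, that the private key is not group/world readable, that the certificate's public key matches the private key, and that the leaf verifies against the CA file; it can then open a POP3-over-TLS session on port 995 with openssl s_client. Assumptions not stated on the page: GNU coreutils `stat -c`, the OpenSSL command-line tool, `sudo`, and that the Cyrus service processes run as the user in `$CYRUS_USER` (default "cyrus"; adjust to your distribution). The file paths in the usage driver are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the question or Cyrus IMAP). Assumes GNU stat, the
# openssl CLI, sudo, and that Cyrus runs as $CYRUS_USER (default "cyrus").
CYRUS_USER="${CYRUS_USER:-cyrus}"

# Octal permission bits of a file, following symlinks (Let's Encrypt's live/
# directory holds symlinks into archive/), e.g. "600".
file_mode() { stat -L -c '%a' "$1"; }

# Private key is acceptably protected when group and other have no bits set
# (0600 or 0400). Leading 0 makes the shell treat the mode as octal.
key_mode_is_private() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 0077 )) -eq 0 ]
}

# The mode the question used (777) lets any local user replace the cert or key.
is_world_writable() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 0002 )) -ne 0 ]
}

# Can $1 open $2 for reading?  `test -r` run as that user also covers the
# search (x) bit on every parent directory, which a bare file mode does not.
readable_as_user() {
    if [ "$1" = "$(id -un)" ]; then
        [ -r "$2" ]
    else
        sudo -n -u "$1" test -r "$2" 2>/dev/null
    fi
}

# Compare the SubjectPublicKeyInfo from the certificate with the one derived
# from the private key; a mismatch means cert and key come from different runs.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does the leaf certificate $1 verify against the CA/chain file $2?
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run every check on CERT KEY CA; print one line per finding; return the
# number of failures (0 means the files are usable by the service account).
check_tls_files() {
    cert=$1; key=$2; ca=$3; fails=0
    for f in "$cert" "$key" "$ca"; do
        readable_as_user "$CYRUS_USER" "$f" ||
            { echo "FAIL: $f not readable by $CYRUS_USER (check parent directories too)"; fails=$((fails+1)); }
        is_world_writable "$f" &&
            { echo "FAIL: $f is world-writable (mode $(file_mode "$f"))"; fails=$((fails+1)); }
    done
    key_mode_is_private "$key" ||
        { echo "FAIL: $key readable by group/other (mode $(file_mode "$key"))"; fails=$((fails+1)); }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: public key in $cert does not match $key"; fails=$((fails+1)); }
    chain_verifies "$cert" "$ca" ||
        { echo "FAIL: $cert does not verify against $ca"; fails=$((fails+1)); }
    return "$fails"
}

# Implicit-TLS POP3 probe (what port 995 with "SSL/TLS" means): the server
# greets with +OK, CAPA lists capabilities, QUIT ends the session cleanly.
pop3s_probe() {
    printf 'CAPA\r\nQUIT\r\n' | openssl s_client -connect "$1:${2:-995}" -quiet 2>/dev/null
}

# Usage: check_tls.sh CERT KEY CA [HOST [PORT]]
if [ $# -ge 3 ]; then
    check_tls_files "$1" "$2" "$3"
    [ $# -ge 4 ] && pop3s_probe "$4" "${5:-995}"
fi
```

Run it with the paths from the question, e.g. `sh check_tls.sh /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/chain.pem mail.example.com`. A FAIL on readability points at ownership or a non-searchable parent directory rather than at the file itself; the fix is to grant the service account read access to the specific files (a group on the key, or a copy owned by that account with mode 0600), not 777. When the probe returns +OK lines, the corresponding maillog entry is a pop3s session with a "starttls:" line, and the "counts:" line Cyrus writes at session end records how many RETR, TOP and DELE commands the client issued.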

0 Answers