
Original title: IMAP connection to Dovecot fails only from Thunderbird

I have set up Dovecot with SSL (TLS) on port 993. I can connect with Outlook, PHP SMTP and Android Mail, however Thunderbird doesn't connect. It says "Configuration could not be verified - is the username or password wrong?". The Dovecot error log shows this:

Jan 05 22:41:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [1.2.3.4]
Jan 05 22:41:45 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [1.2.3.4]
Jan 05 22:41:45 imap-login: Warning: SSL alert: where=0x4008, ret=598: fatal unknown [1.2.3.4]
Jan 05 22:41:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [1.2.3.4]
Jan 05 22:41:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [1.2.3.4]
Jan 05 22:41:45 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=4.5.6.7, TLS handshaking: SSL_accept() failed: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback, session=<yDs4Z48DudCBhYne>

I have disabled SSLv2 and SSLv3 in 10-ssl.conf:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

What can the problem be? It works fine in all the other email clients I have tried, which is why this is a bit strange.

Friend of Kim
  • Did rebooting happen to install some updates? :) – Michael Hampton Jan 05 '15 at 23:14
  • I see that you have posted an answer. Will read it :) I have a Debian server with Dovecot. Two hours ago I installed Thunderbird on my own Windows machine, and got this error right out of the box. I then restarted the computer and it just worked. – Friend of Kim Jan 05 '15 at 23:17
  • You might have installed an older version of Thunderbird and it self-updated? Firefox and Thunderbird automatically update themselves on Windows by default. – Michael Hampton Jan 05 '15 at 23:18
  • @MichaelHampton Ahh, I didn't know. That may very well have been the case! Thank you! :) – Friend of Kim Jan 05 '15 at 23:21

1 Answer


First thing I would do would be to update the client.

What is happening here is an attempted protocol downgrade. That is, the client is trying to downgrade from TLSv1 to SSLv3, or from any higher version of TLS to a lower version. (Exactly which is not clear from the logs, and would require more verbose OpenSSL debugging to be enabled, but that particular detail is not really relevant.)

The reason that the protocol downgrade is failing is that your server has protocol downgrade prevention (TLS_FALLBACK_SCSV) enabled, as a mitigation for the POODLE attack.

So, the first thing to check is to make sure the client is up to date; that means at minimum Thunderbird and its supporting libraries.

After that I would check the protocol list. I'm concerned that you didn't specify TLSv1, TLSv1.1 and TLSv1.2 explicitly. While this shouldn't make a difference, as these ought to be enabled by default, it might help.

ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2

Finally, there's the rare possibility that you caught someone attempting to attack your connection, and the attack was thwarted.

Michael Hampton
  • Thank you for your answer. I believe it might have been my antivirus kicking in. All SSL-encrypted websites apparently are signed by my antivirus provider even though they are not. Additionally right before the reboot it asked me to close Chrome and Thunderbird because of security upgrades. – Friend of Kim Jan 05 '15 at 23:19
  • Yep, in that case it sounds like your AV screwing with the connection. In this case _it_ is the man in the middle. – Michael Hampton Jan 05 '15 at 23:20
  • @MichaelHampton Why do you whitelist TLS explicitly, instead of just disabling SSL here? – sebix Jan 06 '15 at 09:21
  • @sebix As I said in the post, it's to ensure that they aren't disabled. – Michael Hampton Jan 06 '15 at 14:53