This repository was archived by the owner on Feb 4, 2025. It is now read-only.

IMAP authentication seems broken (SSL routines:tls_early_post_process_client_hello:unsupported protocol) #18

@elchusco

Setup

I am using the latest Docker version with the docker-compose provided here.

Here are my env vars:

      - CYPHT_AUTH_USERNAME=*********
      - CYPHT_AUTH_PASSWORD=*********
      - CYPHT_DB_CONNECTION_TYPE=host
      - CYPHT_DB_HOST=db
      - CYPHT_DB_NAME=cypht
      - CYPHT_DB_USER=********
      - CYPHT_DB_PASS=**********
      - CYPHT_SESSION_TYPE=DB
      - CYPHT_AUTH_TYPE=IMAP
      - CYPHT_IMAP_AUTH_NAME="Mailserver"
      - CYPHT_IMAP_AUTH_SERVER=mail.exemple.com
      - CYPHT_IMAP_AUTH_PORT=993
      - CYPHT_IMAP_AUTH_TLS=true
      - CYPHT_DEFAULT_SMTP_NAME="Mailserver"
      - CYPHT_DEFAULT_SMTP_SERVER=mail.exemple.com
      - CYPHT_DEFAULT_SMTP_PORT=587
      - CYPHT_DEFAULT_SMTP_TLS=true
      - CYPHT_DEFAULT_SMTP_NO_AUTH=false
      - CYPHT_MODULE_DESKTOP_NOTIFICATIONS=enable
      - CYPHT_DEFAULT_SETTING_TIMEZONE=Europe/Paris
      - CYPHT_DEFAULT_SETTING_LANGUAGE=en
      - CYPHT_ADMIN_USERS="********@exemple.com"

I am trying to authenticate against a Dovecot instance which has run well for a couple of years, and I have never had any issue with any other IMAP client.

Here's the Dovecot SSL config:

ssl_min_protocol = TLSv1.2
ssl = required
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes

Issue

When I try to log in on the Cypht WebUI, I get an "Invalid username or password" message.

When I check the Dovecot logs, I get these logs:

Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Feb 17 13:38:06  dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<+IfHleT0ya3BN192>
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

What I tried

Change CYPHT_IMAP_AUTH_TLS from true to false

I shouldn't do it as my IMAP is secured by SSL, but still. The Dovecot logs now say:

Feb 17 13:14:55 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<BF/lQuT0j23BN192>

I don't know what I'm supposed to think here as no SSL negotiation should be attempted, I should have an SSL version number error.

Change SSL config on dovecot

I tried commenting out those lines without any success:

# ssl_min_protocol = TLSv1.2
# ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# ssl_prefer_server_ciphers = yes  

I also tried to change ssl_min_protocol from TLSv1.2 to TLSv1.0: same results.

I changed ssl_cipher_list to ALL with the same results as well.

Am I missing something there?
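
An added example, not part of the original post: a small Python parser that pulls the OpenSSL reason out of Dovecot `imap-login` disconnect lines and records whether the connection dropped before any authentication attempt, which the "no auth attempts" field in the logs above indicates. The sample lines are copied from the log excerpts in the post; the `HINTS` text describes general OpenSSL behaviour and is an assumption, not a confirmed diagnosis of this setup.

```python
import re

# General meaning of the OpenSSL reason strings seen above (an assumption
# about typical causes, not a confirmed diagnosis of this deployment).
HINTS = {
    "unsupported protocol":
        "client offered a TLS/SSL version the server's OpenSSL will not accept",
    "wrong version number":
        "first bytes were not a valid TLS record, e.g. plaintext sent to a TLS port",
}
# error:<hex code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]+):[^:]+:([^:]+):([^,]+)")
SESSION_RE = re.compile(r"session=<([^>]+)>")

# Sample input: lines copied from the log excerpts in the post.
SAMPLE = [
    "Feb 17 13:38:06  dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol",
    "Feb 17 13:38:06  dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<+IfHleT0ya3BN192>",
    "Feb 17 13:14:55 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<BF/lQuT0j23BN192>",
]

def parse_handshake_failures(lines):
    """Return one record per 'Disconnected ... TLS handshaking' line.

    Debug lines repeat the same error, so only the summary line is counted.
    """
    failures = []
    for line in lines:
        if "imap-login: Disconnected" not in line or "TLS handshaking" not in line:
            continue
        err = ERR_RE.search(line)
        if not err:
            continue
        reason = err.group(3).strip()
        session = SESSION_RE.search(line)
        failures.append({
            "code": err.group(1),
            "function": err.group(2),
            "reason": reason,
            # True means TLS failed before any credentials were checked.
            "pre_auth": "no auth attempts" in line,
            "session": session.group(1) if session else None,
            "hint": HINTS.get(reason, "unrecognised reason for this parser"),
        })
    return failures

if __name__ == "__main__":
    for f in parse_handshake_failures(SAMPLE):
        print(f"{f['session']}: {f['reason']} (pre-auth={f['pre_auth']}): {f['hint']}")
```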
