IMAP authentication seems broken (SSL routines:tls_early_post_process_client_hello:unsupported protocol) #18

Open
elchusco opened this issue Feb 17, 2023 · 2 comments

Comments

@elchusco

Setup

I am using the latest Docker version with the docker-compose provided here.

Here are my env vars:

      - CYPHT_AUTH_USERNAME=*********
      - CYPHT_AUTH_PASSWORD=*********
      - CYPHT_DB_CONNECTION_TYPE=host
      - CYPHT_DB_HOST=db
      - CYPHT_DB_NAME=cypht
      - CYPHT_DB_USER=********
      - CYPHT_DB_PASS=**********
      - CYPHT_SESSION_TYPE=DB
      - CYPHT_AUTH_TYPE=IMAP
      - CYPHT_IMAP_AUTH_NAME="Mailserver"
      - CYPHT_IMAP_AUTH_SERVER=mail.exemple.com
      - CYPHT_IMAP_AUTH_PORT=993
      - CYPHT_IMAP_AUTH_TLS=true
      - CYPHT_DEFAULT_SMTP_NAME="Mailserver"
      - CYPHT_DEFAULT_SMTP_SERVER=mail.exemple.com
      - CYPHT_DEFAULT_SMTP_PORT=587
      - CYPHT_DEFAULT_SMTP_TLS=true
      - CYPHT_DEFAULT_SMTP_NO_AUTH=false
      - CYPHT_MODULE_DESKTOP_NOTIFICATIONS=enable
      - CYPHT_DEFAULT_SETTING_TIMEZONE=Europe/Paris
      - CYPHT_DEFAULT_SETTING_LANGUAGE=en
      - CYPHT_ADMIN_USERS="********@exemple.com"

I am trying to authenticate against a Dovecot instance which has run well for a couple of years, and I have never had any issue with any other IMAP client.

Here's the Dovecot SSL config:

ssl_min_protocol = TLSv1.2
ssl = required
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes

Issue

When I try to log in on the Cypht WebUI, I get an "Invalid username or password" message.

When I check the Dovecot logs, I get these logs:

Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Feb 17 13:38:06  dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<+IfHleT0ya3BN192>
Feb 17 13:38:06  dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

What I tried

Change CYPHT_IMAP_AUTH_TLS from true to false

I shouldn't do it as my IMAP is secured by SSL, but still. The Dovecot logs now say:

Feb 17 13:14:55 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<BF/lQuT0j23BN192>

I don't know what I'm supposed to think here as no SSL negotiation should be attempted, I should have an SSL version number error.

Change SSL config on dovecot

I tried commenting out those lines without any success:

# ssl_min_protocol = TLSv1.2
# ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# ssl_prefer_server_ciphers = yes  

I also tried to change ssl_min_protocol from TLSv1.2 to TLSv1.0: same results.

I changed ssl_cipher_list to ALL with same results as well.

Am I missing something there?
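
An added triage helper (not part of the original report, nor Cypht or Dovecot code) that decodes the numeric fields in the Dovecot debug lines quoted above: the OpenSSL info-callback `where`/`ret` pair and the packed error code. It assumes the OpenSSL 1.1.x `ERR_PACK` layout and the `SSL_CB_*`/`SSL_ST_*` values from `ssl.h`; the function names are illustrative.

```python
import re

# SSL_CB_* / SSL_ST_* bit flags from OpenSSL's ssl.h (info callback "where").
WHERE_FLAGS = {0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
               0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
               0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT"}
# Subset of TLS alert descriptions and levels (RFC 5246 / RFC 8446).
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

WHERE_RE = re.compile(r"where=0x([0-9a-fA-F]+), ret=(-?\d+)")
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^,]+)")


def decode_where(where, ret):
    """Decode an info-callback (where, ret) pair as logged by Dovecot."""
    flags = [name for bit, name in sorted(WHERE_FLAGS.items()) if where & bit]
    out = {"flags": flags}
    if where & 0x4000:  # for alerts, ret = (level << 8) | description
        level, desc = ret >> 8, ret & 0xFF
        out["alert"] = (ALERT_LEVELS.get(level, level), ALERTS.get(desc, desc))
    return out


def decode_error(code):
    """Unpack an OpenSSL 1.1.x error code: lib(8) | func(12) | reason(12)."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def triage(line):
    """Return decoded TLS details for one Dovecot log line, or None."""
    if m := WHERE_RE.search(line):
        return decode_where(int(m.group(1), 16), int(m.group(2)))
    if m := ERROR_RE.search(line):
        return {**decode_error(int(m.group(1), 16)),
                "function": m.group(3), "text": m.group(4).strip()}
    return None


# Lines taken from the report above, with the syslog prefix shortened.
SAMPLE = [
    "imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version",
    "imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol",
    "imap-login: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<x>",
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

For the logged `where=0x4008, ret=582` this yields a fatal `protocol_version` alert written by the Dovecot side of the connection.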

@marclaporte
Member

marclaporte commented Oct 7, 2023

@elchusco Sorry, I don't know. Can you test with a standard non-Docker install? This will let us know if it's a general Cypht issue, or specific to Cypht-Docker.
