6.0.7 and POP with TLS

[fiesch]

This is a somewhat strange issue with a freshly updated 6.0.7 (coming from 6.0.6)

When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error
"Unrecognized SSL message, plaintext connection?"
(addition: same for newly created accoutns, they don#t pass the connection test with the same error)

logging the traffic being passed and trying my luck with openssl s_client, i found out that zimbra is actually trying to connect to TLSv1 via SSL2.

(the interesting line here is
"14079:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:")
I'm running this on CentOS 5.3 x64 with a multi-server setup (though that should not play into it in this case)
Trying openssl s_client with the starttls pop option and tlsv1 as the forced protocol, communication works - if i leave the default it tries ssl2 and fails.
I guess that might be a part of the problem for Zimbra.

... you might expect the port 110 pop connection to default to tlsv1, though.

Note that external pop works just fine on port 110 when hosts do not offer TLS.

Any ideas how i can get this cleanly back up and working without having to apply a fix on each update?

[phoenix]

Quote:

Originally Posted by fiesch

When the update is applied, external POP accounts on servers that offer TLS authentication (over port 110) do not work anymore. I keep getting the error
"Unrecognized SSL message, plaintext connection?"
(addition: same for newly created accoutns, they don#t pass the connection test with the same error)

The correct port for a secure connection against a POP3 server is 995 not 110.

[tim_ba]

This seems related to my problem I started to have after the upgrade to 6.0.7., except I use IMAP. When I login in ZWC, I get an error for my EXTERNAL IMAP accounts "Error: Connection reset".
Everything worked fine with versions up to 6.0.6. What I think is that the external IMAP server is not using SSL, only port 143 is open.

Here is part of my mailbox.log:
2010-06-17 11:30:05,749 WARN [ScheduledTask-2] [name=login@mail;.... datasource - Scheduled DataSource import failed.
com.zimbra.common.service.ServiceException: system failure: Unable to connect to IMAP server: DataSource: ... type=imap,
isEnabled=true, name=name, host=IP, port=143, connectionType=cleartext, username=Code:service.FAILURE login@mail folderId=1304 }
ExceptionId:ScheduledTask-...
Code:service.FAILURE
at com.zimbra.common.service.ServiceException.FAILURE (ServiceException.java:248)
at com.zimbra.cs.datasource.imap.ImapSync.connect(Ima pSync.java:248)
at com.zimbra.cs.datasource.imap.ImapSync.importData( ImapSync.java:84)
at com.zimbra.cs.datasource.imap.ImapSync.importData( ImapSync.java:79)
at com.zimbra.cs.datasource.DataSourceManager.importD ata(DataSourceManager.java:254)
at com.zimbra.cs.datasource.DataSourceManager.importD ata(DataSourceManager.java:214)
at com.zimbra.cs.datasource.DataSourceTask.call(DataS ourceTask.java:82)
at com.zimbra.cs.datasource.DataSourceTask.call(DataS ourceTask.java:28)
at com.zimbra.common.util.TaskScheduler$TaskRunner.ca ll(TaskScheduler.java:96)
at java.util.concurrent.FutureTask$Sync.innerRun(Futu reTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.jav a:138)
at java.util.concurrent.ScheduledThreadPoolExecutor$S cheduledFutureTask.access$301(ScheduledThreadPoolE xecutor.java:98)
at java.util.concurrent.ScheduledThreadPoolExecutor$S cheduledFutureTask.run(ScheduledThreadPoolExecutor .java:207)
at java.util.concurrent.ThreadPoolExecutor$Worker.run Task(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream. java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully (InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Inpu tRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:789)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:789)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1123)
at com.zimbra.common.net.CustomSSLSocket.startHandsha ke(CustomSSLSocket.java:90)
at com.zimbra.cs.mailclient.MailConnection.startTls(M ailConnection.java:108)
at com.zimbra.cs.mailclient.MailConnection.connect(Ma ilConnection.java:92)
at com.zimbra.cs.datasource.imap.ImapSync.connect(Ima pSync.java:231)

Is this an upgrade or other issue? Related to Invalid Bug ID and StartTLS? Where should I look further?

[fiesch]

Well this server is configured to offer TLS over Port 110 - and this worked up to 6.0.6 with Zimbra, as well

[eethore]

i'm having the same problem.
it works fine with IMAP, but it shows "Unrecognized SSL message, plaintext connection?" when with POP.

it works fine when in 6.0.2, and problems when in 7.0.0

please help!!!

[mrdebian]

I've got the same problem on 7 version. Anyone with a solution?