puzzling.org · mary.gardiner.id.au

Courier IMAP/POP SSL errors

Problems with SSL connections after upgrades

Symptoms

If users suddenly have trouble connecting to Courier IMAP or POP over SSL after an upgrade, you may have SSL version problems.

You will find errors like the following in /var/log/syslog:

couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Outlook users whose accounts were already set up get the following error:

Cannot connect to the server

Outlook users who set up a new account with the wizard get the following error:

A secure connection to the server cannot be established.

Other IMAP clients likely give similar errors, but some will work.

You may also get errors when trying to connect from the command line:

$ env TLS_VERIFYPEER=NONE couriertls -host=YOURHOSTNAME -port=993
couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

$ openssl s_client -connect YOURHOSTNAME:993
CONNECTED(00000003)
write:errno=104

Fix

What has happened is that recent versions of Courier like to use SSL version 3, and very few IMAP clients seem to want to talk SSLv3. You need to change the TLS_PROTOCOL variable in your configuration file, and the SSL_PROTOCOL variable if you have it, to allow SSL version 2.

In Courier versions 0.56 and above, you can specify both version 2 and version 3 at the same time:

TLS_PROTOCOL=SSL23

In Courier versions before 0.56, you will have to specify version 2 only:

TLS_PROTOCOL=SSL2

On Debian/Ubuntu systems, the relevant files are /etc/courier/courier-imap-ssl and /etc/courier/courier-pop-ssl.
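
To see what a server is configured for before editing, the following added example (not part of the original page and not Courier's own tooling) reads the effective TLS_PROTOCOL and SSL_PROTOCOL values from a config file and counts the couriertls error shown above in a log. The function names, the SSL3 value name and the sample config and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# effective_value VAR FILE: last uncommented VAR=value line, quotes stripped.
effective_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# classify_protocol VALUE: one word for what the server will speak.
classify_protocol() {
    case "$1" in
        SSL3)  echo "sslv3-only" ;;   # assumed value name; the symptom case on this page
        SSL23) echo "sslv2+sslv3" ;;  # page's setting for Courier 0.56 and above
        SSL2)  echo "sslv2-only" ;;   # page's setting for Courier before 0.56
        "")    echo "unset" ;;
        *)     echo "other" ;;
    esac
}

# count_version_errors LOGFILE: number of couriertls "wrong version number" lines.
count_version_errors() {
    grep -c 'couriertls: connect: error:1408F10B:.*wrong version number' "$1" || true
}

# report CONFIG LOGFILE: print both variables and the error count.
report() {
    for var in TLS_PROTOCOL SSL_PROTOCOL; do
        val=$(effective_value "$var" "$1")
        echo "$var=${val:-<unset>} ($(classify_protocol "$val"))"
    done
    echo "wrong-version errors in log: $(count_version_errors "$2")"
}

# Constructed sample input (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/imap-ssl.conf" <<'EOF'
# constructed sample config
#TLS_PROTOCOL=SSL23
TLS_PROTOCOL=SSL3
EOF
cat > "$demo_dir/syslog" <<'EOF'
Apr 15 10:01:02 mail imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 15 10:01:09 mail imapd-ssl: Connection, ip=[192.0.2.10]
Apr 15 10:02:41 mail pop3d-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
EOF
report "$demo_dir/imap-ssl.conf" "$demo_dir/syslog"
```

To use it on a real system, call report with your own config file and /var/log/syslog. SSL version 2 was later prohibited by RFC 6176 (2011), so on a current system an SSL2 or SSL23 setting is worth revisiting.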

The fix is due to this Debian bug message.

Last modified: 15 April 2009