
Fix STARTTLS and implicit SSL
Closed, Resolved (Public)

Description

This ticket supersedes the sagas in T864 and T902.

Frontend Connections (listeners)

Regardless of the configuration of a backend connection, when a client connects to a listener that is not configured to apply implicit SSL, the following capabilities need to be provided (no more, and no less):

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] imapf06.mykolab.com Cyrus IMAP Murder 2.5.6.3-Kolab-2.5.6-3.1.el6.kolab_14 server ready

This allows a client to upgrade the connection to TLS using the STARTTLS command, and leaves it no way to log in while bypassing that upgrade.

However, a current initial (i.e. pre-STARTTLS) Guam capability response looks as follows:

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE 
X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE STARTTLS] imapf06.mykolab.com Cyrus IMAP Murder 2.5.6.3-
Kolab-2.5.6-3.1.el6.kolab_14 server ready

This includes some 41 capabilities that are superfluous, but more importantly it:

  • Includes AUTH=PLAIN,
  • Includes AUTH=LOGIN,
  • Includes SASL-IR,
  • Includes COMPRESS=DEFLATE,
  • Does NOT include LOGINDISABLED

Moreover, when the client connects to a listener that is configured to apply implicit SSL, the following capabilities are offered in current Guam / #EImap:

verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE 
X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE STARTTLS] imapf06.mykolab.com Cyrus IMAP Murder 2.5.6.3-
Kolab-2.5.6-3.1.el6.kolab_14 server ready

Please note the presence of STARTTLS on a listener that is configured to apply implicit SSL.

Backend connections (imap_servers)

The Guam architecture is mistakenly using backend configuration to impose logic on frontend connections (listeners) that deserve treatment in their own right.

Summary

#  Listener  Port  STARTTLS?  Implicit SSL?  Backend  Port  TLS       Relevant?
1  imap      143   no.        false          imap     143   false     no.
2  imap      143   yes.       false          imap     143   false     yes.
3  imap      143   yes.       false          imap     143   starttls  yes.
4  imap      143   yes.       false          imaps    993   true      yes.
5  imaps     993   no.        true           imap     143   false     yes.
6  imaps     993   no.        true           imap     143   starttls  yes.
7  imaps     993   no.        true           imaps    993   true      yes.

"no." and "yes." are functional requirements, "true", "false" and "starttls" are configuration values or runtime parameters.

  1. Scenario 1 is invalid and not valuable, on the principle of not offering clients unencrypted connections, period.
  2. Scenario 2 is valid, providing a TLS termination point. The connection to the backend is plaintext and without TLS.
  3. Scenario 3 expects clients to use STARTTLS. The listener should offer clients a correct STARTTLS connection upgrade procedure regardless of the configuration or runtime state of the backend connection. See also Scenario #4.
  4. See Scenario #3.
  5. Scenario 5 is as valid as Scenario 2, for precisely the same reasons. The client expects NO STARTTLS among the capabilities presented to it.
  6. Scenario 6 is as valid as Scenarios 3, 4 and 7. The client expects NO STARTTLS among the capabilities presented to it, even though the backend may incidentally have been configured to be connected to using a STARTTLS-based explicit connection security upgrade procedure.
  7. Scenario 7 is as valid as Scenarios 3, 4 and 6. The client expects NO STARTTLS among the capabilities presented to it.
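Worked example (added here; this is not Guam's code and not part of the ticket): the listener-side decision the scenarios above describe, written as a small Python filter over the backend's greeting. The function names, the constant names and the shortened backend greeting are assumptions made for this example; the pre-STARTTLS capability set is the one the ticket requires, and the decision looks only at the state of the client-facing connection, never at the backend's tls setting.

```python
import re

# The only capabilities a listener without implicit SSL may advertise before
# the client has completed STARTTLS (the set given in the ticket description).
PRE_STARTTLS_CAPABILITIES = ("IMAP4rev1", "LITERAL+", "ID", "ENABLE",
                             "STARTTLS", "LOGINDISABLED")

# Matches an untagged IMAP greeting carrying a CAPABILITY response code.
GREETING_RE = re.compile(r"^\* OK \[CAPABILITY ([^\]]*)\](.*)$")

# Constructed backend greeting: a shortened stand-in for the Cyrus greeting on the page.
BACKEND_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE QUOTA NAMESPACE "
                    "AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE IDLE STARTTLS] "
                    "example backend ready")


def advertised_capabilities(backend_caps, implicit_tls, tls_established):
    """Capabilities the listener should present to the client.

    backend_caps    -- capability words received from the backend
    implicit_tls    -- the listener is configured with implicit SSL (scenarios 5-7)
    tls_established -- STARTTLS has already completed on the client connection

    Only the client-facing connection state matters; the backend's own tls
    value (false / starttls / true) never enters into the decision. Scenario 1
    (a plaintext listener that offers no STARTTLS) is never produced.
    """
    if not (implicit_tls or tls_established):
        # Scenarios 2-4 before the upgrade: offer exactly the upgrade path,
        # no AUTH= mechanisms, no SASL-IR, no COMPRESS=DEFLATE.
        return list(PRE_STARTTLS_CAPABILITIES)
    # Encrypted link: pass the backend's capabilities through, but never
    # advertise STARTTLS on a connection that is already protected.
    return [cap for cap in backend_caps if cap != "STARTTLS"]


def rewrite_greeting(greeting, implicit_tls, tls_established):
    """Rewrite a backend greeting line for delivery to the client."""
    match = GREETING_RE.match(greeting)
    if match is None:
        raise ValueError("not a CAPABILITY greeting: %r" % greeting)
    caps = advertised_capabilities(match.group(1).split(),
                                   implicit_tls, tls_established)
    return "* OK [CAPABILITY %s]%s" % (" ".join(caps), match.group(2))


if __name__ == "__main__":
    for name, implicit, upgraded in (("imap, pre-STARTTLS", False, False),
                                     ("imap, post-STARTTLS", False, True),
                                     ("imaps (implicit SSL)", True, False)):
        print("%-22s %s" % (name, rewrite_greeting(BACKEND_GREETING, implicit, upgraded)))
```

Running the block prints the three greetings a client would see on the port 143 listener before and after STARTTLS and on the port 993 listener; the backend greeting is identical in all three cases, which is the point of the ticket's "Backend connections" section.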

Example Configuration

In the following example configuration, the backend is configured to use implicit SSL (the most secure), and two listeners provide clients with a port 143 IMAP server reverse proxy (expected to function only with STARTTLS, as per the outlined scenarios) and a port 993 IMAP server reverse proxy (expected to function only with implicit SSL, as per the outlined scenarios).

[
    {
        kolab_guam, [
            {
                imap_servers, [
                    {
                        default, [
                            { host, "192.168.56.101" },
                            { port, 993 },
                            { tls, true }
                        ]
                    }
                ]
            },
            {
                listeners, [
                    {
                        imap, [
                            { port, 143 },
                            { imap_server, default },
                            {
                                rules, [
                                    { filter_groupware, [] }
                                ]
                            },
                            {
                                tls_config, [
                                    { certfile, "/etc/ssl/sample.pem" }
                                ]
                            }
                        ]
                    },
                    {
                        imaps, [
                            { port, 993 },
                            { implicit_tls, true },
                            { imap_server, default },
                            {
                                rules, [
                                    { filter_groupware, [] }
                                ]
                            },
                            {
                                tls_config, [
                                    { certfile, "/etc/ssl/sample.pem" }
                                ]
                            }
                        ]
                    }
                ]
            }
        ]
    },

    {
        lager, [
            {
                handlers, [
                    { lager_console_backend, debug },
                    { lager_file_backend, [ { file, "log/error.log"}, { level, error } ] },
                    { lager_file_backend, [ { file, "log/console.log"}, { level, info } ] }
                ]
            }
        ]
    },

    %% SASL config
    {
        sasl, [
            { sasl_error_logger, { file, "log/sasl-error.log" } },
            { errlog_type, error },
            { error_logger_mf_dir, "log/sasl" },      % Log directory
            { error_logger_mf_maxbytes, 10485760 },   % 10 MB max file size
            { error_logger_mf_maxfiles, 5 }           % 5 files max
        ]
    }
].

Details

Ticket Type
Task

Event Timeline

vanmeeuwen assigned this task to seigo.
vanmeeuwen raised the priority of this task from to 60.
vanmeeuwen updated the task description.
vanmeeuwen added a project: Guam.
vanmeeuwen changed Ticket Type from Task to Task.
vanmeeuwen raised the priority of this task from 60 to Unbreak Now!.
vanmeeuwen added a subscriber: vanmeeuwen.
vanmeeuwen updated the task description. Dec 17 2015, 10:51 AM
vanmeeuwen added a subscriber: seigo.

A workaround configuration that aligns the behaviour of listeners with the behaviour of imap_servers may look as follows, splitting the backend configuration into one imap_server with { tls, starttls } and one with { tls, true }:

[
    {
        kolab_guam, [
            {
                imap_servers, [
                    {
                        imap, [
                            { host, "192.168.56.101" },
                            { port, 143 },
                            { tls, starttls }
                        ]
                    },
                    {
                        imaps, [
                            { host, "192.168.56.101" },
                            { port, 993 },
                            { tls, true }
                        ]
                    }
                ]
            },
            {
                listeners, [
                    {
                        imap, [
                            { port, 143 },
                            { imap_server, imap },
                            {
                                rules, [
                                    { filter_groupware, [] }
                                ]
                            },
                            {
                                tls_config, [
                                    { certfile, "/etc/ssl/sample.pem" }
                                ]
                            }
                        ]
                    },
                    {
                        imaps, [
                            { port, 993 },
                            { implicit_tls, true },
                            { imap_server, imaps },
                            {
                                rules, [
                                    { filter_groupware, [] }
                                ]
                            },
                            {
                                tls_config, [
                                    { certfile, "/etc/ssl/sample.pem" }
                                ]
                            }
                        ]
                    }
                ]
            }
        ]
    },

    {
        lager, [
            {
                handlers, [
                    { lager_console_backend, debug },
                    { lager_file_backend, [ { file, "log/error.log"}, { level, error } ] },
                    { lager_file_backend, [ { file, "log/console.log"}, { level, info } ] }
                ]
            }
        ]
    },

    %% SASL config
    {
        sasl, [
            { sasl_error_logger, { file, "log/sasl-error.log" } },
            { errlog_type, error },
            { error_logger_mf_dir, "log/sasl" },      % Log directory
            { error_logger_mf_maxbytes, 10485760 },   % 10 MB max file size
            { error_logger_mf_maxfiles, 5 }           % 5 files max
        ]
    }
].

This still brings about unexpected results, however:

$ imtest -s -u kanarip@kanarip.ch -a kanarip@kanarip.ch 172.17.42.1
verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE MUPDATE=mupdate://mupdate.mykolab.com/ AUTH=PLAIN AUTH=LOGIN SASL-IR] 
imapf06.mykolab.com Cyrus IMAP Murder 2.5.6.3-Kolab-2.5.6-3.1.el6.kolab_14 server ready
Please enter your password: 
C: A01 AUTHENTICATE PLAIN ******
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE 
X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection) SESSIONID=<imapf06.mykolab.com-
1117-1450346054-1-8356401161916061251>
Authenticated.
Security strength factor: 128
. LIST "" "*"
* LIST (\Noinferiors \HasNoChildren) "/" INBOX
* LIST (\HasChildren) "/" Archive
* LIST (\HasNoChildren) "/" Archive/2005
* LIST (\HasNoChildren) "/" Calendar
* LIST (\HasNoChildren) "/" Configuration
* LIST (\HasNoChildren) "/" Contacts
* LIST (\HasNoChildren) "/" Drafts
* LIST (\HasNoChildren) "/" Files
* LIST (\HasNoChildren) "/" Journal
* LIST (\HasNoChildren) "/" Notes
* LIST (\HasNoChildren) "/" Sent
* LIST (\HasNoChildren) "/" Spam
* LIST (\HasNoChildren) "/" Tasks
* LIST (\HasNoChildren) "/" Trash
. OK Completed (0.000 secs 15 calls)
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
$ imtest -t "" -u kanarip@kanarip.ch -a kanarip@kanarip.ch 172.17.42.1
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE 
X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE STARTTLS] imapf06.mykolab.com Cyrus IMAP Murder 2.5.6.3-
Kolab-2.5.6-3.1.el6.kolab_14 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE 
X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
S: C01 OK Completed
Please enter your password: 
C: A01 AUTHENTICATE PLAIN ******
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE URLAUTH 
URLAUTH=BINARY X-NETSCAPE MUPDATE=mupdate://mupdate.mykolab.com/ LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE 
X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection) SESSIONID=<imapf06.mykolab.com-
11544-1450346083-1-3437818499270028870>
Authenticated.
Security strength factor: 128
. LIST "" "*"
* LIST (\Noinferiors \HasNoChildren) "/" INBOX
* LIST (\HasChildren) "/" Archive
* LIST (\HasNoChildren) "/" Archive/2005
* LIST (\HasNoChildren) "/" Calendar
* LIST (\HasNoChildren) "/" Configuration
* LIST (\HasNoChildren) "/" Contacts
* LIST (\HasNoChildren) "/" Drafts
* LIST (\HasNoChildren) "/" Files
* LIST (\HasNoChildren) "/" Journal
* LIST (\HasNoChildren) "/" Notes
* LIST (\HasNoChildren) "/" Sent
* LIST (\HasNoChildren) "/" Spam
* LIST (\HasNoChildren) "/" Tasks
* LIST (\HasNoChildren) "/" Trash
. OK Completed (0.000 secs 15 calls)
^CC: Q01 LOGOUT
Connection closed.
$ 
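Added example (not part of the comment above, and not Guam's code): a small Python audit that walks a transcript in imtest's output format and flags the capability announcements the ticket description rules out. The transcript embedded below is constructed and shortened, with placeholder user and host; the function and constant names are assumptions made for this example. It tracks whether the client connection is encrypted from the imtest invocation (-s for implicit SSL) and from the "TLS connection established" line, and applies only the rules the description states: no AUTH= mechanisms, SASL-IR or COMPRESS=DEFLATE before STARTTLS, LOGINDISABLED and STARTTLS required before STARTTLS, nothing beyond the minimal set before STARTTLS, and no STARTTLS once the link is encrypted.

```python
import re

# Server capability announcements in an imtest transcript: either the greeting
# with a CAPABILITY response code, or the reply to an explicit CAPABILITY command.
CAP_LINE_RE = re.compile(r"^S: (?:\* OK \[CAPABILITY ([^\]]*)\]|\* CAPABILITY (.*))")

# What a listener without implicit SSL may advertise before STARTTLS (per the ticket).
ALLOWED_PRE_STARTTLS = {"IMAP4rev1", "LITERAL+", "ID", "ENABLE", "STARTTLS", "LOGINDISABLED"}
# Capabilities the ticket singles out as never acceptable on a plaintext connection.
PLAINTEXT_FORBIDDEN = ("SASL-IR", "COMPRESS=DEFLATE")

# Constructed transcript in imtest's format: one implicit-SSL session (-s) and one
# STARTTLS session (-t ""). User, host and capability lists are shortened placeholders.
SAMPLE_TRANSCRIPT = """\
$ imtest -s -u user@example.org -a user@example.org 192.0.2.10
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] example server ready
C: A01 AUTHENTICATE PLAIN ******
S: A01 OK Success (tls protection)
$ imtest -t "" -u user@example.org -a user@example.org 192.0.2.10
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE QUOTA AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE IDLE STARTTLS] example server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE QUOTA AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE IDLE
S: C01 OK Completed
""".splitlines()


def audit_transcript(lines):
    """Return (line_number, finding) pairs for every capability announcement
    that breaks the listener rules; an empty list means the transcript is clean."""
    findings = []
    encrypted = False
    for no, line in enumerate(lines, 1):
        if line.startswith("$ imtest"):
            # A new session: "-s" means implicit SSL, anything else starts in plaintext.
            encrypted = " -s " in line
            continue
        if line.startswith("TLS connection established"):
            encrypted = True
            continue
        match = CAP_LINE_RE.match(line)
        if match is None:
            continue
        caps = (match.group(1) or match.group(2) or "").split()
        if encrypted:
            if "STARTTLS" in caps:
                findings.append((no, "STARTTLS offered on an already encrypted connection"))
            continue
        for cap in caps:
            if cap.startswith("AUTH=") or cap in PLAINTEXT_FORBIDDEN:
                findings.append((no, "%s offered before STARTTLS" % cap))
            elif cap not in ALLOWED_PRE_STARTTLS:
                findings.append((no, "%s is superfluous before STARTTLS" % cap))
        if "LOGINDISABLED" not in caps:
            findings.append((no, "LOGINDISABLED missing before STARTTLS"))
        if "STARTTLS" not in caps:
            findings.append((no, "STARTTLS missing on a plaintext listener"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_transcript(SAMPLE_TRANSCRIPT):
        print("line %d: %s" % (no, finding))
```

On the constructed transcript every finding lands on the pre-STARTTLS greeting of the port 143 session, which mirrors the second imtest run above: authentication mechanisms and compression offered on a plaintext link and LOGINDISABLED absent. The implicit-SSL greeting and the post-STARTTLS CAPABILITY reply are clean under these rules because neither advertises STARTTLS.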
seigo moved this task from Backlog to Review on the Guam board. Dec 18 2015, 5:05 PM
vanmeeuwen closed this task as Resolved. Jan 18 2016, 11:59 AM
vanmeeuwen moved this task from Review to Done on the Guam board.