我的一位客户刚刚将 Thunderbird 升级到 78 版,现在他无法接收电子邮件,因为它认为 IMAP 连接不是 TLS 1.2......但是当我使用互联网上的工具检查时,它告诉我它是 v1.2。
我该怎么做才能让它再次工作?
以下是一些 imapd-ssl 设置:
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL="TLS1_1:TLS1"
TLS_PRIORITY="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST=HIGH:MEDIUM:!ADH:!MD5:!aNULL:!eNULL:!LOW:!EXP:!RC4
这些设置有什么明显的错误吗?
请注意,我已看过这篇文章:Thunderbird 78 无法连接到 Exchange 支持的 IMAP 帐户但我对黑客不感兴趣。我希望服务器至少使用 TLS 1.2。
我现在用 openssl 进行了测试,以下是输出:
openssl s_client -connect mail.example.com:143 -tls1_2
CONNECTED(00000003)
140310946449048:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1604626110
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
它清楚地显示支持版本 1.2。我不太清楚对等/客户端证书消息是什么意思。这可能是罪魁祸首吗?
openssl
使用正确命令输出更新
正如@ 指出的那样,上面的测试不正确,我需要让 openssl 发送一条STARTTLS
消息,否则它不会启动加密。不过我想知道为什么上面说的是 TLS 1.2...
$ openssl s_client -connect mail.example.com:143 -starttls imap
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.example.com
verify return:1
---
Certificate chain
0 s:/CN=*.example.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...snip...
-----END CERTIFICATE-----
subject=/CN=*.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3307 bytes and written 617 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: B2...FA
Session-ID-ctx:
Master-Key: FB...AB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - a9 ... 6f ...}.,.........o
0010 - 17 ... 2f .....&..YX.M.8n/
0020 - a9 ... 7f ......Q....Y..*.
0030 - c9 ... a9 .!'f>06Q...z../.
0040 - ff ... 1f .SZ...Z...;X....
0050 - 94 ... f0 .Se[[email protected]...
0060 - c9 ... 44 [email protected]
0070 - b3 ... 3d .......`.'.....=
0080 - a2 ... bf ..=2.Z....^.):..
0090 - 64 ... 42 d.>B....&.+.!..B
Start Time: 1604637492
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
. OK CAPABILITY completed
现在看起来好多了……除了它显示 TLSv1。因此设置不正确,因为我希望它显示 TLSv1.2。
解决
经过多次尝试,我还是无法让 TLS v1.2 与 courier 配合使用。这很奇怪,因为它只是设置了 OpenSSL,所以我不太清楚为什么它会以某种方式阻止该版本。但无论设置如何,它都不会超过 TLS v1。
因此,正如评论中所建议的那样,我刚刚切换到dovecot 甚至有一个专门针对 courier 的迁移脚本。这有效。Thunderbird 重新加载了所有电子邮件一次,但现在它可以按预期工作,而且我没有丢失任何文件夹。