Sunday, January 13, 2008

When in doubt, test.

Shortly after I last upgraded my mail server, one user reported that his mail client was failing to connect with the message:

"Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server..."

He was the only one known to be having this issue, so after a cursory check of the server with no obvious problems, I suggested that this might be an error on his end, such as connecting to the secure IMAP port without using SSL/TLS. Occam’s Razor suggests that a server error is more likely than a client error which just happens to coincide with a server upgrade, so I eventually decided to dig up some infrequently used commands and perform a thorough analysis.

Testing proved that there was indeed a server problem with certain SSL connections, while others worked every time. Deft Googling revealed that the imapd-ssl config file shipping with Gutsy Gibbon had TLS_PROTOCOL=SSL3, whereas it should be TLS_PROTOCOL=SSL23. The user who first reported the error is tech-savvy, so I sent him the commands I used to diagnose the problem and promised to eventually write this post. Below are the commands which are now my first step in diagnosing mail connection problems.

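# mail.example.com is a placeholder; substitute your own mail server's hostname
# Test secure SMTP
openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts
# Test secure IMAP
openssl s_client -ssl2 -connect mail.example.com:993 -showcerts
openssl s_client -ssl3 -connect mail.example.com:993 -showcerts
openssl s_client -tls1 -connect mail.example.com:993 -showcerts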

To test secure POP, simply substitute 995 for 993 in the above commands. Likewise, if you run secure SMTP on a port other than 25, you will need to alter the first command.
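The per-protocol checks above can be run as one pass that reports which handshakes complete, which is how a mismatch like TLS_PROTOCOL=SSL3 shows up as "some clients work, some don't". This script is an added example, not part of the original post: the function names `classify_handshake` and `probe` and the host `mail.example.com` are assumptions, and an openssl build that no longer accepts `-ssl2` or `-ssl3` is reported as unsupported rather than as a server failure.

```shell
#!/bin/sh
# Added example: probe one mail port with each protocol flag from the post.
# mail.example.com is a placeholder host; classify_handshake and probe are
# names made up for this sketch.

# Read s_client output on stdin; print ok, fail, or unsupported.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported          # this openssl build lacks the flag
    elif printf '%s\n' "$out" | grep 'Cipher is' | grep -qv '(NONE)'; then
        echo ok                   # a cipher was negotiated
    else
        echo fail                 # no handshake, or connection refused
    fi
}

# probe HOST PORT [STARTTLS_PROTO]: one result line per protocol flag.
probe() {
    host=$1 port=$2 starttls=${3:-}
    for flag in -ssl2 -ssl3 -tls1; do
        if [ -n "$starttls" ]; then
            result=$(openssl s_client "$flag" -connect "$host:$port" \
                -starttls "$starttls" </dev/null 2>&1 | classify_handshake)
        else
            result=$(openssl s_client "$flag" -connect "$host:$port" \
                </dev/null 2>&1 | classify_handshake)
        fi
        printf '%-6s %s:%s %s\n' "$flag" "$host" "$port" "$result"
    done
}

# With arguments, probe a server: sh probe.sh mail.example.com 993
# (or: sh probe.sh mail.example.com 25 smtp). Without arguments, classify
# two constructed s_client lines so the script also runs offline.
if [ "$#" -ge 2 ]; then
    probe "$@"
else
    echo 'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA' | classify_handshake
    echo 'New, (NONE), Cipher is (NONE)' | classify_handshake
fi
```

The classification reads the "Cipher is" line instead of the exit status because s_client's exit status does not reliably indicate whether the handshake completed.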