mailcow-dockerized
Support for older TLS versions does not work as expected
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
Hi,
The alpine container and its OpenSSL version used for dovecot do not support TLS versions lower than TLSv1.2 by default: https://debugpointnews.com/alpine-linux-3-17/
This means that setting ssl_min_protocol as described in the [manual](https://docs.mailcow.email/manual-guides/u_e-reeanble-weak-protocols/) also does not work.
The patch for openssl.cnf in [this post](https://github.com/nginxinc/docker-nginx/issues/743#issuecomment-1491683964) makes older TLS versions work again:
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -52,13 +52,6 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+CipherString = DEFAULT@SECLEVEL=0
# List of providers to load
[provider_sect]
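Review bot: the hunk header `@@ -52,13 +52,6 @@` does not match the hunk body, which adds seven `+` lines and removes none (the old-side count should be the smaller one), so `patch` or `git apply` will reject it as shown; regenerating it with `diff -u` against the container's file fixes that. Separately, `CipherString = DEFAULT@SECLEVEL=0` under `[system_default_sect]` becomes the system-wide default for every OpenSSL 3 consumer in that container, not only dovecot, and level 0 drops all key-size and algorithm strength checks rather than just the protocol-version floor; if the aim is only older TLS versions, an explicit `MinProtocol = TLSv1` in the same section, with the least permissive `SECLEVEL` that still handshakes, keeps the policy narrower and makes the intent visible in the file.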
### Logs:
```plain text
$ openssl s_client -connect my_mailserver:993 -tls1 -cipher "DEFAULT:@SECLEVEL=0"
Connecting to 123.4.5.6
CONNECTED(00000003)
40D708911B7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:645:
imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=91.19.21.233, lip=172.22.1.250, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol
```
### Steps to reproduce:
```plain text
1. Set `ssl_min_protocol = TLSv1` in data/conf/dovecot/extra.conf
2. Use `openssl s_client -connect my_mailserver:993 -tls1 -cipher "DEFAULT:@SECLEVEL=0"` to see a failed connection attempt
3. Apply the patch for openssl.cnf (can be done in a running container, no restart needed)
4. Use the openssl s_client command again to see a working connection
```
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Ubuntu 22.04 LTS
Server/VM specifications:
4GB Ram, 4 CPUs
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM
Docker version:
24.0.5
docker-compose version or docker compose version:
v2.26.1
mailcow version:
2024-04
Reverse proxy:
caddy
Logs of git diff:
none
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check:
72.64.155.249
104.18.32.7
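As an added example (not mailcow's or OpenSSL's own code), a small Python audit that parses an `openssl.cnf`, follows the `openssl_init` -> `ssl_conf` -> `system_default` chain the patch above wires up and reports the resulting `@SECLEVEL` and `MinProtocol`, so an operator can spot a container whose system-wide OpenSSL policy has been lowered to level 0; the two embedded configs are constructed from the hunk in this issue, and the `(top)` section name is an assumption of the parser.

```python
"""Audit an OpenSSL 3 openssl.cnf for the ssl_conf chain wired up by the patch above
(openssl_init -> ssl_conf -> system_default -> CipherString) and report the resulting
security level. Added example, not mailcow or OpenSSL code; the samples are constructed."""
import re

def parse_openssl_cnf(text: str) -> dict:
    """Minimal INI reader: keys before any [section] land in the '(top)' section."""
    sections: dict = {"(top)": {}}
    current = "(top)"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_policy(sections: dict) -> tuple:
    """Follow the chain and return (SECLEVEL, MinProtocol); (None, None) means the
    chain is not wired, so OpenSSL's compiled-in defaults apply."""
    init = sections.get(sections["(top)"].get("openssl_conf", "openssl_init"), {})
    ssl_sect = sections.get(init.get("ssl_conf", ""), {})  # "" never names a section
    defaults = sections.get(ssl_sect.get("system_default", ""), {})
    if not defaults:
        return None, None
    match = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    level = int(match.group(1)) if match else 1  # 1 is OpenSSL's documented default
    return level, defaults.get("MinProtocol")

def audit(text: str) -> str:
    """One-line verdict; level 0 disables every strength check, so flag it."""
    level, min_proto = system_default_policy(parse_openssl_cnf(text))
    if level is None:
        return "default policy: ssl_conf chain not configured"
    verdict = "WEAK" if level == 0 else "ok"
    return f"{verdict}: SECLEVEL={level}, MinProtocol={min_proto or 'unset'}"

# Constructed samples: a stock layout, and the same file with the hunk applied.
BEFORE_CNF = ("openssl_conf = openssl_init\n[openssl_init]\nproviders = provider_sect\n"
              "# List of providers to load\n[provider_sect]\ndefault = default_sect\n")
PATCHED_CNF = BEFORE_CNF.replace("providers = provider_sect\n", (
    "providers = provider_sect\nssl_conf = ssl_sect\n\n[ssl_sect]\n"
    "system_default = system_default_sect\n\n[system_default_sect]\n"
    "CipherString = DEFAULT@SECLEVEL=0\n"))
```

Running `audit()` over the file copied out of the dovecot container (for example via `docker cp`) tells you whether the level-0 override is still in place after an image update, which is the kind of drift the patch-in-a-running-container approach above will not track for you.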
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.