[Users] [Bug 3612] New: auto-configure sets POP=SSL & SMTP=SSL/STARTTLS

pf at pfortin.com pf at pfortin.com
Sat Feb 6 17:09:25 CET 2016 

On Sat, 6 Feb 2016 09:47:06 +0100 Albert ARIBAUD wrote:

>Bonjour,
>
>Le Sat, 06 Feb 2016 02:48:18 +0000
>noreply at thewildbeast.co.uk a écrit:
>
>> http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3612
>> 
>>             Bug ID: 3612
>>            Summary: auto-configure sets POP=SSL & SMTP=SSL/STARTTLS
>>     Classification: Unclassified
>>            Product: Claws Mail
>>            Version: GIT
>>           Hardware: PC
>>                 OS: Linux
>>             Status: NEW
>>           Severity: enhancement
>>           Priority: P3
>>          Component: Other
>>           Assignee: users at lists.claws-mail.org
>>           Reporter: pf at pfortin.com
>> 
>> Setting up new accounts with auto-configure results in:
>> POP3 = SSL
>> SMTP = SSL/STARTTLS
>> 
>> Here's the DNS responses I get on clicking auto-configure:
>> _pop3s._tcp.pfortin.com: type SRV, class IN, priority 10, weight 1,
>> port 995, target pop-2.luxsci.com
>> _submission._tcp.pfortin.com: type SRV, class IN, priority 0, weight
>> 1, port 6465, target secure-email-2.luxsci.com
>> 
>> POP3 & SMTP are usually set the same way... this difference may not
>> be obvious to new users.  
>
>Hmm... apart from the fact that the bug report summary does not clearly
>state what the problem is, 

It's an *enhancement*; but based on further investigation, it's beginning
to appear like a STARTTLS bug...  

>why *should* POP and SMTP be set the same way? 

Conversely, why should they NOT be set the same way? I run two instances
of CM with a total of 15 active email accounts (nearly as many retired)
and ALL of them are set to:
   POP3 = SSL  (orthogonally: I hate IMAP)
   SMTP = SSL

>Those are different services and may well imply different settings
>without anything being wrong.

I tried changing POP3 from SSL to SSL/STARTTLS and EVERY server access
resulted in:
** Session timed out. You may be able to recover by increasing the
timeout value in Preferences/Other/Miscellaneous.

So I suppose a _bug_ report could be opened against misleading
information :)

>What capabilities do your POP and SMTP servers announce on connection?

Good question...  and with very interesting results....

---------POP----------
Packet captures shows that while the CM settings are SSL, the
communications occur as TLSV1.2; the sequence is:
   CM                            Server
SYN(wsz=29200,MSS=1460,SACK=1,...)
                              SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
ACK(calcWsz=29312)
Client Hello (TLSv1.2)
                              ACK
                              Server Hello (TLSv1.2)
etc....

However, when set to STARTTLS, this is the ENTIRE exchange:
   CM                            Server
SYN(wsz=29200,MSS=1460,SACK=1,...)
                              SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
ACK(calcWsz=29312)
FIN, ACK  <===========<<<
                              ACK
                              FIN,ACK
ACK

NO capabilities are ever announced because CM aborts the connection
instead of initiating the next step...  is this what CM should be doing?
Up to this point, there is no information in the SYN sequence telling the
server what is coming...   Now looking like a bug v. an enhancement
report...

---------SMTP----------
This too returns:
*** Session timed out. You may be able to recover by increasing the
timeout value in Preferences/Other/Miscellaneous.

Wireshark reports:
   CM                            Server
SYN(wsz=29200,MSS=1460,SACK=1,...)
                              SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
ACK(calcWsz=29312)
FIN, ACK  <===========<<<
                              ACK
                              FIN,ACK
ACK

-----------------------
So, in both POP & SMTP, CM aborts connections when set to STARTTLS...

>This may influence the auto-configuration process.

How?   The auto-configuration is based on DNS SRV records, nothing else
as witnessed by a wireshark capture:
CM sends 2 packets:
  DNSq:  _pop3s._tcp.domain.tld: type SRV, class IN
  DNSq:  _submission._tcp.domain.tld: type SRV, class IN
and gets these responses ~230ms later:
  DNSr:  _pop3s._tcp.pfortin.com: type SRV, class IN, priority 10, 
            weight 1, port 995, target pop.service.tld
  DNSr:  _submission._tcp.pfortin.com: type SRV, class IN, priority 0,
            weight 1, port 6465, target smtp.service.tld

Nothing else...

If STARTTLS doesn't work at all, then that would imply that only SSL is
required (note that SSL actually uses TLSv1.2 in the wireshark captures)
and STARTTLS may be redundant...  

Over the years, I never noticed that _all_ my accounts are set to SSL.
When I've had problems setting up new ones, I recall having to make
changes to the SSL pane...  

Based on my wireshark captures, can anyone be using STARTTLS successfully?

What am I missing?

>Amicalement,

Likewise :)

More information about the Users mailing list