[Users] [Bug 3612] New: auto-configure sets POP=SSL & SMTP=SSL/STARTTLS

Albert ARIBAUD albert.aribaud at free.fr
Sat Feb 6 17:37:29 CET 2016 

Bonjour,

Le Sat, 6 Feb 2016 11:09:25 -0500
pf at pfortin.com a écrit:

> On Sat, 6 Feb 2016 09:47:06 +0100 Albert ARIBAUD wrote:
> 
> >Bonjour,
> >
> >Le Sat, 06 Feb 2016 02:48:18 +0000
> >noreply at thewildbeast.co.uk a écrit:
> >
> >> http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3612
> >> 
> >>             Bug ID: 3612
> >>            Summary: auto-configure sets POP=SSL & SMTP=SSL/STARTTLS
> >>     Classification: Unclassified
> >>            Product: Claws Mail
> >>            Version: GIT
> >>           Hardware: PC
> >>                 OS: Linux
> >>             Status: NEW
> >>           Severity: enhancement
> >>           Priority: P3
> >>          Component: Other
> >>           Assignee: users at lists.claws-mail.org
> >>           Reporter: pf at pfortin.com
> >> 
> >> Setting up new accounts with auto-configure results in:
> >> POP3 = SSL
> >> SMTP = SSL/STARTTLS
> >> 
> >> Here's the DNS responses I get on clicking auto-configure:
> >> _pop3s._tcp.pfortin.com: type SRV, class IN, priority 10, weight 1,
> >> port 995, target pop-2.luxsci.com
> >> _submission._tcp.pfortin.com: type SRV, class IN, priority 0,
> >> weight 1, port 6465, target secure-email-2.luxsci.com
> >> 
> >> POP3 & SMTP are usually set the same way... this difference may not
> >> be obvious to new users.  
> >
> >Hmm... apart from the fact that the bug report summary does not
> >clearly state what the problem is, 
> 
> It's an *enhancement*; but based on further investigation, it's
> beginning to appear like a STARTTLS bug...  
> 
> >why *should* POP and SMTP be set the same way? 
> 
> Conversely, why should they NOT be set the same way?

Because the infrastructures for sending and receiving mail have no
reason to be the same or to share identical technical choices.

 I run two
>> instances of CM with a total of 15 active email accounts (nearly as
> many retired) and ALL of them are set to:
>    POP3 = SSL  (orthogonally: I hate IMAP)
>    SMTP = SSL

Do you conclude from this thatb STARTTLS should never be used? :)

> >Those are different services and may well imply different settings
> >without anything being wrong.
> 
> I tried changing POP3 from SSL to SSL/STARTTLS and EVERY server access
> resulted in:
> ** Session timed out. You may be able to recover by increasing the
> timeout value in Preferences/Other/Miscellaneous.

So you have tried mis-using a service and ended up with a
non-functional setting. This seems pretty normal to me.

> So I suppose a _bug_ report could be opened against misleading
> information :)

I am still not understanding what here is misleading. Each POP3 service
provider, as well as, and independently of, each SMTP service provider,
even for the same domain, may choose its own settings freely. The goal
of auto-configuration is to get the settings from the provider in some
way, then apply them. If you get the provider settings then apply some
other settings, then you are not doing auto-configuration, you're doing
guess-configuration.

> >What capabilities do your POP and SMTP servers announce on
> >connection?
> 
> Good question...  and with very interesting results....
> 
> ---------POP----------
> Packet captures shows that while the CM settings are SSL, the
> communications occur as TLSV1.2; the sequence is:
>    CM                            Server
> SYN(wsz=29200,MSS=1460,SACK=1,...)
>                               SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
> ACK(calcWsz=29312)
> Client Hello (TLSv1.2)
>                               ACK
>                               Server Hello (TLSv1.2)
> etc....
> 
> However, when set to STARTTLS, this is the ENTIRE exchange:
>    CM                            Server
> SYN(wsz=29200,MSS=1460,SACK=1,...)
>                               SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
> ACK(calcWsz=29312)
> FIN, ACK  <===========<<<
>                               ACK
>                               FIN,ACK
> ACK
> 
> NO capabilities are ever announced because CM aborts the connection
> instead of initiating the next step...  is this what CM should be
> doing? Up to this point, there is no information in the SYN sequence
> telling the server what is coming...   Now looking like a bug v. an
> enhancement report...
> 
> ---------SMTP----------
> This too returns:
> *** Session timed out. You may be able to recover by increasing the
> timeout value in Preferences/Other/Miscellaneous.
> 
> Wireshark reports:
>    CM                            Server
> SYN(wsz=29200,MSS=1460,SACK=1,...)
>                               SYN,ACK(wsz=14480,MSS=1380,SACK=1,...)
> ACK(calcWsz=29312)
> FIN, ACK  <===========<<<
>                               ACK
>                               FIN,ACK
> ACK
> 
> -----------------------
> So, in both POP & SMTP, CM aborts connections when set to STARTTLS...

What is the timing? Is the communication aborted as soon as started, or
is there a silent period (which could mean a time-out waiting for the
server's welcome banner, for instance).

BUT... if the server does not support STARTTLS, it may not support
cleartext connections at all.

> >This may influence the auto-configuration process.
> 
> How?   The auto-configuration is based on DNS SRV records, nothing
> else as witnessed by a wireshark capture:
> CM sends 2 packets:
>   DNSq:  _pop3s._tcp.domain.tld: type SRV, class IN
>   DNSq:  _submission._tcp.domain.tld: type SRV, class IN
> and gets these responses ~230ms later:
>   DNSr:  _pop3s._tcp.pfortin.com: type SRV, class IN, priority 10, 
>             weight 1, port 995, target pop.service.tld
>   DNSr:  _submission._tcp.pfortin.com: type SRV, class IN, priority 0,
>             weight 1, port 6465, target smtp.service.tld
> 
> Nothing else...
> 
> If STARTTLS doesn't work at all, then that would imply that only SSL
> is required (note that SSL actually uses TLSv1.2 in the wireshark
> captures) and STARTTLS may be redundant...  

STARTTLS may work or not depending on the server setting. But if it is
supposed to work, then the server should accept cleartext connections,
if only to let the client send the STARTTLS command -- and this means
the server should send a banner and respond to a EHLO with a list of
its capabilities.

> Over the years, I never noticed that _all_ my accounts are set to SSL.
> When I've had problems setting up new ones, I recall having to make
> changes to the SSL pane...  
> 
> Based on my wireshark captures, can anyone be using STARTTLS
> successfully?

Depends on the server -- IP+port: some providers have SSL service on
one port, STARTTLS on another one. 

> What am I missing?

Wouldn't know unless I knew which server (domain) you are talking
about, so that I could check the advertised settings vs working
settings. What I know is, I've got many accounts set to SSL for both
POP and SMTP, and one set to SSL for POP and STARTTLS for SMTP, and all
work well -- but I can't swear they were all auto-configured.

Amicalement,
-- 
Albert.

More information about the Users mailing list