Package Details: courier-mta 1.3.5-1

Git Clone URL: https://aur.archlinux.org/courier-mta.git (read-only)
Package Base: courier-mta
Description: IMAP(s)/POP3(s) and SMTP Server with ML-manager, webmail and webconfig
Upstream URL: http://courier-mta.org
Licenses: GPL2
Conflicts: courier-imap, courier-maildrop, imap-server, smtp-forwarder, smtp-server, ucspi-tcp
Provides: courier-imap, courier-maildrop, imap-server, pop3-server, smtp-forwarder, smtp-server
Submitter: svenstaro
Maintainer: vario
Last Packager: vario
Votes: 13
Popularity: 0.000582
First Submitted: 2012-10-13 09:56 (UTC)
Last Updated: 2023-11-25 16:21 (UTC)

Latest Comments

vario commented on 2023-09-28 05:17 (UTC)

@arnaudlecam pkgconf is part of the base-devel group, which is a prerequisite of AUR use. See Getting started.

arnaudlecam commented on 2023-09-27 20:27 (UTC) (edited on 2023-09-27 20:28 (UTC) by arnaudlecam)

Hi,

Could you please add 'pkgconf' (needed for libidn checking) in makedepends of the PKGBUILD?

vario commented on 2022-12-18 07:27 (UTC)

Version 1.2.1 released after some deep debugging by andrej!

andrej commented on 2022-12-17 10:12 (UTC) (edited on 2022-12-17 10:13 (UTC) by andrej)

There is a workaround. Big thanks to Sam Varshavchik for finding it!

TL;DR: Append your D-H parameters (contents of the file set in TLS_DHPARAMS) at the end of your certificate files (TLS_CERTFILE + the suffixed domain-specific files).
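
The workaround described in the comment above, written as an idempotent script. This is an added example, not part of the comment or of the Courier project. It assumes PEM files, the standard DH PARAMETERS header written by openssl dhparam, and domain-specific certificate files named TLS_CERTFILE plus a dot and a suffix; the function names and the .pre-dh backup suffix are hypothetical.

```shell
#!/bin/sh
# Added example, not Courier's own tooling. Assumptions: PEM files, and
# domain-specific certificates named "<TLS_CERTFILE>.<suffix>".
DH_MARKER='-----BEGIN DH PARAMETERS-----'

# has_dhparams FILE: succeeds if FILE already holds a DH parameters block.
has_dhparams() {
    grep -qF -e "$DH_MARKER" "$1"
}

# append_dhparams CERT DHFILE
# Returns 0 if appended, 1 if CERT already had parameters, 2 on error.
append_dhparams() {
    cert=$1 dh=$2
    if [ ! -r "$cert" ] || [ ! -r "$dh" ]; then
        echo "cannot read $cert or $dh" >&2; return 2
    fi
    has_dhparams "$dh" || { echo "$dh: no DH parameters block" >&2; return 2; }
    if has_dhparams "$cert"; then return 1; fi
    cp -p -- "$cert" "$cert.pre-dh" || return 2    # rollback copy
    # A PEM header must start its own line: add a newline if CERT lacks one.
    [ -z "$(tail -c 1 "$cert")" ] || printf '\n' >> "$cert"
    cat -- "$dh" >> "$cert"
}

# patch_all CERT DHFILE: patches CERT and its suffixed siblings (CERT.*),
# skips rollback copies, and prints the number of files changed.
patch_all() {
    base=$1 dhfile=$2 changed=0
    for f in "$base" "$base".*; do
        case $f in *.pre-dh) continue ;; esac
        [ -f "$f" ] || continue
        rc=0
        append_dhparams "$f" "$dhfile" || rc=$?
        case $rc in
            0) changed=$((changed + 1)) ;;
            2) return 2 ;;
        esac
    done
    echo "$changed"
}

# Usage: sh add-dh.sh "$TLS_CERTFILE" "$TLS_DHPARAMS"
if [ "$#" -eq 2 ]; then
    patch_all "$1" "$2"
fi
```

Running it a second time changes nothing, and each patched file keeps a .pre-dh copy for rollback.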

andrej commented on 2022-12-12 02:46 (UTC)

I’ve filed a bug upstream.

andrej commented on 2022-12-12 02:15 (UTC) (edited on 2022-12-12 02:25 (UTC) by andrej)

Not sure if this is caused by version 1.2 of courier-mta or version 3.0.x of openssl, but courier-mta currently has a critical bug that renders STARTTLS inoperable unless you connect to the server using a domain name that mismatches the domain name in the certificate(s) (which makes little sense, i.e. STARTTLS is completely inoperable). The bug is tricky, because:

  • SSL requesting the certified domain name: works
  • SSL requesting a bogus domain name: works [useless]
  • STARTTLS requesting the certified domain name: fails
  • STARTTLS requesting a bogus domain name: works [useless]

This^^^ can be reliably reproduced using (1) Thunderbird, (2) R2Mail2 and (3) openssl s_client. It affects both IMAP and SMTP. For s_client in particular, this is how you can test your server:

# This will fail and exit immediately (with or without error, at random!):

openssl s_client -starttls imap -crlf -connect domain.in.certificate:143
openssl s_client -starttls smtp -crlf -connect domain.in.certificate:25

# This will work; try to enter (e.g.) '1 capability' for IMAP or 'EHLO blah' for SMTP:

openssl s_client -starttls imap -crlf -connect domain.NOT.in.certificate:143
openssl s_client -starttls smtp -crlf -connect domain.NOT.in.certificate:25

The error symptom is either an abrupt connection termination with no messages and no errors or, sometimes, an error like this one:

0052A735227F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:358:

The leading string seems to be something random, the stuff after : is stable.

For easier debugging, I’ve pasted a trivial IMAP client on Pastebin.

It establishes a STARTTLS connection to a server, authenticates using cram-sha256 and reads the mailbox status. As described above, setting server to the domain name in the certificate will fail (freeze in this case) whereas setting server to a bogus domain that resolves to the same mail server’s IP address (but is not in the certificate) will succeed.

I think this is a critical bug, because it renders opportunistic STARTTLS security over SMTP’s port 25 inoperable. SSL on 465 works perfectly fine though. For IMAP the obvious workaround is to just use IMAP over SSL on 993 and give up on STARTTLS for the time being.

vario commented on 2022-07-10 06:31 (UTC)

Versions keep appearing with nothing on the courier-announce list.

vario commented on 2022-01-16 20:11 (UTC)

New version coming soon - just waiting on a fix for a compile glitch in the courier-1.1.6 package.

opensorcerer commented on 2021-12-28 13:32 (UTC)

@vario Right, sorry.

vario commented on 2021-12-27 16:34 (UTC)

@opensorcerer make is part of the base-devel group, which is a prerequisite of AUR use. See Getting started.