Cannot connect using imap to postfix/courier-imap anymore

[vespaman]

OK, so this is kind of a silly question

Many years ago I installed postfix/courier-imap as well as roundcube on my main server, and it has been working flawless until last week, presumably it broke with a world update.
Since it was so many years ago, I have forgotten the relationship between all the mail stuff, and therefore I am not sure where to start looking.

The good thing is that roundcube works just fine; I can send and receive mail using it.

With clients there are trouble when connecting using ssl.
If I use plain unencrypted imap it also seams to work, at least with thunderbird, kmail freaks out, but it was a long time since I could rely on kmail, so I think this should be disregarded.

If I try to use ssl, the only error that I get in the server log, is:

[cach0rr0]

im assuming this is imaps on 993 and not starttls on standard imap

honestly? i havent a clue where the courier config files are, but if i were, for example, tasked with figuring out someone else's system with unfamiliar IMAP systems, my port of call would be:

-do a netstat -tlnp and see what's listening where. A runtime configuration error could mean the listener never loads, which would lead me to
-running an 'equery files courier-imap' to figure out where the deuce the config files are, followed by:
-thumbing through the init script and relevant /etc/conf.d/* bits. I would start up the daemon with the same command line args found between the two places, and replicate the beahaviour, hoping for a more meaningful error. if I didn't get one, I'd do the same under strace

other thing to do, nail down if the issue really is specific to encrypted connections. Check standard SSL vs STARTTLS, check 143 vs 993, see what works, then we can figure out what doesnt.

vague reply? indeed! Those are starting points and thinking points. More log data would certainly be helpful, as well anything you can find from the pieces of suggestion above
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

[vespaman]

OK, so I really appreciate that my data is .. vague ..

Here's the output from netstat;

[cach0rr0]

the '-p' switch on netstat especially helpful (did i omit that? I'll look after I post this...)

id wager if it's able to listen at all on 993, the cert isnt breaking anything

starting manually from CLI would be helpful

also using openssl's s_client would be helpful, e.g.

[vespaman]

OK bad copy-paste lost the 'p'

[cach0rr0]

"did not change anything" - i assume you used s_client again to test?

with most IMAP systems, it's supposed to be a simple matter of editing a conf file, adding a line to point to cert, editing a line to point to key, done and done
i dont know how specifically one does this with courier (i use cyrus+postfix). Thing is, once you get a cert to show up with s_client, it's just like any other IMAP server.

SO, piecemeal - does the cert show in s_client now? If not, we're missing something in the .conf one would assume. Does the cert produced by mkimapdcert look to be valid?

Just some thoughts, again, not a courier guy, so I'm flying a bit blind.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

[vespaman]

Yes, I used s_client again.

But i think i have found a solution that works somewhat; adding useflag gnutls and re-emerging! So I am

Not sure why this fixed things. But this gives me another error in the logfile;

[cach0rr0]

could be courier was built against an older version of openssl, openssl was upgraded, courier needs to be rebuilt against newer openssl?
i say that as that could be why using gnutls got past the issue. if so, revdep-rebuild, or simply forcibly re-emerge courier (this time without gnutls use set)

PS: dovecot is damn simple, and it works! Only reason I use cyrus is its mailbox files (no, not mbox) rather than a traditional .maildir setup
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash