Topic: SSL Error on Iphone iOS 9 OX Capitan

[Stefano]

so we got a 7.2 and 7.6.. OT in this forum

@brenno and seb: your SME are in EOL since a long time, they are unsupported.. please move asap to 8.1 or, better, to 9.

moving this topic to general discussion

[Brenno]

For clarity, I was never suggesting there was an issue with the SME product.  I was merely indicating that seb's experience was mirrored by my own.  When I have issues I often turn to this forum to see if they've been reported by anyone else; it's an important diagnostic step, IMO, so I feel there's value in somebody saying "Yeah, me too!".

But, to reiterate, this is definitely a change in iOS 9.  I was able to connect to my 7.6 box without issue from devices still running iOS 8.  We don't officially support iOS so I'm not obligated to try to fix this, but nonetheless it's a pain in the a$$ and I'd prefer that there be an option to patch the SSL issue rather than have to upgrade the entire machine.  Is there nothing from CentOS on this?

IIRC, jumping to SME 8 will force all internal clients to authenticate for SMTP, so that will also mean touching all inside clients to make that change, too.

[Daniel B.]

but nonetheless it's a pain in the a$$ and I'd prefer that there be an option to patch the SSL issue rather than have to upgrade the entire machine.  Is there nothing from CentOS on this?

No, SME7, just as its upstream CentOS 4 are EOL, which means there'll be no further update (be it bug fix, new feature, or even security).

IIRC, jumping to SME 8 will force all internal clients to authenticate for SMTP, so that will also mean touching all inside clients to make that change, too.

No, you can disable this feature (even if it's not recommended, but you can at least disable it for some time, and once every client has auth enabled, you can turn it back on)

[janet]

Brenno

My answer is the same as Daniel.

No one upstream is working on obseleted end of life software, that is why they release new versions of CentOS which are in SME 8 & SME 9
If you want updated packages you have to use the new OS in it's entirity, unless you personally want to try & release suitable patches, but good luck, in my opinion it's far easier to upgrade.

A simple db command can disable authenticated smtp in SME 8, as Daniel says it is not recommended practice, but it can be done

You could have carried out the upgrade in the time it has taken to post here & answer these posts !

[Fumetto]

I can confirm "bug"; iPhone update to IOS 9 and got error on mail sistema with SME8.x full updated.

I hate Apple's software...

A part of imaps log

2015-09-18 19:50:47.323437500 2015.09.18 19:50:47 LOG3[8299:47380366448768]: SSL_read (SSL_ERROR_SYSCALL): Connection timed out (110)
2015-09-18 19:50:47.323493500 2015.09.18 19:50:47 LOG5[8299:47380366448768]: Connection reset: 4362 bytes sent to SSL, 298 bytes sent to socket
2015-09-18 19:50:47.324444500 imap(amministrazione): Info: Connection closed: Connection reset by peertcpsvd: info: end 8299 exit 0
2015-09-18 19:50:47.324547500 tcpsvd: info: status 3/400
2015-09-18 19:50:47.324590500
2015-09-18 19:51:28.840920500 2015.09.18 19:51:28 LOG3[8301:47759673518208]: SSL_read (SSL_ERROR_SYSCALL): Connection timed out (110)
2015-09-18 19:51:28.840975500 2015.09.18 19:51:28 LOG5[8301:47759673518208]: Connection reset: 17076 bytes sent to SSL, 1511 bytes sent to socket
2015-09-18 19:51:28.841650500 imap(amministrazione): Info: Connection closed: Connection reset by peer

[Brenno]

I'm looking to do the upgrade over the weekend.  I have 8.x on DVD already, so it's just a matter of going onsite and working it through.

Regarding the reinitialization of the master yum repositories, is that what this link is instructing?  It's worded a little differently so I wanted to verify.

Can you give more details as to disabling the need for authentication for SMTP on the LAN side?  I did some searching and couldn't located that part - and I'm assuming it's not the same as what's found in the server manager > email settings > smtp authentication since that drop-down strikes me as affecting all SMTP connections, not just internal.

[janet]

Fumetto

I can confirm "bug"; iPhone update to IOS 9 and got error on mail sistema with SME8.x full updated.

Perhaps you missed my previous post here
http://forums.contribs.org/index.php/topic,51944.msg265190.html#msg265190

iOS 9 on an iPhone 5 works OK for me using IMAPS & SSMTP (SSL all certificates) collecting/sending mail remotely on a SME8.1 server, so there does not seem to be an inherent bug in iOS 9 that stops all users.
Since then I tested on SME9.1beta2 & works OK there too.

You really need to report a bug in bugzilla if you want a better answer, & be prepared to supply log files & further information as requested.

[janet]

Brenno

Regarding the reinitialization of the master yum repositories, is that what this link is instructing?  It's worded a little differently so I wanted to verify.

Yes that's it.

Can you give more details as to disabling the need for authentication for SMTP on the LAN side? 

See the release notes, by the way 8.0 was released on 26 May 2012 which is along time ago.
You are likely to need (be forced)  to upgrade in another year or so, so why not move to SME 9.x now.
Requires backup & restore though, as all upgrades to v9.0 are not supported (due to underlying CentOS constraints)

See
http://forums.contribs.org/index.php/topic,48671.0.html
under Major changes since beta 7 & Mail server
Require authentication for all emails, including local.
under Mail Server
Require SMTP authentication by default when sending to an external address.

The email Howto is a good place to look re how to disable this
http://wiki.contribs.org/Email#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients

Also discussed here
http://forums.contribs.org/index.php/topic,48650.msg241849.html#msg241849
& here
http://bugs.contribs.org/show_bug.cgi?id=5575

Authenticated smtp is a good feature to stop viruses or hackers making use of your mail engine, so the better approach is to change settings on email clients.

[Brenno]

janet,

Looking at the links you've provided, I'm going to use the following commands to disable the need for authentication on the LAN:

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

config setprop qpsmtpd Authentication disabled
signal-event email-update

Hopefully these are the right steps; I don't want to inadvertently enable outside relaying.  But, I'm nervous about having the authentication required on the LAN side as I need more time to assess what production equipment might be impacted in addition to getting all workstations updated.  Plus, I'm traveling all next week and can't be onsite.  Game plan is to enable this feature ASAP.

Post-upgrade script is running right now 

[Daniel B.]

Or you can just:

Code: [Select]

db configuration setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update


[Brenno]

Have completed the CD upgrade from 7.6 to 8.1 and disabled qpsmtpd as suggested - tested and seems to be working fabulously.

Yum is not working though; it says:

Code: [Select]

Could not retrieve mirrorlist http://mirrorlist.contribs.org/mirrorlist/smeaddons-8 error was [Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>

Cannot find a valid baseurl for repo: smeaddons

I enabled the default respositories as above, ran a yum clean clean all and validated that the repositories were enabled with /sbin/e-smith/audittools/repositories

I can bring the URL up in my web browser just fine and I can ping contribs.org from the SME box.  I cannot ping mirrorlist.contribs.org from the SME box, though.

[janet]

Brenno

Mirrors appear to be OK
http://mirror.contribs.org/mirrors/

Did you do:

cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event yum-modify

then (although it should not be necessary)
yum clean all --enablerepo=*

then
yum update

[Brenno]

Hi Janet,

Yes - ran all those commands verbatim (three times now).  It hangs on "determining fastest mirrors" and then eventually comes up with the temporary resolution error message above.

The SME server cannot ping mirrorlist.contribs.org; it comes back unknown host.  Pinging contribs.org and forums.contribs.org is fine.  Can ping all three is OK from my Win7 workstation.

Edit: I added Google's DNS (8.8.8.8 ) to the Domains page in server-manager and yum is now happily running!

[Brenno]

Worse fears realized!

Box was running well before yum update.  After the update finished and the machine rebooted, it tells me that there's a problem with the superblock on /dev/sdb1 (which is a USB drive that I use for AFFA).

Now stuck in an endless cycle of rebooting to the error and then having to restart again.  Going to try to re-install from CD to see what happens.

[Brenno]

Ok, I don't know what happened, but I used recovery mode from the installer CD to edit out the drive in /etc/fstab and rebooted just fine.  Once booted I can mount the external drive and browse contents just fine, but for some reason it sure doesn't like trying to boot with the drive already there!

I'll leave that for another day; I believe AFFA should auto-mount the drive anyway so if the machine is rebooted it won't matter that it's not in /etc/fstab.

Anyway, enough of me rambling on in this thread!  To return to the original topic, the upgrade from 7.6 to 8.1 has restored access to IMAP accounts on iOS 9 devices.