Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: pearless on May 10, 2010, 03:46:06 AM
-
I am running the latest v7 with all the fixes and SSL for IMAP and SMTP with a self generated certificate
On the internal network, everything works fine (Thunderbird on WinXP, + iMAC OSX 10.4 with Apple's mail client), and webmail.
Accessing this externally:
1) My iPhone works perfectly.
2) Webmail works fine from some locations. Some locations I can accept the "untrusted" self signed certificate but not much happens after that (typically under LINUX); Under Windows this works fine.
3) Evolution and Thunderbird under vanilla debian LINUX - both ask me to accept the certificate and then search for the IMAP folders and never find them. Using WireShark I found an "SSL Malformed Packet" error followed by a "TCP Previous Segment Lost" warning.
I'm not sure if this is a bug or not.
Does anyone have any ideas?
Cheers
Douglas
-
You report different problems here. Which one is concerning the WS capture? Only case 3?
It does not necessarily need to be a bug, it could have to do with the capture settings:
http://www.wireshark.org/lists/wireshark-users/200704/msg00070.html
Also try and have a look at this one: http://blog.wisefaq.com/2009/04/08/ssl-errors-and-how-to-diagnose-them/
Are you using a proxy server?
-
with a self generated certificate
And what happens when you use the SME Server default certificate? Did you try that? If not, can you try that?
-
And what happens when you use the SME Server default certificate? Did you try that? If not, can you try that?
Perhaps I was unclear in my request for help, I am using the SME generated certificate, is that what you are referring to?
-
You report different problems here. Which one is concerning the WS capture? Only case 3?
It does not necessarily need to be a bug, it could have to do with the capture settings:
http://www.wireshark.org/lists/wireshark-users/200704/msg00070.html
Also try and have a look at this one: http://blog.wisefaq.com/2009/04/08/ssl-errors-and-how-to-diagnose-them/
Are you using a proxy server?
From your suggestion, I disabled the "Allow subdissector to reassemble TCP streams" option in the tcp protocol preferences.
Below is how the last part of the trace now looks (Wireshark under debian using the Evolution mail client):
"SSLv3 [TCP Previous segment lost] Continuation Data, [Unreassembled P"
"TCP [TCP Dup ACK 45#1] 55898 > imaps [ACK] Seq=515 Ack=1582 Win=103"
So I assume that this means that I am losing one or more packets?
If so, any ideas as to why?
[UPDATE 1] I also tried using webmail (under debian) and I am getting the same messages.
[UPDATE 2] Under Windows XP using a different infrastructure (+proxy), webmail works using IE and no error messages.
[UPDATE 3] After researching this issue from a SSL perspective, I found there appear to be issues where a conversation starts with SSL2 and changes to SSL3 after the initial handshake and these can manifest themselves as "SSL Malformed Packet" errors. This seems to be true with OpenSSL; I assume SSL2 support is enabled by default and I will try to disable this and see if it makes a difference.
So why only on the external network (internet) using webmail or a mail client - but not my iPhone either using cellular or the same WIFI that the debian box is using. Note the debian is under VMWARE server 2. I will also try under XP.
Cheers
Douglas
-
It turns out that the MTU for the Wifi connection to my ADSL modem was 1492 and not 1500 used by direct ethernet connections.
So dropping it to 1492 solved the issue for Wifi connected machines!
More info: http://www.debianhelp.co.uk/mtu.htm
Cheers
Douglas.
-
You must have a firewalling or other networking problem somewhere between clients and servers. A sub-optimal MTU should create a performance problem, but things should still work.
I suspect this is the issue you are seeing (the "from some locations" suggests it - they are the ones not receiving ICMP, and not retrying with smaller packet size):
http://www.phildev.net/mss/mss-talk.pdf
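-
Added example, not part of any post in this thread: a way to measure the usable path MTU from a client when ICMP "fragmentation needed" replies may be filtered, by binary-searching with don't-fragment probes. The function names, the simulated 1492-byte path and the host `mail.example.org` are assumptions for illustration; `ping_df` assumes Linux iputils `ping`.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, packet_size):
    """One echo request of total IP size packet_size with DF set (Linux ping).
    Fails both on an ICMP 'frag needed' error and on a silent drop (timeout)."""
    payload = packet_size - IP_ICMP_OVERHEAD
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return done.returncode == 0


def find_path_mtu(probe, low=576, high=1500):
    """Largest size in [low, high] for which probe(size) succeeds, or None.
    Assumes every size below the path MTU passes and every size above fails."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search the upper half
        else:
            high = mid - 1   # mid is dropped, search the lower half
    return low


def diagnose(probe, interface_mtu=1500):
    """Summarise the path: a path MTU below the interface MTU means full-size
    TCP segments only get through if ICMP 'frag needed' reaches the sender."""
    path_mtu = find_path_mtu(probe, high=interface_mtu)
    if path_mtu is None:
        return {"path_mtu": None, "tcp_mss": None, "depends_on_icmp": None}
    return {"path_mtu": path_mtu,
            "tcp_mss": path_mtu - IP_TCP_OVERHEAD,
            "depends_on_icmp": path_mtu < interface_mtu}


def simulated_path_1492(packet_size):
    """Constructed stand-in for a link that silently drops packets > 1492."""
    return packet_size <= 1492


if __name__ == "__main__":
    print(diagnose(simulated_path_1492))
    # Live use (assumed host): diagnose(lambda s: ping_df("mail.example.org", s))
```

A single lost probe on a live network reads as "too big", so repeat the measurement before changing an interface MTU or MSS clamp.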