Bug 400221

Summary: can't talk to dovecot imap server
Product: [Frameworks and Libraries] Akonadi Reporter: Johannes Rohr <jorohr>
Component: IMAP resource Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED NOT A BUG    
Severity: normal CC: dvratil, kde, reis
Priority: NOR    
Version: 5.9.1   
Target Milestone: ---   
Platform: Other   
OS: Linux   

Description Johannes Rohr 2018-10-23 21:01:55 UTC
Somehow, KMail has lost the ability to talk to my IMAP server, which is a dovecot server, version 1:2.2.27-3ubuntu1.4 on Ubuntu Artful.

The connection is set up as an SSL connection on port 993.

On the local console I see:

org.kde.pim.kimap: Connection to server lost  9
org.kde.pim.imapresource: Session login cancelled
org.kde.pim.kimap: Connection to server lost  9
org.kde.pim.imapresource: Session login cancelled

many times over.

In the log on the server I see

Oct 23 22:44:02 ida dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXXX, lip=XXXX, TLS handshaking: Disconnected, session=<KQkMbut4kN9UkUxx>

both repeating themselves endlessly until I kill kmail

The same setup works fine in Thunderbird, K-9 Mail, Evolution and did work fine with KMail until recently.

SOFTWARE VERSIONS
(available in About System)
KDE Plasma Version:    5.49.0
KDE Frameworks Version: 5.49.0
Qt Version: Qt 5.11.2 (kompiliert gegen 5.11.2)
Comment 1 Johannes Rohr 2018-10-24 07:10:33 UTC
One observation: As soon as I click to remove the affected IMAP account from KMail, I see a prompt for the IMAP password pop up, but it instantly goes away again. This is reproducible.
Comment 2 Johannes Rohr 2018-10-29 16:36:59 UTC
Just checked the server's SSL cert. It is valid.
Comment 3 Pedro Celestino Reis Rodrigues 2018-11-21 15:08:56 UTC
Having the same problem here
Comment 4 Pedro Celestino Reis Rodrigues 2018-11-21 15:19:47 UTC
(In reply to Pedro Celestino Reis Rodrigues from comment #3)
> Having the same problem here

However, I am experiencing a mixed behavior: the connection to my institutional server does not work, but the connection to Hotmail still works.
Comment 5 Pedro Celestino Reis Rodrigues 2019-12-04 08:39:29 UTC
In my case the problem and the solution are explained here:
https://lists.debian.org/debian-kde/2018/11/msg00001.html
Comment 6 Pedro Celestino Reis Rodrigues 2019-12-04 08:54:09 UTC
I know the source of the problem is not in either kmail or akonadi, but their behavior could be made more friendly. A popup error message stating that ssl authentication is not possible would be good. Adding the information that the key server version is too old would be perfect.
Comment 7 Chris Samuel 2020-04-27 05:48:48 UTC
Hi there,

I have a strong suspicion that this is SSL related; I've found that this does not work:

openssl s_client -connect example.com:993
[...]
139765775537472:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149:
[...]

but this does (found here: https://imlc.me/dh-key-too-small ):

openssl s_client -connect example.com:993 --cipher 'DEFAULT:!DH'

Now the received wisdom is that this is because of OpenSSL configuration and you can fix it by adding this to /etc/ssl/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

However, that does not seem to work, either for the OpenSSL command line or for Akonadi.

All the best,
Chris
Comment 8 Chris Samuel 2020-04-27 05:52:05 UTC
Apologies, I had two bugs open in adjacent tabs and updated this instead of https://bugs.kde.org/show_bug.cgi?id=419782 (I strongly suspect it's a duplicate of this).
Comment 9 Chris Samuel 2020-04-27 06:10:17 UTC
The solution (for me) under Kubuntu 20.04 was to modify /etc/ssl/openssl.cnf after the line:

oid_section             = new_oids

by adding:

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
Comment 10 Daniel Vrátil 2020-05-11 06:42:10 UTC
Looks like a server issue requiring old or incompatible crypto algos, which is beyond KDE PIM, sorry.