Re: IMAPS and/or openssl problem



Timothy Murphy wrote:
Andy Green wrote:

Somebody in the thread at some point said:

telnet <myserver> 993
I just get
Trying <server IP address>
and nothing further, until I type ctrl-C.
Check /var/log/messages to see if anything is logged. The behavior of
telnet sounds like the behavior of openssl. It's probably not the
No, he doesn't even get a tcp connection established. If I telnet to my
IMAP server I see

telnet 192.168.0.xx 993
Trying 192.168.0.xx...
Connected to 192.168.0.xx.
Escape character is '^]'.

I would first confirm that something is still listening on your external
network interface on 993.

Thanks for all the responses.

nmap seems to show that port 993 is open:
=====================================
[tim@martha ~]$ nmap 86.43.71.228

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-31 02:13 CEST
Interesting ports on 86.43.71.228:
Not shown: 1688 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
993/tcp  filtered imaps
1720/tcp filtered H.323/Q.931
2001/tcp open     dc
5190/tcp open     aol

Nmap finished: 1 IP address (1 host up) scanned in 20.467 seconds
=====================================

Except that if you read the man page for nmap you find....

Filtered means that a firewall, filter, or other network obstacle is
covering the port and preventing nmap from determining whether the port is open.

And

[egreshko@misty ~]$ telnet 86.43.71.228 993
Trying 86.43.71.228...

Times out....

But "netstat -anp --tcp" does not show anything listening on 993
=====================================
[tim@martha ~]$ sudo netstat -anp --tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1745/nasd
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      1637/hpiod
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1878/smbd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1654/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1714/sendmail: acce
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1878/smbd
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      1642/python
tcp        0      0 0.0.0.0:33215           0.0.0.0:*               LISTEN      1443/rpc.statd
tcp        0      0 192.168.1.149:34676     86.43.71.228:2001       ESTABLISHED 3298/ssh
tcp        0      0 :::901                  :::*                    LISTEN      1680/xinetd
tcp        0      0 :::111                  :::*                    LISTEN      1422/rpcbind
tcp        0      0 :::22                   :::*                    LISTEN      1668/sshd
tcp        0      0 :::631                  :::*                    LISTEN      1654/cupsd
=====================================

I can telnet 993 on my server without problem:
=====================================
[tim@alfred ~]$ telnet localhost 993
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
^]
telnet> quit
Connection closed.
=====================================

And "iptables -L" seems to allow this connection:
=====================================
...
Chain net2fw (1 references)
target     prot opt source      destination
ACCEPT     0    --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere    icmp echo-request
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:http
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:https
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:appserv-http
ACCEPT     udp  --  anywhere    anywhere    udp dpt:appserv-http
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:smtp
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:imaps
Drop       0    --  anywhere    anywhere
LOG        0    --  anywhere    anywhere    LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       0    --  anywhere    anywhere
...
=====================================

So my best guess is that there is something wrong
with my dovecot configuration.
I "yum remove"d and "yum install"ed dovecot
(and re-edited dovecot.conf),
but that didn't seem to make any difference.

Why not tcpdump it over your ssh session to the server while you try to
connect and see what you can see.

Another more exotic workaround would be, on your local machine

ssh root@myserver -N -L993:localhost:993

while this runs, 993 (the first number) on your local client box will
magically be an encrypted wormhole to port 993 on myserver. Try running
that in one terminal session, and temporarily alter kmail to go look at
localhost for IMAP instead of myserver.

I'll try these tomorrow.
Thanks very much for your help anyway.



--
First Law of Bicycling:
No matter which way you ride, it's uphill and against the wind.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
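The thread above circles around three separate questions that are easy to run together: is anything on the server listening on 993 at all, is that listener bound to every interface or only to loopback (telnet to localhost succeeds either way), and what does a scan from outside see (open, closed, or filtered). The script below is an added example, not code from the thread or from any of the posters. It parses `netstat -anp --tcp` and `nmap` style output with plain POSIX sh and awk and turns the two observations into the next thing to check. The sample outputs are constructed for the example (993 is deliberately bound to 127.0.0.1 to show the loopback-only case), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a TCP port is bound on
# the server and combine that with the state nmap reports from outside.
# All sample output below is constructed to mirror the formats in the thread.

# Constructed `netstat -anp --tcp` rows, as they would look on the server.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1714/sendmail
tcp        0      0 127.0.0.1:993           0.0.0.0:*               LISTEN      2210/dovecot
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1668/sshd
tcp        0      0 :::80                   :::*                    LISTEN      1700/httpd
tcp        0      0 192.168.1.149:34676     86.43.71.228:2001       ESTABLISHED 3298/ssh'

# Constructed nmap port table for the same host, as seen from outside.
NMAP_SAMPLE='PORT     STATE    SERVICE
80/tcp   open     http
993/tcp  filtered imaps
2001/tcp open     dc'

# listen_scope PORT NETSTAT_TEXT
# Prints: none (no LISTEN socket on PORT), loopback (only 127.x / ::1),
# specific (a single non-loopback address) or all (0.0.0.0 / :: wildcard).
listen_scope() {
  port=$1
  text=$2
  scope=none
  # Only LISTEN rows matter; awk field 4 is the local address:port.
  # A here-document keeps the loop in the current shell so $scope survives,
  # and read -r avoids glob expansion of addresses such as "*:993".
  while read -r addr; do
    case "$addr" in
      *:"$port")
        case "$addr" in
          0.0.0.0:*|:::*|'*:'*) scope=all ;;
          127.*|::1:*)          [ "$scope" = all ] || scope=loopback ;;
          *)                    [ "$scope" = all ] || scope=specific ;;
        esac
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$text" | awk '$6 == "LISTEN" { print $4 }')
EOF
  printf '%s\n' "$scope"
}

# nmap_state PORT NMAP_TEXT
# Prints the STATE column for PORT/tcp, or "unknown" if nmap did not list
# the port (a default scan hides the state it considers uninteresting; in
# the thread's output that was "closed").
nmap_state() {
  printf '%s\n' "$2" | awk -v p="$1/tcp" \
    '$1 == p { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# diagnose PORT NETSTAT_TEXT NMAP_TEXT
# Combines the server-side and outside views into the next thing to check.
diagnose() {
  scope=$(listen_scope "$1" "$2")
  state=$(nmap_state "$1" "$3")
  case "$scope/$state" in
    none/*)       echo "port $1: no listener on the server; the daemon is not running or not configured for this port" ;;
    loopback/*)   echo "port $1: bound to loopback only; fix the daemon's listen address before touching the firewall" ;;
    all/filtered) echo "port $1: listener is fine but packets are dropped in transit; check the host firewall, then any NAT router or ISP filter" ;;
    all/closed)   echo "port $1: the scanned address answers with RST; traffic reaches a host that has no listener there (wrong host or NAT target?)" ;;
    all/open)     echo "port $1: TCP works end to end; debug the TLS layer with openssl s_client" ;;
    *)            echo "port $1: listener=$scope nmap=$state" ;;
  esac
}

diagnose 993 "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

Two caveats on using this against a real box. The listener check only means anything when the netstat is taken on the host that should be serving the port; the shell prompt in the output shows which machine it came from, and a netstat from a client box (one that merely has an ssh session to the server) says nothing about the server's sockets. And the ssh workaround quoted above, `-L993:localhost:993`, asks ssh to bind local port 993, which is a privileged port, so it needs root on the client side; `-L9993:localhost:993` and pointing the mail client at localhost:9993 avoids that. Once TCP is known to connect, `openssl s_client -connect host:993` is the quickest way to see whether the TLS handshake itself is what fails.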
