Solved pop3s failure (qpopper, SeaMonkey, Apple Mail)

Attempting to retrieve email via qpopper with TLS/SSL (pop3s on port 995, plain text password) enabled using the SeaMonkey and Apple Mail mail clients fails with the qpopper log showing the same failure mode:

Code:
Apr 11 22:47:24 shadow qpopper[56980]: OpenSSL error during handshake
Apr 11 22:47:24 shadow qpopper[56980]: ...SSL error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 11 22:47:24 shadow qpopper[56980]: TLS/SSL Handshake failed: -1

Using openssl s_client -connect shadow:995 succeeds:

Code:
Apr 11 22:54:11 shadow qpopper[57209]: (v4.1.0) TLSv1/SSLv3 handshake with client at citadel (192.168.1.3); new session-id; cipher: AES256-GCM-SHA384 (AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD), 256 bits
Apr 11 22:54:30 shadow qpopper[57209]: Stats: trev 0 0 141 1515486 citadel 192.168.1.3

Using mpop --host=shadow --port=995 --tls=on --tls-certcheck=off --tls-starttls=off --user=trev --auth=user --keep=on --delivery=mbox,/home/trev/mbox also succeeds.

Code:
Apr 11 22:59:59 shadow qpopper[57442]: (v4.1.0) TLSv1/SSLv3 handshake with client at citadel (192.168.1.3); new session-id; cipher: AES256-GCM-SHA384 (AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD), 256 bits
Apr 11 23:00:04 shadow qpopper[57442]: Stats: trev 0 0 142 1518258 citadel 192.168.1.3

Where did I go wrong? Setting TLS/SSL, port 995 and authentication normal password in SeaMonkey and setting SSL in Apple Mail seems simple enough :)
 
In the course of updating Mac OS X from 10.10 to 10.11 and iOS from 8 to 9, Apple imposed more rigid restrictions on the TLS protocol used by applications from Apple and from the respective App Stores. Only TLSv1.2 can be negotiated and only the most secure ciphers, employing elliptic curve cryptography with forward secrecy may be utilized (out of the box).

AES256-GCM-SHA384 does not provide forward secrecy, and I guess, at least a modern Apple Mail would refuse to connect for this reason.

A good choice for adjusting the cipher suites would be:
openssl ciphers -v 'HIGH:\!aNULL:\!SSLv3:\!SSLv2'
Code:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
 
It seems from various experiments with openssl specifying ssl2, ssl3, tls1, tls1_1 and tls1_2 that qpopper compiled from ports using the base system openssl will only support TLSv1.2. All the other permutations fail with the error:

Code:
Apr 12 17:37:00 shadow qpopper[67249]: OpenSSL error during handshake [pop_tls_openssl.c:576]
Apr 12 17:37:00 shadow qpopper[67249]: ...SSL error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [pop_tls_openssl.c:576]
Apr 12 17:37:00 shadow qpopper[67249]: TLS/SSL Handshake failed: -1 [popper.c:231]

The Apple mail.app in question was from Mavericks, but I've just tried El Capitan's mail.app with the same result.
 
I just had a look into pop_tls_openssl.c. IMHO, the comment at the SSL/TLS initialization tells everything:
Code:
   /*
     * Select the connection method.  We use SSLv23_server_method by default.
     * We use other methods if so directed.
     *
     * A TLS/SSL connection established with this method understands the
     * SSLv2, SSLv3, and TLSv1 protocols.  A client sends out an SSLv2
     * client hello messages and indicates that it also understands SSLv3
     * and TLSv1.  A server understands SSLv2, SSLv3, and TLSv1 client
     * hello messages.  This is the best choice when compatibility is a
     * concern. 
     */

The best TLS protocol that mail/qpopper offers is TLSv1.0 which was defined in 1999, and with the release of TLSv1.2 in 2008 and it's wide employment since, TLSv1.0 is simply outdated, and obviously so qpopper is. Qualcomm even doesn't anymore maintain the product website, mentioned in the package description of the ports, namely
http://www.eudora.com/products/unsupported/qpopper/ redirects to Mozillas Thunderbird, which is discontinued as well (this is another story, though). The direct download of qpopper from the Qualcomm ftp server doesn't work either, and instead the ports system retrieves the source package from the fallback server located in Japan.

I guess, we have to face the fact, that qpopper simply reached its end of life. The best advise to give is, not to use qpopper anymore.
 
The best TLS protocol version that qpopper offers is TLSv1.2 as demonstrated below:

Code:
$ openssl s_client -connect 192.168.1.4:995 -tls1_2
CONNECTED(00000003)
[...]
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=shadow
  i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=shadow.sentry.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1686 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
  Protocol  : TLSv1.2 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  Cipher  : AES256-GCM-SHA384
  Session-ID: E81C9653B36384829C2526EEE01140EFAB6D5A4BCDDA0114AE5D6CA70539C2C7
[...]
---
+OK Qpopper (version 4.1.0) at shadow starting.  <14566.1460461673@shadow>
USER trev
+OK Password required for trev.
PASS xxxxxxxxxxxxx
+OK trev has 144 visible messages (0 hidden) in 5678004 octets.
So the problem is not with qpopper not supporting TLSv1.2 presumably because the openssl library with which it was compiled supports TLSv1.2.

It looks to me like the problem is with (1) the mail clients' failure to support better than TLSv1.0 or (2) the base openssl library only featuring TLSv1.2 (if you can call that a problem).

Research shows that Apple Mail, up to at least Yosemite, only supports TLSv1.0 for POP3 (my mailserver logs TLSv1 for SMTP STARTTLS from El Capitan). I have not been able to find anything about El Capitan's support for TLS versions, but it looks suspiciously like it has not improved. An El Capitan mail.app SSL dump is below:

Code:
$ ssldump -A -d -i nfe0 port 995
New TCP connection #1: dynamic1(49210) <-> shadow(995)
1 1  0.0048 (0.0048)  C>SV3.1(146)  Handshake
  ClientHello
  Version 3.1
  random[32]=
  57 0c e2 5b 56 ce 1e 42 ea dc 68 4c c7 a0 30 d6
  6f c9 c7 e5 9c bb 53 f1 c0 c2 5d cd 88 37 9c d3
  cipher suites
  Unknown value 0xff
  Unknown value 0xc024
  Unknown value 0xc023
  Unknown value 0xc00a
  Unknown value 0xc009
  Unknown value 0xc008
  Unknown value 0xc028
  Unknown value 0xc027
  Unknown value 0xc014
  Unknown value 0xc013
  Unknown value 0xc012
  Unknown value 0x6b
  TLS_DHE_DSS_WITH_NULL_SHA
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0x3d
  Unknown value 0x3c
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xc007
  Unknown value 0xc011
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  compression methods
  NULL
1 2  0.0648 (0.0599)  S>CV3.1(81)  Handshake
  ServerHello  Version 3.1
  random[32]=
  7d 55 61 bd df c2 2e 2c de 29 f4 1d 5c a9 0b 72
  4b ab 34 e8 43 92 b2 b6 4c 96 c6 7b 52 0f 5c 50
  session_id[32]=
  bb 4b 80 5b 8c 8c ec d0 21 67 41 88 0f 84 fc e0
  9c 63 56 72 e5 72 47 9e 18 fa ff 92 d5 c5 fd 49
  cipherSuite  TLS_RSA_WITH_AES_256_CBC_SHA
  compressionMethod  NULL
1 3  0.0648 (0.0000)  S>CV3.1(1383)  Handshake  Certificate
1 4  0.0648 (0.0000)  S>CV3.1(4)  Handshake  ServerHelloDone
1 5  1.2091 (1.1443)  C>SV3.1(262)  Handshake  ClientKeyExchange
  EncryptedPreMasterSecret[256]=  [...]
1 6  1.3195 (0.1103)  C>SV3.1(1)  ChangeCipherSpec
1 7  1.3195 (0.0000)  C>SV3.1(48)  Handshake
1 8  1.3199 (0.0003)  S>CV3.1(2)  Alert  level  fatal  value  bad_record_mac
1  1.3201 (0.0002)  S>C  TCP FIN
1  1.3255 (0.0054)  C>S  TCP FIN

This looks to me like qpopper server offers TLSv1.2 and mail.app client is unable to match it resulting in a failed TLS handshake.
 
Further experimentation with openssl eventually led to the solution. Having tried all the supported ciphers, it turned out that with the TLS1 protocol used by SeaMonkey and Apple Mail, only the RC4-SHA and RC4-MD5 ciphers were supported.

So, adding set tls-cipher-list=RC4-SHA,RC4-MD5 to /usr/local/etc/qpopper/qpopper.conf solved my issue :)

Code:
Apr 13 22:18:58 shadow qpopper[35033]: (v4.1.0) TLSv1/SSLv3 handshake with client at shadow (192.168.1.4); new session-id; cipher: RC4-SHA (RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1), 128 bits
Apr 13 22:18:58 shadow qpopper[35033]: Stats: trev 0 0 135 9976231 shadow 192.168.1.4
 
UPDATE

With the upgrade to SeaMonkey v2.48 its mail client has dropped support for the RC4-SHA and RC4-MD5 ciphers which no longer allow a successful TLSv1/SSLv3 connection between SeaMonkey and qpopper.

Trying RC4-SHA and RC4-MD5 connections with SeaMonkey now results in:

Code:
Aug  7 08:10:51 shadow qpopper[29407]: TLS/SSL Handshake failed: -1
Aug  7 08:11:06 shadow qpopper[29421]: OpenSSL error during handshake
Aug  7 08:11:06 shadow qpopper[29421]: ...SSL error: error:1408A0C1:SSL \
routines:ssl3_get_client_hello:no shared cipher

The good news is that SeaMonkey now supports the AES128-SHA cipher:

Code:
Aug  7 08:43:50 shadow qpopper[30032]: (v4.1.0) TLSv1/SSLv3 handshake with client\
at shadow (192.168.1.4); new session-id; cipher: AES128-SHA \
(AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1), 128 bits

Retesting with Apple Mail (both Mavericks and Sierra) shows they now also support the AES128-SHA and AES256-GCM-SHA384 ciphers respectively.

As a result, I've removed set tls-cipher-list=RC4-SHA,RC4-MD5 from /usr/local/etc/qpopper/qpopper.conf.
 
Back
Top