IMAPS and/or openssl problem

Bob Chiodini rchiodin at bellsouth.net
Fri Aug 31 10:56:35 UTC 2007


Timothy Murphy wrote:
> Andy Green wrote:
>
>   
>> Somebody in the thread at some point said:
>>
>>     
>>>>         telnet <myserver> 993
>>>> I just get
>>>>         Trying <server IP address>
>>>> and nothing further, until I type ctrl-C.
>>>>         
>>> Check /var/log/messages to see if anything is logged.  The behavior of
>>> telnet sounds like the behavior of openssl.  It's probably not the
>>>       
>> No, he doesn't even get a tcp connection established.  If I telnet to my
>> IMAP server I see
>>
>> telnet 192.168.0.xx 993
>> Trying 192.168.0.xx...
>> Connected to 192.168.0.xx.
>> Escape character is '^]'.
>>
>> I would first confirm that something is still listening on your external
>> network interface on 993.
>>     
>
> Thanks for all the responses.
>
> nmap seems to show that port 993 is open:
> =====================================
> [tim at martha ~]$ nmap 86.43.71.228
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-31 02:13 CEST
> Interesting ports on 86.43.71.228:
> Not shown: 1688 closed ports
> PORT     STATE    SERVICE
> 80/tcp   open     http
> 135/tcp  filtered msrpc
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 593/tcp  filtered http-rpc-epmap
> 993/tcp  filtered imaps
> 1720/tcp filtered H.323/Q.931
> 2001/tcp open     dc
> 5190/tcp open     aol
>
> Nmap finished: 1 IP address (1 host up) scanned in 20.467 seconds
> =====================================
>
> But "netstat -anp --tcp" does not show anything listening on 993
> =====================================
> [tim at martha ~]$ sudo netstat -anp --tcp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 127.0.0.1:8000              0.0.0.0:*                   LISTEN      1745/nasd
> tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      1637/hpiod
> tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      1878/smbd
> tcp        0      0 0.0.0.0:631                 0.0.0.0:*                   LISTEN      1654/cupsd
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1714/sendmail: acce
> tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      1878/smbd
> tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      1642/python
> tcp        0      0 0.0.0.0:33215               0.0.0.0:*                   LISTEN      1443/rpc.statd
> tcp        0      0 192.168.1.149:34676         86.43.71.228:2001           ESTABLISHED 3298/ssh
> tcp        0      0 :::901                      :::*                        LISTEN      1680/xinetd
> tcp        0      0 :::111                      :::*                        LISTEN      1422/rpcbind
> tcp        0      0 :::22                       :::*                        LISTEN      1668/sshd
> tcp        0      0 :::631                      :::*                        LISTEN      1654/cupsd
> =====================================
>
> I can telnet 993 on my server without problem:
> =====================================
> [tim at alfred ~]$ telnet localhost 993
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> =====================================
>
> And "iptables -L" seems to allow this connection:
> =====================================
> ...
> Chain net2fw (1 references)
> target     prot opt source               destination
> ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:appserv-http
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:appserv-http
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
> Drop       0    --  anywhere             anywhere
> LOG        0    --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
> DROP       0    --  anywhere             anywhere
> ...
> =====================================
>
> So my best guess is that there is something wrong
> with my dovecot configuration.
> I "yum remove"d and "yum install"ed dovecot
> (and re-edited dovecot.conf),
> but that didn't seem to make any difference.
>
>   
>> Why not tcpdump it over your ssh session to the server while you try to
>> connect and see what you can see.
>>
>> Another more exotic workaround would be, on your local machine
>>
>> ssh root at myserver -N -L993:localhost:993
>>
>> while this runs, 993 (the first number) on your local client box will
>> magically be an encrypted wormhole to port 993 on myserver.  Try running
>> that in one terminal session, and temporarily alter kmail to go look at
>> localhost for IMAP instead of myserver.
>>     
>
> I'll try these tomorrow.
> Thanks very much for your help anyway.
>
>   
Tim,

Is fred the server and martha the remote machine?  If so, the netstat 
command should be run on fred.  I'd also check /etc/hosts.allow and 
/etc/hosts.deny.

Bob...
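Editor's added example (not from any post in this thread): the diagnostic the thread circles around is "who can reach the listener on 993", and the netstat listing above answers it for the wrong machine (the ESTABLISHED ssh line to 86.43.71.228:2001 shows it was taken on the client). The POSIX sh script below reads `netstat -antp` or `ss -ltnp` style output, classifies the listener on a given port as bound to loopback only, to all interfaces, or to one address, and pairs that with the outside view nmap gives (open/closed/filtered). The listener table embedded in it is constructed, modelled on the layout of the listing above; the PIDs and the dovecot line are made up. Numeric (`-n`) output is assumed; `--live` runs it on the server's real socket table.

```shell
#!/bin/sh
# Added example: classify a TCP listener by bind address and combine with
# the nmap view from outside. Run on the SERVER, not the client.

# listener_scope PORT   (netstat -antp / ss -ltnp output on stdin)
# Prints one word: none | loopback | all | <specific address>
listener_scope() {
    awk -v port="$1" '
        # netstat: Proto Recv-Q Send-Q Local Foreign State PID/Program
        # ss -ltn: State Recv-Q Send-Q Local Peer  Process
        # In both layouts the local address:port is field 4.
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") lo = 1
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]") all = 1
            else spec = addr
        }
        END {
            if (all) print "all"
            else if (spec != "") print spec
            else if (lo) print "loopback"
            else print "none"
        }'
}

# diagnose NMAP_STATE SCOPE
# NMAP_STATE is what a scan from outside reports (open/closed/filtered),
# SCOPE is what listener_scope printed on the server.
diagnose() {
    case "$1/$2" in
        */none)     echo "nothing listens on the port: service down or not configured to listen" ;;
        */loopback) echo "bound to loopback only: remote clients can never connect; fix the listen address" ;;
        filtered/*) echo "listener exists but probes are dropped in transit: host firewall, router or ISP; watch iptables counters and tcpdump on the server" ;;
        closed/*)   echo "listener exists but the probed address answers RST: wrong IP, NAT, or a different host" ;;
        open/*)     echo "TCP is reachable; the fault is above TCP, test with: openssl s_client -connect HOST:993" ;;
        *)          echo "unknown combination $1/$2"; return 1 ;;
    esac
}

# Constructed sample in netstat layout (fake PIDs; dovecot deliberately
# bound to 127.0.0.1 to show the loopback case).
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1714/sendmail
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1668/sshd
tcp        0      0 127.0.0.1:993               0.0.0.0:*                   LISTEN      2201/dovecot
tcp        0      0 :::80                       :::*                        LISTEN      1700/httpd
tcp        0      0 192.168.1.149:34676         86.43.71.228:2001           ESTABLISHED 3298/ssh'

case "${1-}" in
    --live)   # real socket table on this host; port as second argument
        { ss -ltn 2>/dev/null || netstat -ltn; } | listener_scope "${2:-993}" ;;
    --demo)   # walk the constructed sample as if nmap had said "filtered"
        for p in 22 993 2001; do
            scope=$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_scope "$p")
            printf 'port %s: %s -> %s\n' "$p" "$scope" "$(diagnose filtered "$scope")"
        done ;;
esac
```

`sh check.sh --demo` walks the sample; `sh check.sh --live 993` on the server gives the word to feed into `diagnose` together with the state nmap reported from outside. A "filtered" result with "all" on the server points at the firewall path, which is where the thread's tcpdump suggestion and the Shorewall LOG rule above come in; "loopback" points at the daemon's listen address instead.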




More information about the fedora-list mailing list