imapfilter: certificate verify failed since version 2.6.13

imapfilter -V
IMAPFilter 2.6.13  Copyright (c) 2001-2019 Eleftherios Chatzimparmpas

Having used imapfilter for years, the latest update to version 2.6.13 breaks certificate verification for me and therefore the entire tool:

imapfilter -v
imapfilter: initiating SSL connection to mail.XXXXX.com; error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
imapfilter: login request to john@example.com@mail.XXXXX.com failed
stack traceback:
	[C]: in ?
	[C]: in function 'error'
	...al/Cellar/imapfilter/2.6.13/share/imapfilter/account.lua:81: in field '_check_result'
	...al/Cellar/imapfilter/2.6.13/share/imapfilter/account.lua:97: in field '_login_user'
	...al/Cellar/imapfilter/2.6.13/share/imapfilter/account.lua:59: in global 'IMAP'
	/Users/john/.imapfilter/config.lua:4: in main chunk

To verify the SSL setup of the server, I ran openssl s_client -connect mail.XXXXX.com:993 -status which yields:

CONNECTED(00000005)
OCSP response: no response sent
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = mail.gandi.net
verify return:1
.... SNIPPED ....
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5211 bytes and written 302 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E4668ADAF79CCF6C96707B2B17BF68AF2502D4AD1E2F6CDC45EF53F485D59AFC
    Session-ID-ctx:
    Master-Key: 3D6B73D5640CB389CE83D54695857DB0A2FE241312B4674CD150A84773D44C53F91345B577042CED1E7B170276350DEB
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5b f4 b7 66 78 60 f8 45-75 e3 36 3c 9a 36 be 5d   [..fx`.Eu.6<.6.]
    0010 - 58 fd ad 5d 16 b6 f1 69-22 a6 cc ec b0 10 26 fd   X..]...i".....&.
    0020 - e1 a5 b3 d4 3d 3a c7 1a-6c b9 2e a1 a8 45 54 6e   ....=:..l....ETn
    0030 - 09 39 6a 60 57 d9 be c4-3d 79 6c 00 db 50 f1 29   .9j`W...=yl..P.)
    0040 - 4e 4d ae 89 36 a7 f0 89-af 13 24 84 ee 5c 75 d2   NM..6.....$..\u.
    0050 - 8e 88 d5 54 2a f0 61 51-f1 e7 09 1d d8 dc f9 e3   ...T*.aQ........
    0060 - 95 60 fc d0 31 83 50 2d-49 b4 53 92 53 f8 e7 76   .`..1.P-I.S.S..v
    0070 - 37 94 34 ac 67 eb 0a f8-ab c9 fb 66 be 03 0e 8e   7.4.g......f....
    0080 - 8a 55 e6 0d 25 9d 0c 9a-fc 1b 77 cc 30 f9 4e 41   .U..%.....w.0.NA
    0090 - 15 11 bf 9d ee fb 91 46-05 33 b2 99 5a ca 5b 67   .......F.3..Z.[g

    Start Time: 1571126967
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot (Debian) ready.

The configuration looks like this:

account1 = IMAP {
  server = "mail.XXXXX.com",
  username = "john@example.com",
  password = password,
  ssl = "tls12",
  port = 993,
}

Thx

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 47 (16 by maintainers)

Most upvoted comments

For those not wanting to use the hostname validation functionality: since version 2.7.5, you can set options.hostnames = false to disable it.

Of course this is not recommended, and thus the default is that it’s enabled. But if you know what you’re doing…

Is there any update here? I’d like to package the latest release of imapfilter in EPEL (CentOS/RHEL) for CVE-2016-10937 to be fixed but this issue is blocking me to move forward. Thanks!

@lefcha — Thanks — attaching as self-signed NAS becomes more difficult by the year. It’s sad to see that encryption will soon only be available to companies you can spend $$$ every year to renew those expensive certificates.

I finally had some time to further investigate my issue. It turns out that it’s an issue with the certificate on the server side which I’ll need to investigate further. Using imapfilter -v returned the error ...error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.... On the server I was getting TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42.

So the command openssl s_client -showcerts -connect example.com:993 -servername example.com revealed a different CN domain in the SSL certificate. I changed my imapfilter/config.lua to this domain for server= and now it works.

In short, it turned out to be a user error. Apologies for any alarm. I guess this check got more strict after 2.6.12.
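As an added example, not code from the original issue or from imapfilter, the following Python script performs the two checks a verifying client such as imapfilter 2.6.13 makes when it connects on port 993: validation of the chain against the system CA store, then matching of the configured server name against the certificate's subjectAltName DNS entries (or, for a certificate with no SAN at all, the subject CN). It reports the names the certificate actually carries, so the server= line can be set to one of them, which is the resolution the comment above reached. The script name, the function names, the host in the usage line and the two sample certificate dicts are assumptions for illustration; only the standard library is used.

```python
"""Added example (not imapfilter's own code): reproduce the two checks a
verifying IMAP client makes on a server certificate, chain validity and
hostname match, so a "certificate verify failed" can be attributed to one
of them and the name to put in imapfilter's server= can be read off."""
import socket
import ssl
import sys
from typing import Any, Dict, List

# Constructed sample certificates in the dict layout getpeercert() returns.
# They are not real certificates and the names are placeholders.
SAMPLE_SAN_CERT: Dict[str, Any] = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "imap.example.test"),)),
    "subjectAltName": (("DNS", "imap.example.test"), ("DNS", "*.example.test")),
}
SAMPLE_CN_ONLY_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "mail.example.test"),),),
}


def cert_hostnames(cert: Dict[str, Any]) -> List[str]:
    """DNS names the certificate is valid for.  subjectAltName DNS entries
    win; the subject CN is only consulted when the certificate carries no
    SAN at all, which is how verifiers treat legacy certificates."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; '*' is honoured only as
    the entire left-most label and only when at least two labels follow it,
    so '*.example.test' matches 'mail.example.test' but not 'example.test',
    'a.b.example.test', and a bare '*.test' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: Dict[str, Any]) -> bool:
    """True when the configured server name is covered by the certificate."""
    return any(name_matches(name, hostname) for name in cert_hostnames(cert))


def diagnose(server: str, port: int = 993, timeout: float = 10.0) -> Dict[str, Any]:
    """Connect with implicit TLS (the ssl=/port=993 case in the issue), verify
    the chain against the system CA store, then run the hostname check
    separately so the report says which of the two checks failed."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED against the system store
    ctx.check_hostname = False          # the name check is done explicitly below
    try:
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:  # SNI = server
                cert = tls.getpeercert()
                greeting = tls.recv(512).decode("ascii", "replace").strip()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired, etc.: the hostname question never arises.
        return {"server": server, "chain_ok": False, "error": exc.verify_message}
    return {
        "server": server,
        "chain_ok": True,
        "cert_names": cert_hostnames(cert),
        "hostname_ok": hostname_matches(server, cert),
        "greeting": greeting,
    }


if __name__ == "__main__":
    # Usage: python3 imap_cert_check.py mail.example.test [993]
    # (script name and host are placeholders, not taken from the issue)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    report = diagnose(host, port)
    if not report["chain_ok"]:
        print(f"chain verification failed for {host}: {report['error']}")
    elif not report["hostname_ok"]:
        print(f"chain OK but {host} is not among the certificate's names "
              f"{report['cert_names']}; set server= to one of them")
    else:
        print(f"{host} verifies; server greeting: {report['greeting']}")
```

The matcher is deliberately simplified (no IP-address SANs, no IDNA normalisation), which is enough to tell a chain problem from a name mismatch before reaching for openssl s_client -showcerts. Disabling the name check, as options.hostnames = false does in later releases, makes the client accept a certificate issued to any name by any trusted CA, so correcting the configured name is the better route.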

$ imapfilter
imapfilter: initiating SSL connection to hwsrv-638693.hostwindsdns.com; error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
imapfilter: login request to russell@kg5jbe.com@hwsrv-638693.hostwindsdns.com failed
stack traceback:
	[C]: in ?
	[C]: in function 'error'
	/usr/share/imapfilter/account.lua:81: in field '_check_result'
	/usr/share/imapfilter/account.lua:100: in field '_login_user'
	/usr/share/imapfilter/account.lua:59: in global 'IMAP'
	/home/downtime/.imapfilter/config.lua:124: in main chunk

and the dovecot.log on the server shows :

Dec 27 15:48:52 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=2602:304:b226:4299:5365:d28:daaa:ff36, lip=2607:5500:3000:72e::2, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<sFU8brGaxKomAgMEsiZCmVNlDSjaqv82>

Note that the log entry shows an empty username. I can downgrade to 2.6.12 with no other changes and everything works.

@merlinblack, yes, works fine with 2.6.15-1 on both F30 and F31 as well as CentOS 7 / RHEL 7. No need to specify any flag there, what I did to test it on an F31 container:

mkdir ~/.imapfilter
# write the test config with a quoted heredoc so the inner quotes survive
cat > ~/.imapfilter/config.lua <<'EOF'
myaccount = IMAP {
  server = 'imap.gmail.com',
  username = 'test@gmail.com',
  password = 'secret',
  ssl = 'auto',
}
EOF
imapfilter

Result:

imapfilter: IMAP (3): 1001 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
imapfilter: username test@gmail.com or password rejected at imap.gmail.com
imapfilter: authentication of test@gmail.com@imap.gmail.com failed.
stack traceback:
	[C]: in ?
	[C]: in function 'error'
	/usr/share/imapfilter/account.lua:99: in field '_login_user'
	/usr/share/imapfilter/account.lua:59: in global 'IMAP'
	/root/.imapfilter/config.lua:1: in main chunk

@haraldme Can you try to use the latest version from git, as the https://github.com/lefcha/imapfilter/commit/7c9f8ef44da5d79065804a02d4d3ba59e526a0fd commit, tries to be more flexible when loading certs from the default CA file and path. Thanks!