Useful information
- Useful information
- Timeout
- Load Balancing with HAProxy
- Dovecot behind HAProxy
- TLS SNI
- SNI config
- SNI check
- Protocol Secure
- Remove Service Version Information
- Add HTTP Response Headers Security
- TLS Secure
- Disable SSLv2/SSLv3 Protocols
- Disable weak Cipher Suites
- Disable RC4 CipherSuite
- Disable Anonymous CipherSuite
- Disable SSL Compression
- Set custom DH parameters
- Avoid certificates with Signature Algorithm: SHA1
- mail_uid,mail_gid
- dovecot 1.* (CentOS 5.*)
- dovecot 2.* (CentOS 6.*)
Timeout
(See the Timeout section)
Load Balancing with HAProxy
More information in the related topic: Dovecot behind HAProxy
Dovecot behind HAProxy
In this configuration HAProxy accepts incoming connections on port 1143 and forwards them to Dovecot on port 10143:
Configuration file /etc/dovecot/conf.d/10-master.conf:
haproxy_trusted_networks = 10.41.0.58/32
haproxy_timeout = 30
service imap-login {
  [...]
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
  [...]
}
The Dovecot configuration changes above are required so that the Dovecot access logs record the address of the client connecting through the proxy instead of the address of the proxy server.
After logging in over IMAP from the host 10.0.0.3 to the Dovecot server at 10.41.0.58, the logs should contain entries similar to the following:
Log file /var/log/haproxy/haproxy0.log:
Mar 13 23:41:18 localhost.localdomain haproxy-1.8[3670]: ::ffff:10.0.0.3:58083 [13/Mar/2018:23:41:16.013] public_imap bknd_cen060x64_imap/host_cen060x64 1/1/2858 4393 -- 1/1/0/0/0 0/0
Log file /var/log/mail/mail.log:
Mar 13 23:41:16 cen06x64 dovecot: imap-login: Login: user=<admin@cen06x64.xen.wbcd.pl>, method=PLAIN, rip=::ffff:10.0.0.3, lip=::ffff:10.41.0.58, mpid=8423, TLS, session=<uYPe9FJn4+IAAAAAAAAAAAAA//8KAAAD>
Mar 13 23:41:18 cen06x64 dovecot: imap(admin@cen06x64.xen.wbcd.pl): Logged out in=236 out=2493
For comparison, below is what should appear in the logs when HAProxy connects to Dovecot on port 143 (the Dovecot logs will then show the address of the HAProxy server as the client IP address):
Log file /var/log/haproxy/haproxy0.log:
Mar 13 23:41:26 localhost.localdomain haproxy-1.8[3670]: ::ffff:10.0.0.3:57746 [13/Mar/2018:23:41:23.872] public_imap2 bknd_cen060x64_imap2/host_cen060x64 1/145/2412 4393 -- 1/1/0/0/0 0/0
Log file /var/log/mail/mail.log:
Mar 13 23:41:24 cen06x64 dovecot: imap-login: Login: user=<admin@cen06x64.xen.wbcd.pl>, method=PLAIN, rip=10.41.0.58, lip=10.41.0.58, mpid=8429, TLS, session=<SEJW9VJna+cKKQAj>
Mar 13 23:41:26 cen06x64 dovecot: imap(admin@cen06x64.xen.wbcd.pl): Logged out in=236 out=2493
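The following check is an added example, not part of the original page: it reads Dovecot login lines and separates sessions whose rip is a real client from sessions whose rip lies inside haproxy_trusted_networks, which means the proxy address was logged and per-client rate limiting or attribution based on rip would not work. The function names are illustrative; the sample input is the two imap-login lines shown above.

```python
import ipaddress
import re

# Sample input: the two imap-login lines from /var/log/mail/mail.log above.
SAMPLE_LOG = """\
Mar 13 23:41:16 cen06x64 dovecot: imap-login: Login: user=<admin@cen06x64.xen.wbcd.pl>, method=PLAIN, rip=::ffff:10.0.0.3, lip=::ffff:10.41.0.58, mpid=8423, TLS, session=<uYPe9FJn4+IAAAAAAAAAAAAA//8KAAAD>
Mar 13 23:41:24 cen06x64 dovecot: imap-login: Login: user=<admin@cen06x64.xen.wbcd.pl>, method=PLAIN, rip=10.41.0.58, lip=10.41.0.58, mpid=8429, TLS, session=<SEJW9VJna+cKKQAj>
"""

# Same value as haproxy_trusted_networks in 10-master.conf.
PROXY_NETWORKS = ["10.41.0.58/32"]

LOGIN_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+-login): Login: user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)"
)


def normalize(addr):
    """Return an ip_address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def audit(log_text, proxy_networks):
    """Split login events into 'visible' (client IP logged) and 'masked'
    (rip is one of the proxy addresses, so the client is unknown)."""
    nets = [ipaddress.ip_network(n) for n in proxy_networks]
    result = {"visible": [], "masked": []}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m is None:
            continue  # not a login line (e.g. "Logged out")
        try:
            rip = normalize(m.group("rip"))
            lip = normalize(m.group("lip"))
        except ValueError:
            continue  # malformed address field, skip the line
        event = {
            "service": m.group("service"),
            "user": m.group("user"),
            "rip": str(rip),
            "lip": str(lip),
        }
        # Membership is False when address and network versions differ.
        masked = any(rip in net for net in nets)
        result["masked" if masked else "visible"].append(event)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, PROXY_NETWORKS)
    for kind in ("visible", "masked"):
        for ev in report[kind]:
            print(f"{kind:8} {ev['service']} user={ev['user']} rip={ev['rip']}")
```
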
TLS SNI
Dovecot documentation: Multiple SSL certificates (Dovecot 1.*) | Multiple SSL certificates (Dovecot 2.*)
Dovecot documentation: TLS SNI (Server Name Indication) support (Dovecot 1.*) | TLS SNI (Server Name Indication) support (Dovecot 2.*)
Dovecot documentation: TLS SNI Client Support (Dovecot 1.*) | TLS SNI Client Support (Dovecot 2.*)
Dovecot 1.*
Multiple SSL certificates
This requires v2.0.
With v1.x you need to use multiple instances with multiple configurations.
Dovecot 2.*
With client TLS SNI (Server Name Indication) support
It is important to note that having multiple SSL certificates per IP will not be compatible with all clients, especially mobile ones. It is a TLS SNI limitation. See SSL/SNIClientSupport for list of clients known to (not) support SNI.
According to the information above, serving multiple certificates with Dovecot 1.* requires running multiple instances of the Dovecot server. TLS SNI support is available in Dovecot from version 2.*.
SNI config
EXAMPLES
/etc/dovecot/conf.d/10-ssl.conf
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem
ssl_key = </etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem

local_name cen06x64a.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem
}

local_name cen06x64b.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem
}

local_name cen06x64c.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem
}
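The following model of the configuration above is an added example, not code from the original page or from Dovecot: it parses the local_name blocks, resolves which certificate file is served for a given SNI name, and lists certificate SAN names that would receive a different certificate. It assumes a local_name block matches only the exact name it lists, which is what the test output in the SNI check section of this page shows; the SAN lists are copied from that output, and the function names are illustrative.

```python
import re

# The 10-ssl.conf content shown above (comment header shortened).
CONF = """\
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem
ssl_key = </etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem
local_name cen06x64a.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem
}
local_name cen06x64b.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem
}
local_name cen06x64c.xen.wbcd.pl {
  ssl_cert = </etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem
  ssl_key = </etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem
}
"""

# SAN DNS names per certificate, as printed by imapcmds on this page.
SANS = {
    "/etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem": [
        "cen06x64a.xen.wbcd.pl", "cen06x64a1.xen.wbcd.pl",
        "cen06x64a2.xen.wbcd.pl", "cen06x64a3.xen.wbcd.pl",
    ],
    "/etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem": [
        "cen06x64b.xen.wbcd.pl", "cen06x64b1.xen.wbcd.pl",
        "cen06x64b2.xen.wbcd.pl", "cen06x64b3.xen.wbcd.pl",
    ],
}

BLOCK_RE = re.compile(r"local_name\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}")
CERT_RE = re.compile(r"^\s*ssl_cert\s*=\s*<\s*(\S+)", re.M)


def parse_ssl_conf(text):
    """Return (default_cert, {sni_name: cert}) from a 10-ssl.conf text."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop commented-out settings
    by_name = {}

    def collect(match):
        cert = CERT_RE.search(match.group("body"))
        if cert:
            by_name[match.group("name").lower()] = cert.group(1)
        return ""  # remove the block so only global settings remain

    rest = BLOCK_RE.sub(collect, text)
    default = CERT_RE.search(rest)
    return (default.group(1) if default else None), by_name


def select_cert(sni, default, by_name):
    """Certificate served for an SNI name (assumption: exact match only)."""
    if not sni:
        return default  # client sent no SNI extension
    return by_name.get(sni.lower().rstrip("."), default)


def uncovered_sans(default, by_name, sans):
    """SAN names whose SNI value would be answered with another cert."""
    gaps = []
    for cert, names in sans.items():
        for name in names:
            served = select_cert(name, default, by_name)
            if served != cert:
                gaps.append((name, cert, served))
    return gaps


if __name__ == "__main__":
    default, by_name = parse_ssl_conf(CONF)
    for name, cert, served in uncovered_sans(default, by_name, SANS):
        print(f"{name}: listed in {cert}, server would send {served}")
```

Each SAN name that clients are expected to use needs its own local_name block pointing at the certificate that carries it; otherwise the client receives the default certificate and hostname verification fails.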
SNI check
TLS SNI support in Dovecot was tested with the imapcmds tool and its --SNI option, whose argument was set in turn to each of the domains present in the certificates configured in the local_name blocks that handle SSL connections.
imapcmds --syserrors -w 5 --half-open --SNI=localhost --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 9E:75:C7:62:18:2D:C1:FE:BD:44:C6:20:42:71:7C:03:13:79:EB:A3:6D:46:61:87:08:76:B2:43:69:E7:6A:D3
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 3e45b36cea4255ec24bb5d39
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'localhost'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191571086 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.187, auth=0.000, quit=0.001, comm=0.001, summ=0.492, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 66:A4:75:8A:CC:84:70:21:08:76:86:7E:29:43:0A:3F:CE:BA:D0:7F:6B:68:29:1B:A0:69:77:DF:A7:BB:20:40
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 0f574397eeb34c6a8bcd1212
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate match 'cen06x64.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570973 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.049, bann=0.000, starttls=0.001, socktls=0.184, auth=0.000, quit=0.004, comm=0.001, summ=0.642, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64a.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 1D:16:AE:B2:A7:24:C8:03:54:C3:1F:38:E1:C2:D9:0D:AA:AA:60:AB:59:DA:89:49:96:AF:7A:08:AE:FC:1B:D2
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA1
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 9861f1a7c2d10bcb26008651
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate match 'cen06x64a.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not Before: 2016/10/22 15:19:08
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not After : 2017/10/22 15:19:08
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Cert expired days -136 [d] (11754284 [s]))
imapcmds: CERT[0]:VERIFY: X509v3 Subject Alternative Name: (not critical)
imapcmds: CERT[0]:VERIFY: DNSname: cen06x64a.xen.wbcd.pl, DNSname: cen06x64a1.xen.wbcd.pl, DNSname: cen06x64a2.xen.wbcd.pl, DNSname: cen06x64a3.xen.wbcd.pl,
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
imapcmds: X.509: Signature Algorithm: RSA-SHA256
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Validity: Not Before: 2016/10/22 15:19:08
imapcmds: X.509: Validity: Not After : 2017/10/22 15:19:08
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64a.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64a1.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64a2.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64a3.xen.wbcd.pl
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:TRUE
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: 1a5cce486a4a17011bff569faca1ea92
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: f7c43368b465380de6dce2927aeb8eafdbf8c217
imapcmds: X.509: Extensions: Other Information: Public Key Id: 6c48de9abfe7b2e36010176f97cf7d1fea386058
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.128, auth=0.000, quit=0.001, comm=0.004, summ=0.540, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64a1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: E9:F2:44:9B:F5:90:B0:84:9A:33:16:B8:72:60:4B:2C:90:40:93:62:40:5F:82:30:A6:FD:1B:68:99:6F:5A:CA
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': d1d767bf30caf085ab849c4f
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64a1.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570940 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.181, auth=0.000, quit=0.002, comm=0.001, summ=0.641, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64a2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 43:65:25:BA:0F:F6:05:4C:F9:73:9D:48:54:90:23:4D:25:A9:90:9F:80:F8:AF:2B:0A:A7:15:41:E1:FA:6A:B6
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': dd51f482411920ed81d04b6b
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64a2.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570926 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.203, auth=0.000, quit=0.001, comm=0.001, summ=0.592, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64a3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: D2:44:73:E5:3F:7F:05:A3:79:7E:08:BD:DB:D2:BF:08:5D:AA:07:4B:60:17:C1:55:D7:C6:6E:ED:C0:7F:CF:74
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 38f57604b5f32be0e01c6de2
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64a3.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570912 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.203, auth=0.000, quit=0.001, comm=0.001, summ=0.533, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64b.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 60:86:3F:D6:DF:AF:A1:04:50:BC:79:B4:B8:4C:25:9B:54:5D:FE:9E:07:9E:47:46:04:9C:9F:12:8A:D1:74:EC
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA1
imapcmds: TLS:LAYER: Channel binding 'tls-unique': b3650d1b99039477cf87187c
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate match 'cen06x64b.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not Before: 2016/10/22 15:19:11
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not After : 2017/10/22 15:19:11
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Cert expired days -136 [d] (11754339 [s]))
imapcmds: CERT[0]:VERIFY: X509v3 Subject Alternative Name: (not critical)
imapcmds: CERT[0]:VERIFY: DNSname: cen06x64b.xen.wbcd.pl, DNSname: cen06x64b1.xen.wbcd.pl, DNSname: cen06x64b2.xen.wbcd.pl, DNSname: cen06x64b3.xen.wbcd.pl,
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
imapcmds: X.509: Signature Algorithm: RSA-SHA256
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Validity: Not Before: 2016/10/22 15:19:11
imapcmds: X.509: Validity: Not After : 2017/10/22 15:19:11
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64b.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64b1.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64b2.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64b3.xen.wbcd.pl
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:TRUE
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: 1db22bfd4327c1e1f37c327e9a96c715
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: f161f7706787e83d517333f855e8fd25114f3a52
imapcmds: X.509: Extensions: Other Information: Public Key Id: 3660ac9d4c5a6a61d50b275b3c43edc13b3211c7
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.226, auth=0.000, quit=0.002, comm=0.001, summ=0.500, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64b1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 7A:6A:93:82:8B:FB:91:C5:29:13:6A:A3:1B:6C:32:4F:96:7A:3A:14:A0:64:C4:D0:39:DA:7F:69:ED:A4:4B:3D
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 3ff2cffca1928c2130e8d121
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64b1.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570877 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.186, auth=0.000, quit=0.001, comm=0.001, summ=0.552, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64b2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 76:88:A3:C7:A7:81:BB:E4:7E:98:FA:BD:40:F6:A8:57:22:BA:8A:8C:F8:18:8F:19:AC:8A:3A:1C:25:F9:CF:94
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 508c1955f2e02bf798374820
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64b2.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570804 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.002, socktls=0.188, auth=0.000, quit=0.002, comm=0.001, summ=0.636, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64b3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: C8:6F:57:DB:A1:E8:8E:2D:2F:97:F1:72:39:84:CE:17:93:78:EE:20:08:27:40:08:87:DD:D6:7D:D4:99:D3:3C
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': fbdf4f990a7f85f93bef16c9
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64b3.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570791 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.002, socktls=0.209, auth=0.000, quit=0.001, comm=0.002, summ=0.537, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64c.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: B1:F5:9B:2C:37:45:BE:46:FA:70:52:A1:CB:46:C1:33:D7:35:F3:19:8D:C2:CC:15:91:F8:B1:C5:8B:B0:BE:A5
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA1
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 0ab33fbfa1d961ae12b3883e
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate match 'cen06x64c.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not Before: 2016/10/22 15:19:13
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not After : 2017/10/22 15:19:13
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Cert expired days -136 [d] (11754459 [s]))
imapcmds: CERT[0]:VERIFY: X509v3 Subject Alternative Name: (not critical)
imapcmds: CERT[0]:VERIFY: DNSname: cen06x64c.xen.wbcd.pl, DNSname: cen06x64c1.xen.wbcd.pl, DNSname: cen06x64c2.xen.wbcd.pl, DNSname: cen06x64c3.xen.wbcd.pl,
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
imapcmds: X.509: Signature Algorithm: RSA-SHA256
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Validity: Not Before: 2016/10/22 15:19:13
imapcmds: X.509: Validity: Not After : 2017/10/22 15:19:13
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64c.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64c1.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64c2.xen.wbcd.pl
imapcmds: X.509: Extensions: Subject Alternative Name: (not critical) DNSname: cen06x64c3.xen.wbcd.pl
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:TRUE
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: 72db0baf6df9351e770d829a4928f8c7
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: f021c346ede355b729cc4376c013e2c29a10e473
imapcmds: X.509: Extensions: Other Information: Public Key Id: a1d0f0fe5bb9cff07136e2392c7a601723bfb879
imap://10.41.0.58:143/ dnsq=0.000, conn=0.002, bann=0.000, starttls=0.001, socktls=0.131, auth=0.000, quit=0.001, comm=0.002, summ=0.477, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64c1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 39:60:E7:82:85:8F:71:E7:73:E3:3A:B8:8D:8C:6B:36:EE:82:6C:00:72:75:21:17:12:93:7A:30:4D:3D:AD:DF
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 2b5a35e1a38d8149f7d48293
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64c1.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570764 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.199, auth=0.000, quit=0.001, comm=0.001, summ=0.603, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64c2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: 8B:18:D7:B1:F2:A7:6E:0E:27:EB:15:45:7D:2A:0D:6C:65:E6:55:36:5F:76:A3:54:6F:64:73:BE:74:E5:77:41
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 492aca1b95978dffca552fbc
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64c2.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570751 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.189, auth=0.000, quit=0.001, comm=0.001, summ=0.461, result=0:DONE OK Logout completed.
imapcmds --syserrors -w 5 --half-open --SNI=cen06x64c3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: Resolving 10.41.0.58 ... 10.41.0.58 Success
imapcmds: Connecting to 10.41.0.58[10.41.0.58]:143 ... Success
imapcmds: TLS:LAYER: Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP384R1)-(AES-256-GCM)-(AEAD)
imapcmds: TLS:LAYER: Session ID: D5:E1:0A:0E:6A:70:D8:C4:A0:E5:5F:E3:4C:CC:24:01:0C:35:D0:C3:C4:28:5B:2B:67:E7:EA:D5:15:22:B4:F3
imapcmds: TLS:LAYER: Ephemeral EC Diffie-Hellman parameters
imapcmds: TLS:LAYER: Using curve: SECP384R1
imapcmds: TLS:LAYER: Curve size: 384 bits
imapcmds: TLS:LAYER: Cipher Suite: ECDHE_RSA_AES_256_GCM_SHA384
imapcmds: TLS:LAYER: Version: TLS1.2
imapcmds: TLS:LAYER: Key Exchange: ECDHE-RSA
imapcmds: TLS:LAYER: Cipher: AES-256-GCM
imapcmds: TLS:LAYER: MAC: AEAD
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: TLS:LAYER: Channel binding 'tls-unique': 277a88802c06eaedb6aa1d95
imapcmds: CERT:VERIFY: Peer's certificate issuer is unknown
imapcmds: CERT:VERIFY: Peer's certificate is NOT trusted
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64c3.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not Before: 2014/04/04 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Cert expire after 2217 [d] (191570739 [s]))
imapcmds: X.509: Version: 3
imapcmds: X.509: Serial Number (hex): 0A
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Validity: Not Before: 2014/04/04 22:33:09
imapcmds: X.509: Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
imapcmds: X.509: Extensions: Basic Constraints: (not critical) CA:FALSE
imapcmds: X.509: Extensions: Key usage: (not critical) Digital signature.
imapcmds: X.509: Extensions: Key usage: (not critical) Key encipherment.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Server.
imapcmds: X.509: Extensions: Key purpose OIDs:(not critical) TLS WWW Client.
imapcmds: X.509: Extensions: Other Information: MD5 fingerprint: f319a7e502fc326c5f5d5714015cf52b
imapcmds: X.509: Extensions: Other Information: SHA-1 fingerprint: dd12d6735c1e4c42570f1d58b687457f90403c5e
imapcmds: X.509: Extensions: Other Information: Public Key Id: f060fc3fc9ff5616ba3f8d81fe279acea3b2ae0a
imap://10.41.0.58:143/ dnsq=0.000, conn=0.001, bann=0.000, starttls=0.001, socktls=0.261, auth=0.000, quit=0.001, comm=0.002, summ=0.602, result=0:DONE OK Logout completed.
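The SNI runs above can be triaged mechanically: which certificate was served for each SNI name, and whether it shows a hostname mismatch, a failed validity-date check, a SHA-1 certificate signature, an issuer identical to the subject, or TLS compression. The Python sketch below is an added example, not part of the original page or of imapcmds; the function names are hypothetical and the sample is constructed by abridging three of the runs shown above.

```python
import re
from collections import defaultdict

# Constructed sample: three of the runs above, abridged to the lines the audit reads
# (command-line flags shortened as well).
SAMPLE_OUTPUT = r"""
imapcmds --SNI=cen06x64b1.xen.wbcd.pl --starttls --tlsinfo --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64b1.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
imapcmds --SNI=cen06x64c.xen.wbcd.pl --starttls --tlsinfo --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA1
imapcmds: CERT[0]:VERIFY: The hostname in the certificate match 'cen06x64c.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: CERT:DATE:CRIT Validity: Not After : 2017/10/22 15:19:13
imapcmds: X.509: Signature Algorithm: RSA-SHA256
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
imapcmds --SNI=cen06x64c1.xen.wbcd.pl --starttls --tlsinfo --certverify --certinfo noop imap://10.41.0.58:143/
imapcmds: TLS:LAYER: Compression: NULL
imapcmds: TLS:LAYER: Server Signature: RSA-SHA256
imapcmds: CERT[0]:VERIFY: The hostname in the certificate does NOT match 'cen06x64c1.xen.wbcd.pl'
imapcmds: CERT[0]:VERIFY: CERT:DATE:OK Validity: Not After : 2024/04/01 22:33:09
imapcmds: X.509: Signature Algorithm: RSA-SHA1
imapcmds: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
imapcmds: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
""".strip()

# One pattern per field. "Server Signature" (the handshake signature) is deliberately
# not read as the certificate's signature algorithm.
FIELDS = {
    "compression": re.compile(r"TLS:LAYER: Compression: (\S+)"),
    "hostname": re.compile(r"CERT\[0\]:VERIFY: The hostname in the certificate (does NOT match|match) '"),
    "date": re.compile(r"CERT\[0\]:VERIFY: CERT:DATE:(\w+) "),
    "sigalg": re.compile(r"X\.509: Signature Algorithm: (\S+)"),
    "issuer": re.compile(r"X\.509: Issuer : (.+)"),
    "subject": re.compile(r"X\.509: Subject: (.+)"),
}


def parse_runs(text):
    """Split the text into runs (one per command line) and collect the fields of each."""
    runs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("imapcmds --"):          # command line starts a new run
            m = re.search(r"--SNI=(\S+)", line)
            current = {"sni": m.group(1) if m else None}
            runs.append(current)
            continue
        if current is None:
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and key not in current:             # keep the first occurrence
                current[key] = m.group(1).strip()
    return runs


def cn_of(dn):
    """Extract the CN from a comma-separated DN, honouring backslash-escaped commas."""
    m = re.search(r"(?:^|,)CN=((?:\\.|[^,])*)", dn or "")
    return m.group(1) if m else None


def findings(run):
    """Flag weaknesses; missing hostname, date or compression lines count as failures."""
    out = []
    if run.get("hostname") != "match":
        out.append("hostname-mismatch")
    if run.get("date") != "OK":
        out.append("validity-check-failed")
    if run.get("sigalg", "").upper().endswith("SHA1"):
        out.append("sha1-signature")
    if run.get("issuer") and run.get("issuer") == run.get("subject"):
        out.append("self-issued")
    if run.get("compression") != "NULL":
        out.append("tls-compression")
    return out


def audit(text):
    """Return (sni, served certificate CN, findings) for every run."""
    return [(r["sni"], cn_of(r.get("subject")), findings(r)) for r in parse_runs(text)]


def names_by_certificate(results):
    """Group SNI names by the CN of the certificate the server answered with."""
    groups = defaultdict(list)
    for sni, cn, _ in results:
        groups[cn].append(sni)
    return dict(groups)


if __name__ == "__main__":
    for sni, cn, flags in audit(SAMPLE_OUTPUT):
        print(f"{sni:28} -> {cn:24} {', '.join(flags) or 'ok'}")
```

In the runs above, cen06x64c1.xen.wbcd.pl is listed as a Subject Alternative Name of the cen06x64c certificate, yet the server answers that SNI name with the default certificate; the grouping makes this visible at a glance.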
#top Protocol Secure¶
See also Protocol Secure for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Protocol Secure for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Protocol Secure for: pgpool | PostgreSQL | MySQL | Firebird
#top Remove Service Version Information¶
See also Remove Service Version Information for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Remove Service Version Information for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Remove Service Version Information for: pgpool | PostgreSQL | MySQL | Firebird
(See the Banner section)
#top Add HTTP Response Headers Security¶
See also Add HTTP Response Headers Security for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Add HTTP Response Headers Security for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Add HTTP Response Headers Security for: pgpool | PostgreSQL | MySQL | Firebird
Not applicable! The recommended configuration applies to servers that handle the HTTP protocol.
#top TLS Secure¶
See also TLS Secure for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also TLS Secure for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also TLS Secure for: pgpool | PostgreSQL | MySQL | Firebird
#top Disable SSLv2/SSLv3 Protocols¶
See also Disable SSLv2/SSLv3 Protocols for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable SSLv2/SSLv3 Protocols for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable SSLv2/SSLv3 Protocols for: pgpool | PostgreSQL | MySQL | Firebird
(See the TLS Protocols section)
Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566)
Vulnerability Summary for CVE-2014-3566
#top Disable weak Cipher Suites¶
See also Disable weak Cipher Suites for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable weak Cipher Suites for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable weak Cipher Suites for: pgpool | PostgreSQL | MySQL | Firebird
(See the TLS CipherSuite section)
MITRE CVE dictionary (CVE-2015-2808)
Vulnerability Summary for CVE-2015-2808
Ivan Ristic Mitigating the BEAST attack on TLS
#top Disable RC4 CipherSuite¶
See also Disable RC4 CipherSuite for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable RC4 CipherSuite for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable RC4 CipherSuite for: pgpool | PostgreSQL | MySQL | Firebird
More information in the related topic: Disable weak Cipher Suites
#top Disable Anonymous CipherSuite¶
See also Disable Anonymous CipherSuite for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable Anonymous CipherSuite for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable Anonymous CipherSuite for: pgpool | PostgreSQL | MySQL | Firebird
More information in the related topic: Disable weak Cipher Suites
#top Disable SSL Compression¶
See also Disable SSL Compression for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable SSL Compression for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable SSL Compression for: pgpool | PostgreSQL | MySQL | Firebird
(See the TLS Compression section)
The CRIME attack uses SSL Compression
Bug 857051 - (CRIME, CVE-2012-4929) CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.
Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:
export OPENSSL_NO_DEFAULT_ZLIB=1
and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.
CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The MITRE CVE dictionary describes this issue as:
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.
Vulnerability Summary for CVE-2009-1891
#top Set custom DH parameters¶
See also Set custom DH parameters for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Set custom DH parameters for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Set custom DH parameters for: pgpool | PostgreSQL | MySQL | Firebird
(See the TLS Cert/Key File section)
#top Avoid certificates with Signature Algorithm: SHA1¶
See also Avoid certificates with Signature Algorithm: SHA1 for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Avoid certificates with Signature Algorithm: SHA1 for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Avoid certificates with Signature Algorithm: SHA1 for: pgpool | PostgreSQL | MySQL | Firebird
Mozilla plans to phase out support of SHA-1 hash algorithm
After Jan. 1, 2016, Firefox will present an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an "Untrusted Connection" error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.
SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.
Mozilla Security Blog
Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.
SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.
#top mail_uid,mail_gid¶
The configuration options mail_uid and mail_gid specify the uid and gid of the system user with whose privileges operations on the mailbox and on the messages in it are performed. The configuration options first_valid_uid and first_valid_gid specify the first valid uid and gid of a system user that may be used as the user and group identifier. By default, first_valid_gid is not restrictive and allows any gid to be used as the group identifier of a system user. The first_valid_uid option, by contrast, is somewhat more restrictive by default and does not allow a system user uid below 500, which can result in the following message appearing in the mail server logs:
Couldn't drop privileges: Mail access for users with UID 450 not permitted (see first_valid_uid in config file)
As the message indicates, check the configuration of the first_valid_uid option. The default value #first_valid_uid = 500 does not allow values lower than 500 to be used as mail_uid, so, depending on the Dovecot server version, set first_valid_uid in the appropriate file to the lowest value actually used as a uid.
#top dovecot 1.* (CentOS 5.*)¶
In Dovecot 1.* (CentOS 5.*) these options are in the file /etc/dovecot.conf:

    # System user and group used to access mails. If you use multiple, userdb
    # can override these by returning uid or gid fields. You can use either numbers
    # or names. <doc/wiki/UserIds.txt>
    #mail_uid =
    #mail_gid =
    mail_uid = 450
    mail_gid = 450

    # Valid UID range for users, defaults to 500 and above. This is mostly
    # to make sure that users can't log in as daemons or other system users.
    # Note that denying root logins is hardcoded to dovecot binary and can't
    # be done even if first_valid_uid is set to 0.
    #first_valid_uid = 500
    #last_valid_uid = 0
    first_valid_uid = 450

    # Valid GID range for users, defaults to non-root/wheel. Users having
    # non-valid GID as primary group ID aren't allowed to log in. If user
    # belongs to supplementary groups with non-valid GIDs, those groups are
    # not set.
    #first_valid_gid = 1
    #last_valid_gid = 0
#top dovecot 2.* (CentOS 6.*)¶
In Dovecot 2.* (CentOS 6.*) these options are in the file /etc/dovecot/conf.d/10-mail.conf:

    # System user and group used to access mails. If you use multiple, userdb
    # can override these by returning uid or gid fields. You can use either numbers
    # or names. <doc/wiki/UserIds.txt>
    #mail_uid =
    #mail_gid =
    mail_uid = 450
    mail_gid = 450

    # Valid UID range for users, defaults to 500 and above. This is mostly
    # to make sure that users can't log in as daemons or other system users.
    # Note that denying root logins is hardcoded to dovecot binary and can't
    # be done even if first_valid_uid is set to 0.
    #first_valid_uid = 500
    #last_valid_uid = 0
    first_valid_uid = 450

    # Valid GID range for users, defaults to non-root/wheel. Users having
    # non-valid GID as primary group ID aren't allowed to log in. If user
    # belongs to supplementary groups with non-valid GIDs, those groups are
    # not set.
    #first_valid_gid = 1
    #last_valid_gid = 0
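A check for the mail_uid / first_valid_uid mismatch described in this section, as an added example that is not part of the original page or of Dovecot: it parses a configuration text and reports whether a numeric mail_uid falls inside the first_valid_uid..last_valid_uid range. The function names and both sample configurations are constructed; it assumes mail_uid is the only UID in use and does not follow block nesting, include files or userdb overrides.

```python
import re

# Built-in defaults, taken from the commented lines in the config shown on this page.
DEFAULTS = {"first_valid_uid": 500, "last_valid_uid": 0}  # last = 0: no upper limit

# Constructed sample inputs: the failing state and the page's corrected state.
FAILING_CONF = """\
mail_uid = 450
mail_gid = 450
#first_valid_uid = 500
#last_valid_uid = 0
"""
FIXED_CONF = FAILING_CONF + "first_valid_uid = 450\n"


def parse_settings(conf_text):
    """Collect active `key = value` lines; commented lines are ignored, last one wins.
    Simplification: block nesting ({ ... }) and include files are not followed."""
    settings = {}
    for line in conf_text.splitlines():
        match = re.fullmatch(r"(\w+)\s*=\s*(.*)", line.split("#", 1)[0].strip())
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_mail_uid(conf_text):
    """Report whether the configured numeric mail_uid passes the valid-UID range."""
    s = parse_settings(conf_text)
    raw = s.get("mail_uid", "")
    if not raw.isdigit():
        return "unchecked: mail_uid is unset or a user name"
    uid = int(raw)
    first = int(s.get("first_valid_uid", DEFAULTS["first_valid_uid"]))
    last = int(s.get("last_valid_uid", DEFAULTS["last_valid_uid"]))
    if uid == 0:
        return "denied: root is refused regardless of first_valid_uid"
    if uid < first or (last != 0 and uid > last):
        return f"denied: UID {uid} is outside {first}..{last or 'unlimited'}"
    if first < uid:
        # Assumes mail_uid is the only UID in use (no userdb overrides).
        return f"permitted, but first_valid_uid={first} is lower than needed ({uid})"
    return "permitted"


if __name__ == "__main__":
    for name, conf in (("failing", FAILING_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", check_mail_uid(conf))
```

The third result ("permitted, but ...") flags a first_valid_uid set lower than the mail_uid in use, which admits more system UIDs than the configuration needs.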
Last modified: 2018/04/11 23:28:37 (6 years ago)