[SOLVED] POP3S: Auth for user failed!

gears · Post by **gears** » 18 Nov 2016, 21:49

Inbound pop mail fetch started failing today. I'm assuming something changed or was upgraded at the POP server that broke compatibility. Credentials have been confirmed working through a webmail portal which does list the emails OTRS is no longer able to fetch. Telnetting the server on pop3s port 995 from the OTRS system does establish a connection so network connectivity appears functional. An older post for a similar problem at viewtopic.php?t=22732 referenced replacing the POP3S fetch method with POP3TLS from github. Any input on that or suggestions would be appreciated. Thanks

[Fri Nov 18 09:36:02 2016][Error][Kernel::System::MailAccount::POP3S::_Fetch][154] POP3S: Auth for user ***** failed!

Backend ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri Nov 18 09:23:27 2016 Message: POP3S: Auth for user ***** failed! Traceback (21678): Module: Kernel::System::MailAccount::POP3S::_Fetch (v1.12) Line: 154 Module: Kernel::System::MailAccount::POP3S::Fetch (v1.12) Line: 106 Module: Kernel::System::MailAccount::MailAccountFetch (v1.16) Line: 386 Module: Kernel::Modules::AdminMailAccount::Run (v1.23) Line: 63 Module: Kernel::System::Web::InterfaceAgent::Run (v1.58.2.1) Line: 853 Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46 Module: (eval) (v1.89.2.1) Line: 204 Module: ModPerl::RegistryCooker::run (v1.89.2.1) Line: 204 Module: ModPerl::RegistryCooker::default_handler (v1.89.2.1) Line: 170 Module: ModPerl::Registry::handler (v1.99) Line: 31

OTRS 3.0.11
Debian 6.0.3 / Linux 2.6.32-5-amd64
Apache 2.2.16
mysql Ver 14.14 Distrib 5.1.49

/opt/otrs/bin# ./otrs.CheckModules.pl
o CGI............................ok (v3.50)
o Crypt::PasswdMD5...............ok (v1.3)
o CSS::Minifier..................ok (v0.01)
o Date::Format...................ok (v2.24)
o Date::Pcalc....................ok (v1.2)
o DBI............................ok (v1.612)
o DBD::mysql.....................ok (v4.016)
o Digest::MD5....................ok (v2.39)
o Digest::SHA::PurePerl..........ok (v5.48)
o Encode::HanExtra...............Not installed! (Optional - Required to handle mails with several Chinese character sets.)
o GD.............................ok (v2.39)
o GD::Text....................ok (v0.86)
o GD::Graph...................ok (v1.44)
o GD::Graph::lines............ok (v1.15)
o GD::Text::Align.............ok (v1.18)
o IO::Scalar.....................ok (v2.110)
o IO::Wrap.......................ok (v2.110)
o JavaScript::Minifier...........ok (v1.05)
o JSON...........................ok (v2.50)
o JSON::PP....................ok (v2.27103)
o JSON::XS....................ok (v2.29)
o LWP::UserAgent.................ok (v5.835)
o Mail::Internet.................ok (v2.07)
o Mail::POP3Client...............ok (v2.18 )
o IO::Socket::SSL.............ok (v1.33)
o MIME::Base64...................ok (v3.08)
o MIME::Tools....................ok (v5.428)
o ModPerl::Util..................ok (v2.000004)
o Apache::DBI.................ok (v1.09)
o Apache2::Reload.............ok (v0.11)
o Net::DNS.......................ok (v0.66)
o Net::POP3......................ok (v2.29)
o Net::IMAP::Simple..............ok (v1.2017)
o Net::IMAP::Simple::SSL......ok (v1.3)
o Net::SMTP......................ok (v2.31)
o Authen::SASL................ok (v2.15)
o Net::SMTP::SSL..............ok (v1.01)
o Net::SMTP::TLS::ButMaintainedok (v0.17)
o Net::LDAP......................ok (v0.4001)
o PDF::API2......................ok (v0.73)
o Compress::Zlib..............ok (v2.02)
o SOAP::Lite.....................Not installed! (Optional - Required for the SOAP interface.)
o Text::CSV......................ok (v1.21)
o Text::CSV_PP................ok (v1.29)
o Text::CSV_XS................Not installed! (Optional - Optional, install it for faster CSV handling.)
o XML::Parser....................ok (v2.36)

gears · Post by **gears** » 19 Nov 2016, 02:52

I see "OTRS can now fetch email also over POP3/TLS connections" in the 3.3 release notes. Will find out if we can make it through updating from 3.0.11 to 3.3 with the system intact and retry the fetch with pop3tls.

**Update #1** same problem with pop3s, pop3tls, imaps, or imaptls after upgrading to otrs 3.3.16. It's looking like this may be an underlying problem with the outdated Debian 6 rather than OTRS, openssl diagnostics are not giving the expected result testing either port 995 or 993 which the mail server is confirmed to be functional on with other clients at the same location.

:~# openssl s_client -verify -showcerts -connect *****.net:995
verify depth is 0
CONNECTED(00000003)
write:errno=104

# openssl s_client -msg -tls1 -verify -showcerts -connect ****.net:995
verify depth is 0
CONNECTED(00000003)
>>> TLS 1.0 Handshake [length 0050], ClientHello

<<< TLS 1.0 Handshake [length 0035], ServerHello

<<< TLS 1.0 Handshake [length 0cb3], Certificate

depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
>>> TLS 1.0 Alert [length 0002], fatal unknown_ca
02 30
2379:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:988:

UPDATE #2: POP3S is working again after updating from Debian 6.0.10 squeeze to 7.11 wheezy and OTRS 3.0.11 to 5.0.14. Fairly certain this was an OS key exchange problem unrelated to OTRS.