I use Offlineimap to download mails from various accounts
to my machine where. After my last Debian upgrade, when running
offlineimap, I got the following error for one of my accounts:
Establishing connection to imap.redacted.ch:993 (redacted-Remote) ERROR: Unknown SSL protocol connecting to host 'imap.redacted.ch' for repository 'redacted-Remote'. OpenSSL responded: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727) ERROR: Exceptions occurred during the run!
If you have the following error, let me save you some time with your
favorite search engine: The reason is that "newer" versions of OpenSSL
fend of a TLS attack called FREAK (Factoring RSA Export Keys). When
you get this openimap error, it means that you're encrypting the
connection to your mail server with TLS whilst using a key smaller
than 768 bytes. This connection can be attacked and is therefore
considered unsafe. That's why OpenSSL will terminate this connection
by default instead of trusting it. Read more about this attack on a
blog post on openssl.org from 2015.
If you own the mail server yourself or have some kind of authority over it, please don't use the workaround I'm proposing here, but upgrade your mail servers security. As mentioned above, OpenSSL wrote about and fixed this issue in 2015 - so it's about time for sysadmins to follow up on this.
In my case, I
don't have authority over the mail server in question (it is an
Outlook server of a big corporation). If you're in the same boat, the
'fix' is simple: Ignore the error by falling back to an old
authentication scheme tls1_2. For that, open your .offlineimaprc
configuration file, go to the section [Repository yourServer-Remote]
and add a line ssl_version=tls1_2. The full entry will look like this:
[Repository redacted-Remote] type = IMAP remotehost = imap.redacted.ch remoteuser = me@redacted.ch remotepass = ... ssl_version=tls1_2 [more customizations]
Good luck and enjoy reading mails from insecure servers^^
If you're curious about my mail setup, let me elaborate a little on that: After downloading emails with Offlineimap, I read and answer them using Mu4e and Emacs. This is by far the best email setup that I have worked with in 20 years of using email on a daily basis. You can find my Mu4e Emacs configuration here: https://github.com/munen/emacs.d/#mail
