I use Offlineimap to download mails from various accounts to my machine where. After my last Debian upgrade, when running offlineimap, I got the following error for one of my accounts:
    Establishing connection to imap.redacted.ch:993 (redacted-Remote)
    ERROR: Unknown SSL protocol connecting to host 'imap.redacted.ch' for repository 'redacted-Remote'. OpenSSL responded:
    [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)
    *** Finished account 'redacted' in 0:00
    ERROR: Exceptions occurred during the run!
If you have this error, let me save you some time with your favorite search engine: The reason is that "newer" versions of OpenSSL fend off a TLS attack called FREAK (Factoring RSA Export Keys). When you get this offlineimap error, it means that you're encrypting the connection to your mail server with TLS whilst using a key smaller than 768 bytes. This connection can be attacked and is therefore considered unsafe. That's why OpenSSL will terminate this connection by default instead of trusting it. Read more about this attack in a blog post on openssl.org from 2015.
If you own the mail server yourself or have some kind of authority over it, please don't use the workaround I'm proposing here, but upgrade your mail server's security. As mentioned above, OpenSSL wrote about and fixed this issue in 2015, so it's about time for sysadmins to follow up on this.
In my case, I don't have authority over the mail server in question (it is an Outlook server of a big corporation). If you're in the same boat, the 'fix' is simple: Ignore the error by falling back to an old authentication scheme tls1_2. For that, open your .offlineimaprc configuration file, go to the section [Repository yourServer-Remote] and add a line ssl_version=tls1_2. The full entry will look like this:
    [Repository redacted-Remote]
    type = IMAP
    remotehost = imap.redacted.ch
    remoteuser = firstname.lastname@example.org
    remotepass = ...
    ssl_version=tls1_2
    [more customizations]
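A workaround like this is easy to forget once it is in place. The following added example (not part of the original post and not offlineimap's own code) reads offlineimap output and a .offlineimaprc and lists which repositories were rejected for a small DH key and which ones carry an ssl_version pin that should be retested later. The function names, the 'legacy-Remote' repository and imap.example.org are assumptions made up for the sample.

```python
import configparser
import re
# Constructed offlineimap output, in the shape of the error quoted above.
SAMPLE_LOG = """\
Establishing connection to imap.redacted.ch:993 (redacted-Remote)
ERROR: Unknown SSL protocol connecting to host 'imap.redacted.ch' for repository 'redacted-Remote'. OpenSSL responded:
[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)
"""

# Constructed .offlineimaprc; 'legacy-Remote' and imap.example.org are made-up names.
SAMPLE_RC = """\
[Repository redacted-Remote]
type = IMAP
remotehost = imap.redacted.ch

[Repository legacy-Remote]
type = IMAP
remotehost = imap.example.org
ssl_version = tls1_2
"""

ERR = re.compile(r"connecting to host '([^']+)' for repository '([^']+)'")

def weak_dh_repos(log_text):
    """Map repository -> host for each SSL error that OpenSSL blames on a small DH key."""
    hits, pending = {}, None
    for line in log_text.splitlines():
        m = ERR.search(line)
        if m:
            pending = (m.group(2), m.group(1))
        if "DH_KEY_TOO_SMALL" in line and pending:
            hits[pending[0]] = pending[1]
            pending = None
    return hits

def pinned_repos(rc_text):
    """Map repository -> ssl_version for each [Repository ...] section that sets it."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(rc_text)
    prefix = "Repository "
    return {s[len(prefix):]: cp.get(s, "ssl_version") for s in cp.sections()
            if s.startswith(prefix) and cp.has_option(s, "ssl_version")}

def audit(log_text, rc_text):
    """List (repository, finding) pairs so pinned workarounds are not forgotten."""
    weak, pinned = weak_dh_repos(log_text), pinned_repos(rc_text)
    rows = [(r, f"rejected: {weak[r]} offers a small DH key") for r in weak if r not in pinned]
    rows += [(r, f"pinned to {v}: retest without ssl_version later") for r, v in pinned.items()]
    return sorted(rows)
```

Call audit() with the text of a saved offlineimap run and the contents of your own .offlineimaprc to get the same list for your accounts.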
Good luck and enjoy reading mails from insecure servers^^
If you're curious about my mail setup, let me elaborate a little on that: After downloading emails with Offlineimap, I read and answer them using Mu4e and Emacs. This is by far the best email setup that I have worked with in 20 years of using email on a daily basis. You can find my Mu4e Emacs configuration here: https://github.com/munen/emacs.d/#mail