Issue 6562 in k9mail: Certificate error when no SSLv3 support on server.

[k9m...@googlecode.com]

Status: New
Owner: ----
Labels: Type-Defect Priority-Medium Product-k9mail

New issue 6562 by jeff.gus...@gmail.com: Certificate error when no SSLv3
support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

I turned off SSLv2 and SSLv3 in dovecot, but now I get a certificate error
in K-9

What steps will reproduce the problem?
1. Install dovecot server.
2. Remove SSLv3 support in the SSL/TLS configuration.
3. K-9 stops talking to IMAP server.

What do you expect to have happen?
K-9 should use TLS instead of SSLv3

What do you see instead?
Certificate error

What version of K-9 are you using?
v5.001

What is your device and what version of Android are you using?
Samsung Galaxy S5 with 4.4.2

Is your email account a POP account, Exchange Account or an IMAP account?
IMAP (dovecot server)


--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[k9m...@googlecode.com]

Comment #1 on issue 6562 by cointrav...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Same here with Nexus 5 and dovecot.
It does check for new emails though, just hope it's not doing it on
insecure connection.

[k9m...@googlecode.com]

Comment #2 on issue 6562 by cointrav...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

I get a similar error with default email client too.

[k9m...@googlecode.com]

Comment #3 on issue 6562 by scorp...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Same here. Galaxy Note 3 ... and it has stopped working since they
deactivated SSLv3 on the server side. My provider's instructions say that
TLS should be used instead ... but K9 doesn't seem to be able to handle
that and keeps trying SSLv3 handshakes ...?

Screenshot attached (sorry, it's in German).



Attachments:
tempFileForShare.jpg 525 KB

[k9m...@googlecode.com]

Comment #4 on issue 6562 by jsteele...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

The report from the original submitter and most of the subsequent comments
(except #3) lack any detail to be able to guess what the problem is. You
encountered a certificate error? What does the error say? Presuming the
error appeared in the notification bar: What happens when you click on the
error notification? (It should take you to the server settings.) What
happens when you tap "Next" on the server settings dialog?

Screenshots can sometimes be helpful. Regarding the screenshot in comment
#3:

(The following is a re-post of comment #4 from issue 6238. The user there
was also running dovecot.)

A handshake failure alert indicates that the server was unable to find an
acceptable set of security parameters given the options offered by K-9 Mail.

If you have access to OpenSSL (must be version 1.0.1 or higher, as used in
Android, and which supports TLS 1.2), then you could use it to test the
server's response using the same parameters as K-9 Mail. The (long) command
would be:

$ openssl s_client -no_ssl2 -cipher
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5
-connect <host>:<port>

If the server is using STARTTLS rather that SSL/TLS, then add " -starttls
imap" or " -starttls pop3" to the command.

A successful connection should print out the SSL-Session parameters used
and an initial server response.

If an error occurs (presumably the same error that K-9 Mail encountered),
then try again, but force TLS 1.0 only by adding " -no_tls1_1 -no_tls1_2"
to the command.

If that succeeds, then your problem is likely the same as in issue 6537
and issue 6519: the server is buggy and is not properly handling the TLS
negotiation.

However, if that command fails, try eliminating the cipher list:

$ openssl s_client -no_ssl2 -connect <host>:<port>

If that succeeds, then make note of what cipher was selected in the
SSL_Session parameters. It's likely the cipher is an insecure one which is
not made available in K-9 Mail.

Alternatively, you could identify the server and port/protocol used and
allow others to perform the tests for you. Any other details about the
server version or the SSL library version used could be helpful as well.

The fact that the alert message refers to sslv3 even when the server only
uses TLS is a red herring. That particular alert message was first
implemented in SSLv3 but is still applicable to TLS -- the OpenSSL library
chooses to call it an sslv3 alert in all instances.

[k9m...@googlecode.com]

Comment #5 on issue 6562 by jeff.gus...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

This is the only one that worked for me:

openssl s_client -tls1_2 -connect hostname:imaps

This did not:
openssl s_client -tls1_1 -connect hostname:imaps

Neither did:
openssl s_client -tls1 -connect hostname:imaps

This command only worked for postfix, but not dovecot:

openssl s_client -no_ssl2 -cipher
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5

-connect hostname:smtps

So it appears that dovecot is limiting something and therefore the
configuration is wrong in some way. Here is the config:

ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM



Attachments:
Screenshot_2014-10-21-15-07-15.png 215 KB

[k9m...@googlecode.com]

Comment #6 on issue 6562 by jeff.gus...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Works:
openssl s_client -debug -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 -connect
hostname:imaps

Does not work:
openssl s_client -debug -no_ssl2 -no_ssl3 -no_tls1_1 -no_tls1_2 -connect
hostname:imaps

Does not work:
openssl s_client -no_ssl2 -no_ssl3 -no_tls1_2 -no_tls1 -connect
hostname:imaps

So it appears that my dovecot config only accepts TLSv1.2, but K9 mail
doesn't like that. Can I dump out something more specific?

[k9m...@googlecode.com]

Comment #7 on issue 6562 by cointrav...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

I added this to my dovecot config as suggested everywhere

ssl_protocols = !SSLv3 !SSLv2

[k9m...@googlecode.com]

Comment #8 on issue 6562 by scorp...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Hi again (same guy as in comment #3) ... The problem has all of a sudden
disappeared for me. This suggests that indeed there was a problem with my
provider's mail server?? K9 works tip top for me now and I haven't changed
anything on my side. /shrugs :)

[k9m...@googlecode.com]

Comment #9 on issue 6562 by fritz.mi...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

> What happens when you tap "Next" on the server settings dialog?

The inbox opens without any new e-mails and an status message is
shown "certificate error". If you tap that, you get back to step one.

[k9m...@googlecode.com]

Comment #10 on issue 6562 by jsteele...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Regarding comment #5:

> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM

Your cipher list is pretty restrictive and may not be what you intended:

> $ openssl ciphers
> -v 'ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM'
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256)
> Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)
> Mac=SHA384
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)
> Mac=SHA384
> DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256)
> Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256)
> Mac=AEAD
> DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256)
> Mac=SHA256
> DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256)
> Mac=SHA256
> ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256)
> Mac=AEAD
> ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH
> Enc=AESGCM(256) Mac=AEAD
> ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)
> Mac=SHA384
> ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
> Mac=SHA384
> AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256)
> Mac=AEAD
> AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)
> Mac=SHA256
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)
> Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)
> Mac=SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
> Mac=SHA256
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128)
> Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128)
> Mac=AEAD
> DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128)
> Mac=SHA256
> DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128)
> Mac=SHA256
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
> Mac=AEAD
> ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH
> Enc=AESGCM(128) Mac=AEAD
> ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)
> Mac=SHA256
> ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
> Mac=SHA256
> AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128)
> Mac=AEAD
> AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)
> Mac=SHA256

The list ends up being new cipher suites added to TLSv1.2. None of these
ciphers is available in Android 4.4 (API 19). They are available in
Android 5.0, but only about 8 of them are enabled by default:

http://developer.android.com/reference/javax/net/ssl/SSLSocket.html

In all likelihood, you don't want to disable *all* SSLv3 ciphers, but
instead want to disable the SSLv3 protocol, as mentioned in comment #7.

[k9m...@googlecode.com]

Comment #11 on issue 6562 by jeff.gus...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Oh, okay. I fixed it:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL


Now this works:

openssl s_client -no_ssl2 -cipher
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5

-connect hostname:imaps

and the rest of them also work:
Works:
openssl s_client -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 -connect
hostname:imaps
openssl s_client -no_ssl2 -no_ssl3 -no_tls1_1 -no_tls1_2 -connect
hostname:imaps

openssl s_client -no_ssl2 -no_ssl3 -no_tls1_2 -no_tls1 -connect
hostname:imaps

But K9 mail still does not like the configuration

[k9m...@googlecode.com]

Comment #12 on issue 6562 by cointrav...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

There is no more certificate warning after I changed incoming mail settings
from STARTTLS 145 to SSH/TLS 993

[k9m...@googlecode.com]

Comment #13 on issue 6562 by jsteele...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Regarding Comment #11:

> But K9 mail still does not like the configuration

Specifics, please. Is it the same error as in the screenshot of comment
#5? In other words -- "SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure"?

Without seeing the network traffic, I don't know what the server would see
as different between using the long openssl command with all the ciphers
versus what K-9 Mail is doing.

If you wish to provide a capture of the network traffic using tshark on the
server (included as part of the wireshark package):

# tshark -i eth0 -f 'port 993' -w tmp.pcap

(^C to end capture. Next, convert to text:)

# tshark -r tmp.pcap -V -d tcp.port==993,ssl -O ssl > packet-log.txt

Adjust the interface (-i), port (993), and output file (packet-log.txt) as
needed. Anonymize the file as desired (IP addresses, certificate data --
if any).

Two separate captures -- one using the long openssl command and one using
K-9 Mail -- might reveal what, if anything, is different.

[k9m...@googlecode.com]

Comment #14 on issue 6562 by Bernhard...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Hy guys,

i have the "same" issue on my SMTP server Exim4.82 with salsauthd using
gnutls.
With Exim4.72 i had absoloutely no problems, after upgrading to exim4.82 in
Ubuntu 14.04 my server prints that it was not able to negotiate a proper
TLS_Handshake_Chipher

I´ll provide logs from my server, and i will try to provide logcat output
from my Cyanogenmod M11 4.4.4 later.

Kind regards,
elrippo

[k9m...@googlecode.com]

Comment #15 on issue 6562 by lioxa...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Dovecot configuration "ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL" works
well with K9 5.001 on Android 4.1.
But "ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL" does not.
However Thunderbird works well with disabled SSLv3 cipher.

Following command does not work with disabled SSLv3 ciphers

openssl s_client -no_ssl2 -cipher
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:RC4-SHA:RC4-MD5

-connect hostname:smtps

However "openssl s_client -no_ssl2 -no_ssl3 -connect hostname:smtps" works
well with disabled SSLv3 ciphers. So, if i do not use any cipher then
openssl finds correct cipher. But if i use any cipher from your list and
server disables SSLv3 ciphers then there is not connection.

And there is not Dovecot problem. Exim with the same settings works in the
same way.

Server # openssl version
OpenSSL 1.0.1j 15 Oct 2014

It looks like using K9 is possible only if SSLv3 ciphers are supported by
server.

[k9m...@googlecode.com]

Comment #16 on issue 6562 by Bernhard...@gmail.com: Certificate error when

no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Hy guys,

so i can defenitely confirm that this is an K9 issue.
All other clients can live with TLSv1 support, K9 unfortunately can not.
The only possible connection to my exim4 server goes with
tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0

1.) So i can provide a scrennshot when trying to connect with smpt ->
please find the file attached.

2.) Please find attached the K9 error output when trying to send a mail via
smpt submission STARTTLS with LOGIN on port 587

K9-Mail version: 5.001
Device make: Sony
Device model: Xperia Z1 Compact
Android version: 4.4.4

com.fsck.k9.mail.CertificateValidationException: Connection closed by peer
at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:414)
at
com.fsck.k9.mail.transport.SmtpTransport.sendMessageTo(SmtpTransport.java:504)
at
com.fsck.k9.mail.transport.SmtpTransport.sendMessage(SmtpTransport.java:495)
at
com.fsck.k9.controller.MessagingController.sendPendingMessagesSynchronous(MessagingController.java:3563)
at
com.fsck.k9.controller.MessagingController$20.run(MessagingController.java:3314)
at
com.fsck.k9.controller.MessagingController.run(MessagingController.java:435)
at java.lang.Thread.run(Thread.java:841)
Caused by: javax.net.ssl.SSLException: Connection closed by peer
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native
Method)
at
com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
at
com.android.org.conscrypt.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:661)
at
com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:632)
at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:284)
... 6 more

Kind regards,
elrippo


Attachments:
Screenshot_2014-10-29-20-42-36.png 146 KB

[k9m...@googlecode.com]

Comment #17 on issue 6562 by volker.g...@googlemail.com: Certificate error

when no SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

For me works the:

openssl s_client -no_ssl2 -connect <host>:<port>

command, but how do I modify the openssl options in K9 mail?

[k9m...@googlecode.com]

Comment #18 on issue 6562 by gathe...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

I was able to replicate this behaviour when Dovecot used a 512-bit RSA
private key. Switching to a more secure one, such as one with 2048-bits
avoided the problem.

George

[k9m...@googlecode.com]

Comment #19 on issue 6562 by jropal...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

I am seeing the same problem when attempting to connect to a dovecot server
that has SSLv3 disabled from K9 4.804 on Cyanogenmod 7.

Add SSLv3 back to the server and K9 is fine again.

Later K9s (e.g., 5.002) also work fine to the same server when SSLv3 is
disabled.

Please can TLSv1.2 be added to the K9 4.8 branch so that this branch is no
longer dependent on SSLv3?

Many thanks.

[k9m...@googlecode.com]

Comment #20 on issue 6562 by roflt...@gmail.com: Certificate error when no

SSLv3 support on server.
https://code.google.com/p/k9mail/issues/detail?id=6562

Still seeing the same problem on Dovecot 2.2.13 and K-9 5.006.