[kdepim-users] Does anyone use KMail + Akonadi with perdition proxy server and does it actually work?

Martin Steigerwald ms at teamix.de
Tue Aug 13 13:22:58 BST 2013


Hi!

So I tried using KDEPIM 2 in the company as well, after people here told me that it works for them just fine with IMAP.

Sorry, if this sounds partly like a rant. But if you had seen what I had seen with KMail in our enterprise infrastructure, I bet you would feel like ranting too. I try to keep it reasonable still.



And I got basically a denial of service attack on our perdition proxy server that is located before our Zimbra server when I access it with two Akonadi IMAP clients (one laptop, one workstation).

Bug 322199 - akonadi_imap spams perdition log when two clients are active and gets restarted all the time
https://bugs.kde.org/322199

Bug 322200 - limit restarts of crashing resources
https://bugs.kde.org/322200


Does anyone use KMail + Akonadi with several clients and Perdition and does it work?


Today I tried to work around it by accessing our Zimbra server directly without the proxy from my workstation, but I did not find any way to make it accept the SSL certificate:

kio_http(4958)/kssl KTcpSocket::showSslErrors: "Der Name des Hosts ist keiner aus der Liste der für dieses Zertifikat gültigen Hosts"
kio_http(4959)/kssl KTcpSocket::showSslErrors: "Der Name des Hosts ist keiner aus der Liste der für dieses Zertifikat gültigen Hosts"
kio_http(4959)/kssl KTcpSocket::showSslErrors: "Das Zertifikat des Ausstellers eines lokal gefundenen Zertifikats kann nicht gefunden werden"
kio_http(4959)/kssl KTcpSocket::showSslErrors: "Das oberste Zertifikat der Zertifizierungsstelle ist für diesen Fall nicht vertrauenswürdig"
kio_http(4959)/kssl KTcpSocket::showSslErrors: "Keines der Zertifikate kann verifiziert werden"
kio_http(4959)/kssl KIO::TCPSlaveBase::TcpSlaveBasePrivate::startTLSInternal: Cipher info -   advertised SSL protocol version 32  negotiated SSL protocol version 32  authenticationMethod: "RSA"  encryptionMethod: "AES"  keyExchangeMethod: "ECDH"  name: "ECDHE-RSA-AES256-SHA384"  supportedBits: 256  usedBits: 256
kio_http(4958)/kssl KTcpSocket::showSslErrors: "Das Zertifikat des Ausstellers eines lokal gefundenen Zertifikats kann nicht gefunden werden"
kio_http(4958)/kssl KTcpSocket::showSslErrors: "Das oberste Zertifikat der Zertifizierungsstelle ist für diesen Fall nicht vertrauenswürdig"
kio_http(4958)/kssl KTcpSocket::showSslErrors: "Keines der Zertifikate kann verifiziert werden"

(in short: domain of certificate is outdated, domain was changed... still other clients allow to accept the certificate nonetheless.)


I added any and all PEM files from the Zimbra server in Systemsettings/SSL to no avail as it didn't ask me whether I still want to accept the certificate.


Then I tried a perdition proxy locally on my workstation so that each client uses another perdition instance.

Then Akonadi IMAP just hung on retrieving folder list.

That is with a perdition setup that worked just fine in Icedove.



Aside from that even in the case it basically worked - with one client at a time that is - KMail became unresponsive with "Retrieving folder/mail contents" message after a while.

KMail 1 worked with this setup.


At the moment KMail + Akonadi is not only almost unusable with our infrastructure, it's even dangerous to it. That's why an iptables rule on the proxy server blocks out IMAP access from my workstation. For a good reason that is.


Any hints and ideas?


I am even tired of reporting bugs if issues like the above perdition log spamming due to hundreds of thousands of Akonadi IMAP crashes and newly opened IMAP connections are considered "not a major bug". If almost all my other crash / correctness related bug reports have been ignored for now. I understand the situation, but currently at least for our infrastructure KMail + Akonadi are not even remotely enterprise ready.

To anyone telling me this is stable software that can just be set up like old KMail or Thunderbird or any other IMAP client and then it will just work... no it's not, at least not in general. It seems to work for some... but it doesn't seem to work with setups where KMail 1 just worked fine before.


It's just good that the Zimbra web client basically provides almost all the features I need. For reading and signing encrypted mails I think I will either set up Icedove or Claws Mail or maybe if it can do it: Trojitá.

Ciao,
-- 
Martin Steigerwald - teamix GmbH - http://www.teamix.de
gpg: 19E3 8D42 896F D004 08AC A0CA 1E10 C593 0399 AE90
_______________________________________________
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users