European Open Root Server Network

Fix Kmail IMAP SSL Storm in Gentoo / Ubuntu

Symptoms

After a while (minutes) KMail (respectively akonadi_imap_resource which belongs to the ebuild kdepim-runtime) starts pounding the imaps (IMAP over SSL/TLS) service. In my IMAP log (cyrus imapd) I see Matrix-style messages these:

[..]
Jan 21 17:05:24 atlantis imaps[1626]: accepted connection
Jan 21 17:05:24 atlantis imaps[1626]: SSL_accept() incomplete -> wait
Jan 21 17:05:24 atlantis imaps[58466]: accepted connection
Jan 21 17:05:24 atlantis imaps[1627]: accepted connection
Jan 21 17:05:24 atlantis imaps[1628]: SSL_accept() succeeded -> done
Jan 21 17:05:24 atlantis imaps[58466]: SSL_accept() incomplete -> wait
Jan 21 17:05:24 atlantis imaps[1625]: accepted connection
Jan 21 17:05:24 atlantis imaps[1626]: SSL_accept() succeeded -> done
[..]

On the client side you may notice remarkable traffic "backgroundnoise". I had a constant 500kbit/s just from these handshakes.

Problem

The Akonadi-resource seems to have a problem with the SSL/TLS fallback. See KDE Bug 316840 .

Solution

It's said to be fixed in KDE 4.12.0

Fix for Versions < 4.12.0 in Gentoo

Create a user patch from the patch provided by Christian Mollekopf for the ebuild of kdepimlibs (kdepimlibs-4.11.2-r1 at the time of writing):

# mkdir -p /etc/portage/patches/kde-base/kdepimlibs-4.11.2-r1
# wget -0 /etc/portage/patches/kde-base/kdepimlibs-4.11.2-r1/imap-ssl-storm.patch http://bugsfiles.kde.org/attachment.cgi?id=83637

and recompile kdepimlibs:

# emerge -1 kdepimlibs

Now stop KMail and akonadi:

$ akonadictl stop

As soon akonadi is gone, you can start KMail which now hopefully works and behaves as intended.

Important: If you include the version in the directory name, keep in mind to rename the directory of the patch any time the version of kdepim bumps until release 4.12 (where it should be fixed).

As an alternative you may save the patch in /etc/portage/patches/kde-base/kdepimlibs/ and emerge will try to apply the patch to any version you compile (including 4.12.x). So remember to remove it when no longer needed.

Fix for Versions < 4.12.0 in Ubuntu

We ned to patch the package kdepimlibs-kio-plugins (Version 4.11.3 in Saucy Salamander/13.10 at the time of writing):

Install the build tools:

# apt-get install build-essential

Get the source of the package and its build dependencies:

# apt-get build-dep kdepimlibs-kio-plugins
$ apt-get source kdepimlibs-kio-plugins

Get and apply the patch:

$ cd kdepimlibs-4.11.3/
$ wget -O imap-ssl-storm.patch http://bugsfiles.kde.org/attachment.cgi?id=83637
$ patch  -p1 < imap-ssl-storm.patch

Commit the changes to the package..

$ dpkg-source --commit

and build it.

$ dpkg-buildpackage

You can now install the package which has been generated:

$ cd ..
# dpkg -i  kdepimlibs-kio-plugins_4.11.3-0ubuntu0.1_amd64.deb