Dovecot STARTTLS fails using fetchmail

I currently try to get my own mail server up and running. So far everything seems fine as I am able to connect to this mailserver using thunderbird. The only thing I have to do is accepting my own (self-signed) certificate.

Now as everything seems to work I tried to integrate it into my local fetchmailrc to automatically sync my local mailbox with my mailserver. To do so I added the following lines to my fetchmailrc:

poll mail.rueckerlmail.com with proto IMAP uidl
user '[email protected]' there with password 'superSecretPassword' is 'sebastian' here with options keep sslproto TLS1

running the fetchmail services gives the following error messages:

Apr  2 13:59:40 sebastian-UX31A fetchmail[32760]: mail.rueckerlmail.com: upgrade to TLS failed.
Apr  2 13:59:40 sebastian-UX31A fetchmail[32760]: Unknown login or authentication error on [email protected]@mail.rueckerlmail.com
Apr  2 13:59:40 sebastian-UX31A fetchmail[32760]: socket error while fetching from [email protected]@mail.rueckerlmail.com
Apr  2 13:59:40 sebastian-UX31A fetchmail[32760]: Query status=2 (SOCKET)

Within the mail server this generates a disconnect as strattls could not be astablished:

Apr  2 11:47:58 guest-mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=91.23.79.47, lip=10.1.1.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<JIc9Z7wSpABbF08v>

Looking at the connetion establishment using wireshark just gives me that the severs sends a RST,ACK after fetchmail sent the first packet belonging to the strattls handshake (the first one that is kind of cryptic and not readable for humans).

I assume it is an issue with my fetchmail configuration as I am able to connect manually using openssl:

$ openssl s_client -starttls imap -connect mail.rueckerlmail.com:143
CONNECTED(00000003)
depth=0 C = DE, ST = Bayern, O = sebastianrueckerl.com, OU = mail, CN = sebastianrueckerl.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Bayern, O = sebastianrueckerl.com, OU = mail, CN = sebastianrueckerl.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
   i:/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGkDCCBHigAwIBAgIJAJHwjBRHNgfnMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
BAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xHjAcBgNVBAoMFXNlYmFzdGlhbnJ1ZWNr
ZXJsLmNvbTENMAsGA1UECwwEbWFpbDEeMBwGA1UEAwwVc2ViYXN0aWFucnVlY2tl
cmwuY29tMB4XDTE1MDMwMzE2NTcwMVoXDTE2MDMwMjE2NTcwMVowbTELMAkGA1UE
BhMCREUxDzANBgNVBAgMBkJheWVybjEeMBwGA1UECgwVc2ViYXN0aWFucnVlY2tl
cmwuY29tMQ0wCwYDVQQLDARtYWlsMR4wHAYDVQQDDBVzZWJhc3RpYW5ydWVja2Vy
bC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCYwTtLOuld1x9f
I2BSp3TkTllQSvIh7y82QuNCgyImv1Pa8PB0pcZTSjJvjETi0xNXt9UjpPU+488O
AfIWN/5A8FCg6RTgpas1HhzZkCXocVdQyNrhSpdl9v7+o7geftlrfKmwydq7/KVd
xpCglhXnVG4syr/K66/kWwD/l3zqLcJv+sewn9OPW6EGmG1AV3sls9sxlh+UFW++
/l6PUgzZ3kTJCWtUI16yPYs+vld5kGcxK8rvHKYq1mkOxYHiyuTOS9gcrfbBltol
x7mhMtF1d0qWzxj3JqtMtsUjmfByiMGpHRyEyef9V0nQCld9NKqY47Xcywb+ij01
9+fnldNgT+tunI464YtIZd+oR/JPF98FJQuZXvmQuHn7hnbSgeC1uK39gViOo4aS
OtiH8sXsnKcCboF6OIx7RDz33iWSHLflcRfULLqB7nd5cEu0F7D+lmqCbznEFBxQ
+S7Y8BxerMO8p3yikuyVKodkLP9GxcHeV5xg1xl2hI2Lh8HZDUlkRzAwbfDoNNe+
CH53Kk9eLaiW7GqIMNg2O76do53SWpjcOdDDrc3YDivkH5yun6ufCX42Q0Ma4a9t
b2OvvMyX1zpW+4z4J6xhmjMoiY4tla36mvsDTFjy6+7LgyCrJ5FtRRkd8kwOlx+w
yUmVpJgTNscG+7eugbLfADANZpWAGQIDAQABo4IBMTCCAS0wggEpBgNVHREEggEg
MIIBHIIVc2ViYXN0aWFucnVlY2tlcmwuY29tghptYWlsLnNlYmFzdGlhbnJ1ZWNr
ZXJsLmNvbYIWc2ViYXN0aWFuLXJ1ZWNrZXJsLmNvbYIbbWFpbC5zZWJhc3RpYW4t
cnVlY2tlcmwuY29tghRzZWJhc3RpYW5ydWVja2VybC5kZYIZbWFpbC5zZWJhc3Rp
YW5ydWVja2VybC5kZYIVc2ViYXN0aWFuLXJ1ZWNrZXJsLmRlghptYWlsLnNlYmFz
dGlhbi1ydWVja2VybC5kZYIPcnVlY2tlcmxtYWlsLmRlghRtYWlsLnJ1ZWNrZXJs
bWFpbC5kZYIQcnVlY2tlcmxtYWlsLmNvbYIVbWFpbC5ydWVja2VybG1haWwuY29t
MA0GCSqGSIb3DQEBCwUAA4ICAQBo7AAa4Ge6YyY/aoeaIO4RVPLXZq/GHiuj00Nr
71H+gElRhP/wF8u+0I3mSee89KUec7jrvILO4Xxa0ExGVk4QJyp/XYKvnxbvPV3B
7i/GIZ9q9n4UIQu0RfqyeVC/HgsK+9Gv2BGowVea53sx3KmsIrpMpNaVVb7IGg8w
/lNvQolwUllz5Q1C0fxbVYoGhh7I1JDaBzLXvrf/+A57J1fj8Pylm9rt+fDr6NoQ
YK/BE1/lYh2hjC6CeAtHo4+gHOzCyEaKQUOqqZV5gbwoFxmdxgUfxwrweIwOwavX
vGlE4vnUO1Vw86FFGrhoVFSdLlF8N3y15uEMIlADpxD4XOnw4cSyZEA/XtkkVG56
sABs1a+bixS3oN24tU06ZtXiwepBiaAD/ZcFwrYabwIIxTlqLRWhfsiEuvq4eEF6
nG1Z5t3zv00CxCFiMJefgREHh4F067i7dGJF/M/RD7bBm38lg5/+Oob32vMvS5jO
3Us1Mu8p2qZ+BbdSR8/vVe5JkYc4n3/gb7fivjB71c9vbbuIVrkQdU6/9dDwC1Qy
WYu2Z95yoAX4VAQJR7ONsPKeKnhsS0N60Muf4pfwL2WsLnBbbx4X4Z3u5hmtJLrg
vq+ZUGX/FlSbWf++Basxa365pejEK+rfkGeWfxOtRxhRou9MetvnkQVByDtfD/IZ
yN/oPA==
-----END CERTIFICATE-----
subject=/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
issuer=/C=DE/ST=Bayern/O=sebastianrueckerl.com/OU=mail/CN=sebastianrueckerl.com
---
No client certificate CA names sent
---
SSL handshake has read 3100 bytes and written 521 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: A3B45487475A4919A25987354D59EF4FBBC0AA6F93F56FB00B770AB20DE6CB21
    Session-ID-ctx: 
    Master-Key: B9906033114E2F90F1E2084E4BCFCE642E6E552829FC5104184BD87A979274D4F2E683154162E6E1F01BF1C421E8D2B0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ed 48 27 9b a3 4a 82 06-7c 3c 10 92 7e 41 42 e9   .H'..J..|<..~AB.
    0010 - 63 d9 8d 84 2e 94 4f 3d-fd 19 91 82 7b df 8c f8   c.....O=....{...
    0020 - dc 18 5a 2d 22 be be f7-d9 7c de 4b e2 e6 73 ae   ..Z-"....|.K..s.
    0030 - 19 87 bd b3 5e 0f c0 1b-b1 13 b6 bd 99 de 5b 81   ....^.........[.
    0040 - 23 c7 c2 2a ac 86 85 ef-66 cd 7b c0 b0 92 ae 6d   #..*....f.{....m
    0050 - ee 96 87 d5 d8 88 45 f9-03 59 ab af fa 06 cd bc   ......E..Y......
    0060 - fc 36 16 13 f1 4b 57 df-6e ac 49 d0 bd 9a 53 03   .6...KW.n.I...S.
    0070 - 16 8d c6 86 70 e0 36 b8-61 dc 16 8d 97 dc 9c b0   ....p.6.a.......
    0080 - 7f 7e ae 34 5e a5 89 51-4a 1c 36 c1 46 dd 70 5e   .~.4^..QJ.6.F.p^
    0090 - 81 3b 19 bd f7 11 50 c0-58 eb 54 b4 f2 bf 4e a6   .;....P.X.T...N.

    Start Time: 1427976380
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
. OK Pre-login capabilities listed, post-login capabilities have more.

After this connection establishment everything works fine and I am able to login as expected:

A0003 login [email protected] superSecretPassword
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE
A0003 OK Logged in

I do not know what else I can try to make it run, but it seems as this is a fetchmail related problem. If you have any idea what to try I would be happy to do so and give you all the needed output/log data/information. Thank you for your help.

Edit:

As requested the output of dovecot -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.18.6-vs2.3.7.3-beng x86_64 Debian 7.8 
auth_mechanisms = plain login
listen = 10.1.1.3
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = [email protected]
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
}
ssl_cert = </etc/postfix/ssl/ssl.crt
ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNull:@STRENGTH
ssl_key = </etc/postfix/ssl/ssl.key
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

You are probably using a version of fetchmail that does not support TLSv1.1 or higher yet.

The following line in your Dovecot config disallows TLSv1 server-side:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1

Client-side, you need at least Fetchmail 6.4 (currently not released yet):

Fetchmail can now use SSLv3, or TLSv1.1 or a newer TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with STARTTLS).

-- https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS

If you're using Debian, you could also try their fetchmail package 6.3.23-2 (currently only in testing/unstable, I did not try it myself):

fetchmail (6.3.26-2) unstable; urgency=low

[...]

  • Version OpenSSL build dependency for TLSv1.2 support.

-- http://metadata.ftp-master.debian.org/changelogs/main/f/fetchmail/unstable_changelog

More on the error message Dovecot gave you:

SSL23_GET_SERVER_HELLO:unknown protocol

This error [..] can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).

-- https://stackoverflow.com/a/15168180