Bonjour Markus, > - Have you checked that port 12345 as specified below is open/forwarded > and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
Yes of course: tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 22025/dovecot tcp6 0 0 :::12345 :::* LISTEN 22025/dovecot > - Did you retrace your steps and have you verified that synchronisation > works with ssl disabled? This dovecot is working well with my email client and web mail interface, I would prefer not to start playing with this config file ... > - Did you verify your certificate files (e.g., "openssl verify -verbose > -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")? yes: openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt /etc/ssl/certs/key.crt: OK > Personally, I prefer to use a single, specialised tool to manage > certificates/encryption (which in my case is stunnel); all other > programs are set up using (link-)local ip addresses only. If everything > but encryption works with your setup, this might be a possible > "workaround". (Apart from that, stunnel debug mode is very detailed and > can help you to rule out problems with the certificates/connections > between two nodes.) > And once the latter works but the dovecot setup below still does not, it > would also point to a problem with certificate handling by dovecot > (could be library related). This morning logs: Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL > KR, Markus Thx > Am 06.02.2017 um 07:36 schrieb Thierry: >> Hi Aki, >> >> I do not have any error message but (on both server): >> >> doveadm replicator status '*' >> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) >> failed: Connection refused >> >> Thx >> >> >> Le vendredi 3 février 2017 à 17:09:52, vous écriviez : >> >>> Please keep responses in list. rm -f >>> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir. >> >>> On 2017-02-03 17:00, Thierry wrote: >>>> Hi, >>>> >>>> I have removed the '<' : >>>> >>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >>>> >>>> But now: >>>> >>>> doveadm: Error: Corrupted SSL parameters file in state_dir: >>>> ssl-parameters.dat - disabling SSL 360 >>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >>>> doveadm: Error: Corrupted SSL parameters file in state_dir: >>>> ssl-parameters.dat - disabling SSL 360 >>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >>>> >>>> Any idea ? >>>> >>>> Thx >>>> >>>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name. >>>>> Aki >>>>> On 2017-02-03 15:13, Thierry wrote: >>>>>> Hi, >>>>>> >>>>>> I have made change: >>>>>> >>>>>> ssl_protocols = !SSLv2 !SSLv3 >>>>>> ssl = required >>>>>> verbose_ssl = no >>>>>> ssl_key = </etc/ssl/private/private.key >>>>>> ssl_cert = </etc/ssl/certs/key.crt >>>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem >>>>>> >>>>>> >>>>>> # Create a listener for doveadm-server >>>>>> service doveadm { >>>>>> user = vmail >>>>>> inet_listener { >>>>>> port = 12345 >>>>>> ssl= yes >>>>>> } >>>>>> } >>>>>> >>>>>> and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # >>>>>> use doveadm_port >>>>>> >>>>>> And now: >>>>>> >>>>>> Feb 03 14:11:16 doveadm(us...@domain.ltd): Error: sync: Couldn't >>>>>> initialize SSL context: Can't load CA certs from directory : >>>>>> error:02001024:system library:fopen:File name too long >>>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in >>>>>> state_dir: ssl-parameters.dat - disabling SSL 360 >>>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, >>>>>> disabling SSL >>>>>> >>>>>> Thx for your support >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Le vendredi 3 février 2017 à 11:34:43, vous écriviez : >>>>>> >>>>>>> Hello, >>>>>>> On 02/03/2017 08:51 AM, Thierry wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> Still working with my dsync pb. >>>>>>>> I have done a clone (vmware) of my email server. >>>>>>>> Today I have two strictly identical emails servers (server1 >>>>>>>> (main) and server2 (bck) (except IP, hostname and mail_replica). >>>>>>>> >>>>>>>> The ssl config on my both server: >>>>>>>> >>>>>>>> ssl_protocols = !SSLv2 !SSLv3 >>>>>>>> ssl = required >>>>>>>> verbose_ssl = no >>>>>>>> ssl_key = </etc/ssl/private/private.key >>>>>>>> ssl_cert = </etc/ssl/certs/key.crt >>>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem >>>>>>> I think it should be ssl_client_ca_file = >>>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you. >>>>>>>> This config is working for my email client and my email web >>>>>>>> interface ... >>>>>>>> >>>>>>>> Are they on the right order ? >>>>>>>> >>>>>>>> mail_replica = tcps:serv...@domain.ltd and tcps:serv...@domain.ltd >>>>>>>> >>>>>>>> There is trafic on my iptables rules on my both servers: >>>>>>>> >>>>>>>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 >>>>>>>> 0.0.0.0/0 tcp dpt:4711 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> My error message from server1 (main server): >>>>>>>> >>>>>>>> Feb 03 08:38:08 doveadm(us...@domain.ltd): Error: sync: Couldn't >>>>>>>> initialize SSL context: Can't verify remote server certs without >>>>>>>> trusted CAs (ssl_client_ca_* settings) >>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't >>>>>>>> initialize SSL context: Can't verify remote server certs without >>>>>>>> trusted CAs (ssl_client_ca_* settings) >>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't >>>>>>>> initialize SSL context: Can't verify remote server certs without >>>>>>>> trusted CAs (ssl_client_ca_* settings) >>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't >>>>>>>> initialize SSL context: Can't verify remote server certs without >>>>>>>> trusted CAs (ssl_client_ca_* settings) >>>>>>>> >>>>>>>> No logs from server2 >>>>>>>> >>>>>>>> Any ideas ? >>>>>>>> >>>>>>>> Thx for your support >>>>>>>> >>>>>>>> >> >> -- Cordialement, Thierry e-mail : lenai...@maelenn.org