Hi! You have misconfigured service imap-login, remove the 993 listener config (it's there by default) or add ssl = yes to it.
Aki

On 11.12.2018 11.58, Marco Fioretti wrote:
> hello, and some update
> short version: the error is still there, but I have some more data to
> share, thanks in advance for further advice
>
> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> not an obsolete version.
> second... at the moment I can send email through postfix on the same
> server, with the same certificates (almost: I still have to fix some
> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>
> However, running openssl as requested returns "no peer certificate
> available", and when I connect with mutt to dovecot I still get the
> "no shared cipher" error. These are the permissions on the certificate
> files:
>
> ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> -r--------. 1 root root 3546 Dec  7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> -r--------. 1 root root 1704 Dec  7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>
> output of openssl, dovecot -n, its current SSL settings and excerpt of
> the log file are all below.
>
> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> CONNECTED(00000003)
> 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1544521696
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> current SSL dovecot settings in conf.d/10-ssl.conf
>
> ssl = yes
> ssl_prefer_server_ciphers = yes
> ssl_dh_parameters_length = 2048
> sl_min_protocol = TLSv1.2
> ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> ssl_cipher_list = ALL
>
> output of dovecot -n:
>
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
> # Hostname: SERVER NAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> mail_location = maildir:/var/mail/mymail_storage/base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes
>
> this is the error message I get when I tried to connect with mutt:
>
> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
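For readers following the thread, here is the `service imap-login` block from the `dovecot -n` output above placed beside the two alternatives Aki proposes. This is an added illustration, not configuration posted by either participant; it restates the listener definitions from the thread and adds only the `ssl = yes` line Aki names. Note that `dovecot -n` prints the effective non-default configuration after all `conf.d/*.conf` files are merged, which is why it, rather than a single file such as `10-ssl.conf`, is the listing to check.

```conf
# As posted in the dovecot -n output: the imaps listener on 993 is redefined
# with only a port and no 'ssl = yes', which is the misconfiguration Aki
# points at.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

# Option 1 (Aki's first suggestion): drop the custom imaps listener so the
# stock definition from conf.d/10-master.conf (port 993 with ssl = yes)
# applies unchanged.
service imap-login {
  inet_listener imap {
    port = 0
  }
}

# Option 2 (Aki's second suggestion): keep the override but add 'ssl = yes',
# which marks the listener as TLS-on-connect (implicit TLS) rather than
# plain IMAP with optional STARTTLS.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

Only one of the three `service imap-login` blocks should exist in the live configuration; after editing, re-run `dovecot -n` and confirm the `imaps` listener shows `ssl = yes` (or is absent because the default applies) before testing again with `openssl s_client` and mutt.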