Actually, managesieve DOES use STARTTLS, and does use the same config as the rest 
of Dovecot does, unless you override it of course.

But other than that, you're right.

Aki

> On 15/12/2022 09:49 EET Christian Mack <christian.m...@uni-konstanz.de> wrote:
> 
>  
> Hello
> 
> This test only states that you can connect to IMAP port 143 with 
> STARTTLS and use your certificate there.
> It does not show if your managesieve port 4190 uses that certificate too.
> Managesieve does not use STARTTLS, and has its own configuration.
> 
> I suspect that in your certificate you do not have the private IP 
> included as an alternate name, as you try to reach 10.0.0.91:4190, not 
> mydomain.com:4190.
> 
> 
> Kind regards,
> Christian Mack
> 
> On 14.12.22 at 21:48, co...@colinlikesfood.com wrote:
> > 
> > 
> > Thank you for this.  I am not using self-signed, I am using letsencrypt 
> > as a CA, the certs are installed where certbot put them.
> > 
> > I tried the example from https://wiki2.dovecot.org/TestInstallation, 
> > using openssl s_client, and I achieved the following (lots of data 
> > replaced with "...")
> > 
> > I have not changed anything else since your last reply. I am honestly 
> > not sure what rc config has to do with certs (Google has not given me a 
> > result that seems to apply). Does the below help confirm my certs are 
> > properly installed and that I can connect to Dovecot over TLS and pass 
> > my credentials?
> > 
> > -----
> > 
> > root@mc:~ # openssl s_client -connect mydomain.com:143 -starttls imap
> > CONNECTED(00000004)
> > depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> > verify return:1
> > depth=1 C = US, O = Let's Encrypt, CN = R3
> > verify return:1
> > depth=0 CN = mydomain.com
> > verify return:1
> > ---
> > Certificate chain
> >   ...
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > ..
> > -----END CERTIFICATE-----
> > ..
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA256
> > Peer signature type: RSA-PSS
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 4922 bytes and written 426 bytes
> > Verification: OK
> > ---
> > ..
> > ..
> > ..
> > ---
> > read R BLOCK
> > a login m...@mydomain.com MyPass
> > * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
> > SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT 
> > MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS 
> > LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES 
> > WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY 
> > PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE
> > a OK Logged in
> > a OK Logged in
> > b select inbox
> > * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> > * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] 
> > Flags permitted.
> > * 35 EXISTS
> > * 0 RECENT
> > * OK [UNSEEN 18] First unseen.
> > * OK [UIDVALIDITY 1669149589] UIDs valid
> > * OK [UIDNEXT 255] Predicted next UID
> > * OK [HIGHESTMODSEQ 615] Highest
> > b OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
> > c list "" *
> > * LIST (\HasNoChildren \Marked \Trash) "/" Trash
> > * LIST (\HasNoChildren \UnMarked \Junk) "/" Junk
> > * LIST (\HasNoChildren \Marked \Sent) "/" Sent
> > * LIST (\HasNoChildren \Drafts) "/" Drafts
> > * LIST (\HasNoChildren \UnMarked) "/" INBOX/email-reports
> > * LIST (\HasNoChildren \UnMarked) "/" INBOX/NAS-Alerts
> > * LIST (\HasChildren) "/" INBOX
> > c OK List completed (0.001 + 0.000 secs).
> > 
> > On 2022-11-23 14:49, PGNet Dev wrote:
> > 
> >>> i don't understand why it can't connect, this seems to work fine:
> >>
> >> fine ?
> >>
> >> you're manually overriding at least one problem with your certs/config
> >>
> >>> ...
> >>> - Status: The certificate is NOT trusted. The name in the certificate 
> >>> does not match the expected.
> >>> *** PKI verification of server certificate failed...
> >>> Host 10.0.0.91 (sieve) has never been contacted before.
> >>> Its certificate is valid for 10.0.0.91.
> >>> Are you sure you want to trust it? (y/N): y
> >>> ...
> >>
> >> it appears that you're using a self-signed cert?  are your trusted 
> >> certs defined and correctly chained?  if not explicitly defined, did 
> >> you correctly add your certs to the system ssl dirs, and ensure the hashes are 
> >> correct?
> >>
> >> demonstrate first that you can connect to dovecot over tls with a cmd 
> >> line client, without ignoring or overriding your cert problems
> >>
> >> including any client/server cert verification requirements you've 
> >> turned on in dovecot config
> >>
> >> once you've passed the correct certs, then demonstrate that you can 
> >> authenticate in the same session with any password/credentials you've set
> >>
> >> once that all works, make sure you've got those certs correctly set up 
> >> in your rc config
> > 
> > 
> 
> -- 
> Christian Mack
> Universität Konstanz
> Kommunikations-, Informations-, Medienzentrum (KIM)
> Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
> 78457 Konstanz
> +49 7531 88-4416
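The check the thread is circling around, as an added example that is not code from any of the posters: a POSIX shell script that runs `openssl s_client` with `-starttls imap` against port 143 and `-starttls sieve` against port 4190, and passes `-verify_hostname` or `-verify_ip` so that a certificate which only names `mydomain.com` fails verification when the server is contacted as `10.0.0.91`. The host names, the IP and the sample `s_client` output embedded for the offline run are constructed placeholders; the `starttls_cmd`, `verdict` and `check_service` function names are mine.

```shell
#!/bin/sh
# Added example: verify that both IMAP (143) and ManageSieve (4190) offer
# STARTTLS and present a certificate that validates for the name or IP that
# was actually used to connect. Hosts/ports below are constructed placeholders.

# Build the openssl s_client command line for one service. openssl's
# -starttls knows both "imap" and "sieve"; -verify_hostname / -verify_ip
# make verification fail when the certificate's SANs do not cover the target.
starttls_cmd() {
  host="$1"; port="$2"; proto="$3"
  case "$host" in
    *[!0-9.]*) name_opt="-verify_hostname $host" ;;  # looks like a DNS name
    *)         name_opt="-verify_ip $host" ;;        # looks like an IPv4 address
  esac
  printf 'openssl s_client -connect %s:%s -starttls %s %s\n' \
    "$host" "$port" "$proto" "$name_opt"
}

# Reduce s_client output (read from stdin) to a one-line verdict:
# "ok" when openssl printed "Verification: OK", the error text when it
# printed "Verification error: ...", and "no-tls-result" when neither
# appeared (e.g. the STARTTLS negotiation never reached a handshake).
verdict() {
  awk '
    /^Verification: OK/     { print "ok"; found = 1; exit }
    /^Verification error: / { sub(/^Verification error: /, ""); print; found = 1; exit }
    END { if (!found) print "no-tls-result" }
  '
}

# Live check for one service (needs network access to the server).
check_service() {
  cmd=$(starttls_cmd "$1" "$2" "$3")
  result=$(eval "$cmd" </dev/null 2>&1 | verdict)
  printf '%s:%s (%s): %s\n' "$1" "$2" "$3" "$result"
}

# Constructed s_client output standing in for a server whose certificate only
# names mydomain.com but was contacted by its private IP (-verify_ip given).
SAMPLE_MISMATCH='CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=64:IP address mismatch
Verification error: IP address mismatch
---'

# Constructed s_client output for a certificate that covers the target name.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = mydomain.com
verify return:1
Verification: OK
---'

if [ "${1:-}" = "--live" ]; then
  # Same certificate config should pass on all three if the SANs are right.
  check_service mydomain.com 143 imap
  check_service mydomain.com 4190 sieve
  check_service 10.0.0.91 4190 sieve
else
  # Offline run: exercise the verdict parser on the constructed samples.
  printf '%s\n' "$SAMPLE_OK" | verdict
  printf '%s\n' "$SAMPLE_MISMATCH" | verdict
fi
```

Run it with `--live` on the mail host to test the real listeners; without arguments it only parses the embedded samples. If port 143 reports `ok` and port 4190 reports a mismatch for the same host name, the two services are not using the same certificate; if both report `ok` by name but the IP reports `IP address mismatch`, the certificate simply lacks an IP SAN and the client should connect by host name instead.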
