Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Joseph Tam

Charles Marcus  wrote:


2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143

Not a huge number, but enough to be concerning...

Could this just be from cached junk from some clients, and they will
resolve themselves over time?


Short answer: maybe.  I got these errors when I switched from a self-signed
to CA signed cert, and the client had an open mail session:

Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0
secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS: SSL_read() failed:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca: SSL alert number 48, session=

Not quite the same as yours, but if you call the client up and ask them
to restart their mail client, I'm fairly confident these will go away,
as they did for my user.

You might get some weirdness if for some reason the client does not have
the intermediate CAs cached.  I ran into this problem with our certs --
some RH distributions did have the intermediate CA certs in their store.

Joseph Tam 
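An added example, not from any poster in this thread: a Python tally of the imap-login TLS disconnects by alert code and remote IP, run over constructed log lines modelled on the excerpts above, so an admin can separate clients that rejected the new certificate (alert 42, e.g. a name mismatch) from clients that have no path to a trusted CA (alert 48). The sample lines, the extra alert-48 line and the 203.0.113.x/198.51.100.x addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the imap-login excerpts quoted in
# this thread, plus one alert-48 line (rip= before the alert, as in the
# other poster's log) and one ordinary login that must be ignored.
SAMPLE_LOG = """\
2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143
2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
2014-04-18T15:55:01-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<abc>
2014-04-18T15:56:10-04:00 dinkumthinkum dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
"""

# TLS alert descriptions from RFC 5246 section 7.2.2.
ALERT_NAMES = {
    42: "bad_certificate (client rejected the cert, e.g. name mismatch)",
    48: "unknown_ca (client has no path to a trusted CA)",
}
ALERT_RE = re.compile(r"SSL alert number (\d+)")
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")

def parse_tls_alerts(lines):
    """Yield (remote_ip, alert_code) for each imap-login disconnect that
    carries an SSL alert.  rip= appears after the alert in one poster's
    log and before it in the other's, so the two fields are located
    independently instead of with a single positional pattern."""
    for line in lines:
        if "imap-login: Disconnected" not in line:
            continue
        alert, rip = ALERT_RE.search(line), RIP_RE.search(line)
        if alert and rip:
            yield rip.group(1), int(alert.group(1))

def tally(lines):
    """Return {alert_code: Counter({remote_ip: count})}."""
    per_alert = defaultdict(Counter)
    for rip, code in parse_tls_alerts(lines):
        per_alert[code][rip] += 1
    return dict(per_alert)

def report(lines):
    """Human-readable summary: which clients still fail, and why."""
    out = []
    for code, ips in sorted(tally(lines).items()):
        out.append(f"alert {code} {ALERT_NAMES.get(code, 'other')}: "
                   f"{sum(ips.values())} disconnect(s) from {len(ips)} client(s)")
        out.extend(f"  {ip}: {n}" for ip, n in ips.most_common())
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Clients that keep producing the same alert days after the switch are the ones worth a phone call; a steady trickle of alert 48 from many addresses points at the chain file rather than at client caches.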


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Reindl Harald


On 18.04.2014 22:12, Charles Marcus wrote:
> Ahh... I'm sure we have some older clients that are still configured to use a 
> different hostname...
> 
> So, if the new certs are for mail.example.com, and a client tries to connect 
> using a different hostname, like
> imap.example.com, would that result in these kinds of errors?

yes

and that is why nobody should provide more than one hostname for mailservers
there is no gain and it ends where you are now

had you not wasted the time on different DNS records and instead
just provided and communicated mail.your-primary-domain.tld all the
years before, TLS now would be a no-brainer





Re: [Dovecot] Hash Verification with doveadm

2014-04-18 Thread wid
You could try a newer Dovecot from wheezy-backports. Your command works in my
Dovecot 2.2.12.





[Dovecot] Hash Verification with doveadm

2014-04-18 Thread Andreas Krischer - AKbyte
Hello!

I have a problem with the doveadm tool. I’m trying to verify a hash from my 
MySQL-Db with the following command:

doveadm pw -p '123' -t 
'{SHA512-CRYPT}$6$e3TLkiahfHFv29/J$8etBEtmbh06B72kc1TpetT/k8aHkQrJAPQVpTGDYuzyHZX4MwU2PeL2cIupNEoUUGt6SLB0N7xNqbbqp/5OZo.'

I'm expecting that it says verified or not, but it prompts for a password, so 
the „-p“ parameter does not work. I need this, because I want to use the 
verification in a shell script and for that it has to work without a prompt.

I hope you can guess what my problem is :)

My configuration:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.41-042stab078.27 i686 Debian 7.4 reiserfs
auth_mechanisms = plain login
mail_location = maildir:/var/vmail/%d/%n/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = 



Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus
On 4/18/2014 4:41 PM, Markus Schönhaber  
wrote:
The errors indicate that a client didn't like your certificate for 
some reason. One of the possible reasons surely is a CN in the 
certificate that doesn't match the name of the server the client 
thinks he's connecting to. So the answer to your question is very 
likely "yes". 


Thanks for  the confirmation...

I think I'm going to simply remove that DNS entry and deal with a few 
support phone calls...


--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Markus Schönhaber
18.04.2014 22:12, Charles Marcus:

> On 4/18/2014 3:57 PM, Charles Marcus  wrote:
>> Everything seems to be working, BUT... I'm now seeing some of these 
>> errors, that were not showing up in the logs before:
>>
>> 2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: 
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
>> certificate: SSL alert number 42, rip=24.126.163.180, lport=143
>> 2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: 
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
>> certificate: SSL alert number 42, rip=98.66.176.115, lport=143
>>
>> !2 total in the last 25 minutes since flipping the switch.
>>
>> and there have been two of these:
>>
>> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: 
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: 
>> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
>> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>>
>> Not a huge number, but enough to be concerning...
> 
> Ahh... I'm sure we have some older clients that are still configured to 
> use a different hostname...
> 
> So, if the new certs are for mail.example.com, and a client tries to 
> connect using a different hostname, like imap.example.com, would that 
> result in these kinds of errors?

The errors indicate that a client didn't like your certificate for some
reason. One of the possible reasons surely is a CN in the certificate
that doesn't match the name of the server the client thinks he's
connecting to.

So the answer to your question is very likely "yes".

-- 
Regards
  mks


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Alessandro Menti

On 18/04/2014 22:08, Charles Marcus wrote:

On 4/18/2014 3:32 PM, Alessandro Menti  wrote:

2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of
   the file, paste the contents of /etc/ssl/ourNewCerts
   /RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts
   /mail.ourdomain.com.crt should contain the certificate for
   mail.ourdomain.com and the intermediate RapidSSL certificate (in
   that order);


The Intermediate file already contained 2 certs... so, after I added it
to mine, it now contains 3 certs...

Is that right?

That's right.

Regards,
Alessandro Menti


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

On 4/18/2014 3:57 PM, Charles Marcus  wrote:
Everything seems to be working, BUT... I'm now seeing some of these 
errors, that were not showing up in the logs before:


2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=98.66.176.115, lport=143


!2 total in the last 25 minutes since flipping the switch.

and there have been two of these:

2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: 
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143


Not a huge number, but enough to be concerning...


Ahh... I'm sure we have some older clients that are still configured to 
use a different hostname...


So, if the new certs are for mail.example.com, and a client tries to 
connect using a different hostname, like imap.example.com, would that 
result in these kinds of errors?


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

On 4/18/2014 3:32 PM, Alessandro Menti  wrote:

2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of
   the file, paste the contents of /etc/ssl/ourNewCerts
   /RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts
   /mail.ourdomain.com.crt should contain the certificate for
   mail.ourdomain.com and the intermediate RapidSSL certificate (in
   that order); 


The Intermediate file already contained 2 certs... so, after I added it 
to mine, it now contains 3 certs...


Is that right?

Thanks, I appreciate the help...


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

Thanks Markus and Oscar...

On 4/18/2014 3:29 PM, Markus Schönhaber  
wrote:
Aside from the missing indirection (use ... = before) the documentation indicates that ssl_ca is only used for 
client certificate verification and has nothing to do with the 
certificate chain of your server certificate.


Yeah, the < was in the config, dunno how it got stripped from my post - 
or maybe I manually typed those - yeah, I think I did...


Instead, cat your new server certificate together with the CA 
certificates into one file and point ssl_cert to this file (see 
"Chained SSL certificates" in 
http://wiki2.dovecot.org/SSL/DovecotConfiguration ). 


Ok, did that and made the config change and restarted dovecot.

Everything seems to be working, BUT... I'm now seeing some of these 
errors, that were not showing up in the logs before:


2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=98.66.176.115, lport=143


!2 total in the last 25 minutes since flipping the switch.

and there have been two of these:

2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: 
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143


Not a huge number, but enough to be concerning...

Could this just be from cached junk from some clients, and they will 
resolve themselves over time?


--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Alessandro Menti

On 18/04/2014 19:57, Charles Marcus wrote:

Hi all,

Ok, been wanting to do this for a while, and after the Heartbleed
fiasco, the boss finally agreed to let me buy some real certs...

Until now, we've been using self-signed certs with the following dovecot
config:

ssl = required
ssl_cert = 
Hi Charles,
the RapidSSL documentation is wrong:
1) as you noted, you should use "ssl_cert" instead of "ssl_cert_file",
   and so on;
2) the file paths should be prefixed by "<", otherwise Dovecot will not
   read the files;
3) the "ssl_ca" setting is *not* used to make Dovecot reference
   intermediate certificates in the trust chain - it is used to specify
   trusted CAs in case you want to perform TLS client certificate
   authentication, which I suppose you do not want to do.

You should:
1) make a backup copy of /etc/ssl/ourNewCerts/mail.ourdomain.com.crt;
2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of
   the file, paste the contents of /etc/ssl/ourNewCerts
   /RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts
   /mail.ourdomain.com.crt should contain the certificate for
   mail.ourdomain.com and the intermediate RapidSSL certificate (in
   that order);
3) use the following settings:
ssl = required
ssl_cert = 

Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Markus Schönhaber
18.04.2014 19:57, Charles Marcus:

> Ok, been wanting to do this for a while, and after the Heartbleed 
> fiasco, the boss finally agreed to let me buy some real certs...
> 
> Until now, we've been using self-signed certs with the following dovecot 
> config:
> 
> ssl = required
> ssl_cert =  ssl_key =  
> Now, I've created new keys/certs and the CSR, got the new certs from 
> RapidSSL (and also downloaded their Intermediate bundle), saved 
> everything per their instructions, which say to reference them as follows:
> 
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
> 
> But my current config doesn't have the _file for the variable names, and 
> the wiki doesn't use them, so I'm planning on setting these to:
> 
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
> 
> Anyone else ever used RapidSSL certs? Does this look correct?

Yes. No.
Aside from the missing indirection (use ... = http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

-- 
Regards
  mks


Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Oscar del Rio

On 18/04/2014 1:57 PM, Charles Marcus wrote:



But my current config doesn't have the _file for the variable names, 
and the wiki doesn't use them, so I'm planning on setting these to:


ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt




http://wiki2.dovecot.org/SSL/DovecotConfiguration
Note "Chained SSL certificates" section


[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

Hi all,

Ok, been wanting to do this for a while, and after the Heartbleed 
fiasco, the boss finally agreed to let me buy some real certs...


Until now, we've been using self-signed certs with the following dovecot 
config:


ssl = required
ssl_cert = Now, I've created new keys/certs and the CSR, got the new certs from 
RapidSSL (and also downloaded their Intermediate bundle), saved 
everything per their instructions, which say to reference them as follows:


ssl = required
ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

But my current config doesn't have the _file for the variable names, and 
the wiki doesn't use them, so I'm planning on setting these to:


ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

Anyone else ever used RapidSSL certs? Does this look correct?

Thanks,

Charles


[Dovecot] doveadm auth and the "nologin" extra field

2014-04-18 Thread Axel Luttgens
Hello,

Still busy with details...

Consider, as in my previous example, a password_query returning '!' or NULL 
for the "nologin" column, depending on an account's status (suspended or not).

Let's consider a suspended user "some.user".

In the case of a successful authentication, one has:

sh-3.2# doveadm auth test some.user goodpassword; echo $?
passdb: some.user auth succeeded
extra fields:
  user=some.user
  nologin
0

On the other hand, in the case of an authentication failure:

sh-3.2# doveadm auth test some.user badpassword; echo $?
passdb: some.user auth failed
extra fields:
  user=some.user
  nologin=!
77

So, this is similar to what happens in a connection (pop3, imap...): when 
present, the nologin info is always taken into account, even in the case of an 
authentication failure.

Again, this may raise some concerns about the consistency of such a behavior.
Is this guaranteed to always behave that way, because of some rationale I'm 
currently missing, or is it some overlooked combination, liable to 
be inadvertently "corrected" in the future?
I haven't been able to find a definitive answer in the wiki or in the code 
about such matters.

This is particularly important in the case of doveadm, since its output 
requires parsing to extract such information (the exit code alone isn't 
sufficient); should the above behavior be changed without notice, a script 
could suddenly make the worst decisions...

BTW, why:
  nologin
in the first output, and:
  nologin=!
in the second output?


TIA,
Axel
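An added example, not from the poster or from Dovecot itself: a Python parser for the `doveadm auth test` output format shown above that cross-checks the exit code against the passdb line and treats both the bare `nologin` and the `nologin=!` form as the flag being set, which is the decision a calling script should make rather than trusting the exit code alone. The two suspended-user outputs are copied from the message; the `other.user` active-account output is constructed.

```python
import re

# Outputs copied from the two doveadm runs quoted in the message above
# (shell prompt and "echo $?" lines omitted; the exit code is passed in).
SUSPENDED_GOOD_PW = """\
passdb: some.user auth succeeded
extra fields:
  user=some.user
  nologin
"""
SUSPENDED_BAD_PW = """\
passdb: some.user auth failed
extra fields:
  user=some.user
  nologin=!
"""
# Constructed: an active (not suspended) account with a correct password.
ACTIVE_GOOD_PW = """\
passdb: other.user auth succeeded
extra fields:
  user=other.user
"""

PASSDB_RE = re.compile(r"^passdb: (\S+) auth (succeeded|failed)$")

def parse_doveadm_auth(output, exit_code):
    """Parse `doveadm auth test` output together with its exit code.
    Returns {"user", "succeeded", "nologin", "fields"}.  A bare "nologin"
    and "nologin=!" both count as the flag being set, since the thread
    shows doveadm printing either form depending on the auth result."""
    user, succeeded, fields = None, None, {}
    for line in output.splitlines():
        m = PASSDB_RE.match(line)
        if m:
            user, succeeded = m.group(1), m.group(2) == "succeeded"
        elif line.startswith("  "):          # indented lines are extra fields
            key, sep, value = line.strip().partition("=")
            fields[key] = value if sep else None
    if succeeded is None:
        raise ValueError("no 'passdb: ... auth ...' line in output")
    if succeeded != (exit_code == 0):
        raise ValueError(f"exit code {exit_code} contradicts passdb line")
    return {"user": user, "succeeded": succeeded,
            "nologin": "nologin" in fields, "fields": fields}

def login_allowed(output, exit_code):
    """What a calling script should decide: only a successful passdb
    result without nologin is a usable login.  Checking the exit code
    alone would let a suspended user with the right password through."""
    result = parse_doveadm_auth(output, exit_code)
    return result["succeeded"] and not result["nologin"]

if __name__ == "__main__":
    print(login_allowed(SUSPENDED_GOOD_PW, 0))   # False
    print(login_allowed(SUSPENDED_BAD_PW, 77))   # False
    print(login_allowed(ACTIVE_GOOD_PW, 0))      # True
```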