Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Charles Marcus wrote:

> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>
> Not a huge number, but enough to be concerning... Could this just be from cached junk from some clients, and they will resolve themselves over time?

Short answer: maybe.

I got these errors when I switched from a self-signed to CA signed cert, and the client had an open mail session:

Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=

Not quite the same as yours, but if you call the client up and ask them to restart their mail client, I'm fairly confident these will go away, as for my user.

You might get some weirdness if for some reason the client does not have the intermediate CAs cached. I ran into this problem with our certs -- some RH distributions did have the intermediate CA certs in its store.

Joseph Tam
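As an added example (mine, not code from the thread or from Dovecot), a small Python script that tallies Dovecot imap-login TLS failures by alert number, by the OpenSSL call that failed and by remote address, so the two cases in this thread can be told apart and watched: alert 42 (bad certificate, typically a name mismatch) versus alert 48 (unknown ca, typically a missing or uncached intermediate), and SSL_accept() during the handshake versus SSL_read() in an already open session. The sample log lines are constructed after the ones quoted above, with the client addresses replaced by RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Fields pulled out of a Dovecot imap-login TLS failure line.
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")
CALL_RE = re.compile(r"(?P<call>SSL_[A-Za-z_]+)\(\) failed")
RIP_RE = re.compile(r"\brip=(?P<rip>[^,\s]+)")

# TLS AlertDescription values (RFC 5246) that matter after a certificate
# change; 42 and 48 are the two that appear in this thread.
ALERT_NAMES = {
    42: "bad_certificate: the client rejected the certificate itself (e.g. name/CN mismatch)",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca: the client could not chain to a trusted root (intermediate missing or not cached)",
}


def parse_tls_failure(line):
    """Return (alert_number, failed_call, remote_ip), or None for lines without a TLS alert."""
    alert = ALERT_RE.search(line)
    if alert is None:
        return None
    call = CALL_RE.search(line)
    rip = RIP_RE.search(line)
    return (
        int(alert.group("num")),
        call.group("call") if call else "?",
        rip.group("rip") if rip else "?",
    )


def summarize(lines):
    """Tally failures by alert number, by failed call and by remote address."""
    by_alert, by_call, by_rip = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_tls_failure(line)
        if parsed is None:
            continue
        num, call, rip = parsed
        by_alert[num] += 1
        by_call[call] += 1  # SSL_accept = handshake, SSL_read = already open session
        by_rip[rip] += 1
    return {"by_alert": by_alert, "by_call": by_call, "by_rip": by_rip}


def likely_cause(summary):
    """Turn the tally into the first thing to check."""
    alerts = summary["by_alert"]
    if alerts[48] > alerts[42]:
        return "chain: clients cannot find the issuing CA; make sure the intermediates are in the ssl_cert file"
    if alerts[42]:
        return "names: clients reject the certificate; compare the hostnames clients use with the certificate's names"
    return "no TLS certificate alerts"


# Constructed sample lines modelled on the thread; client addresses replaced
# with RFC 5737 documentation addresses. The last line is a normal login.
SAMPLE_LOG = [
    "2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143",
    "2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.11, lport=143",
    "2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.12, lport=143",
    "Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.20, lip=192.0.2.1, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<constructed>",
    "2014-04-18T15:55:00-04:00 dinkumthinkum dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for num, count in sorted(s["by_alert"].items()):
        print(f"alert {num}: {count}  {ALERT_NAMES.get(num, '')}")
    print("by call:", dict(s["by_call"]))
    print("by client:", dict(s["by_rip"]))
    print(likely_cause(s))
```

Feeding the real log through `summarize` once an hour and watching `by_rip` shrink is the cheap way to confirm Joseph's "they will go away once clients restart": addresses that keep producing alert 42 after a restart are the ones still connecting by the old hostname.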
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18.04.2014 22:12, Charles Marcus wrote:
> Ahh... I'm sure we have some older clients that are still configured to use a
> different hostname...
>
> So, if the new certs are for mail.example.com, and a client tries to connect
> using a different hostname, like
> imap.example.com, would that result in these kinds of errors?

Yes, and that is why nobody should provide more than one hostname for mailservers.

There is no gain, and it ends where you are now.

Would you have not wasted the time on different DNS records and instead just provided and communicated mail.your-primary-domain.tld all the years before, TLS would now be a no-brainer.
Re: [Dovecot] Hash Verification with doveadm
You could try a newer Dovecot from wheezy-backports. Your command works in my Dovecot 2.2.12.
[Dovecot] Hash Verification with doveadm
Hello!

I have a problem with the doveadm tool. I'm trying to verify a hash from my MySQL DB with the following command:

doveadm pw -p '123' -t '{SHA512-CRYPT}$6$e3TLkiahfHFv29/J$8etBEtmbh06B72kc1TpetT/k8aHkQrJAPQVpTGDYuzyHZX4MwU2PeL2cIupNEoUUGt6SLB0N7xNqbbqp/5OZo.'

I'm expecting that it says verified or not, but it prompts for a password, so the "-p" parameter does not work. I need this because I want to use the verification in a shell script, and for that it has to work without a prompt.

I hope you can guess what my problem is :)

My configuration:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.41-042stab078.27 i686 Debian 7.4 reiserfs
auth_mechanisms = plain login
mail_location = maildir:/var/vmail/%d/%n/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert =
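Added example, not from the post and not Dovecot's code: a pure-Python implementation of the SHA512-CRYPT scheme (Drepper's sha-crypt, the `$6$` format) with a verifier that accepts Dovecot's `{SHA512-CRYPT}` prefix, so a script can check a hash from the database without any prompt even where an older doveadm ignores `-p`. The value asserted on is the public "Hello world!" / `$6$saltstring` test vector from the sha-crypt specification; the hash quoted in the post can be passed to `verify_sha512_crypt` as `stored`, but its password is not known here, so it is not used as a test value.

```python
import hashlib
import hmac

# crypt(3)-style alphabet; this is not standard base64.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters of the 24-bit word (b2<<16 | b1<<8 | b0), low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode_sha512(digest):
    """Apply the byte permutation sha512-crypt uses before encoding the 64-byte digest."""
    out = []
    for k in range(21):
        a, b, c = k, k + 21, k + 42  # the spec walks triples (k, k+21, k+42), rotated per group
        if k % 3 == 1:
            a, b, c = b, c, a
        elif k % 3 == 2:
            a, b, c = c, a, b
        out.append(_b64_from_24bit(digest[a], digest[b], digest[c], 4))
    out.append(_b64_from_24bit(0, 0, digest[63], 2))
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000, explicit_rounds=False):
    """Compute a $6$ hash; salt is at most 16 characters, default rounds 5000."""
    pw, sb = password.encode(), salt[:16].encode()
    sha = hashlib.sha512
    digest_b = sha(pw + sb + pw).digest()
    ctx_a = sha(pw + sb)
    ctx_a.update(digest_b * (len(pw) // 64) + digest_b[: len(pw) % 64])
    n = len(pw)
    while n > 0:  # one step per bit of len(pw): 1-bit adds digest B, 0-bit adds the password
        ctx_a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = ctx_a.digest()
    dp = sha(pw * len(pw)).digest()
    p_bytes = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = sha(sb * (16 + digest_a[0])).digest()
    s_bytes = ds * (len(sb) // 64) + ds[: len(sb) % 64]
    c = digest_a
    for i in range(rounds):  # the slow part; the mixing pattern is fixed by the spec
        ctx = sha(p_bytes if i & 1 else c)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(c if i & 1 else p_bytes)
        c = ctx.digest()
    rounds_part = f"rounds={rounds}$" if explicit_rounds else ""
    return f"$6${rounds_part}{sb.decode()}${_encode_sha512(c)}"


def verify_sha512_crypt(password, stored):
    """Verify a Dovecot '{SHA512-CRYPT}$6$[rounds=N$]salt$hash' string against a password."""
    scheme = "{SHA512-CRYPT}"
    if stored.startswith(scheme):
        stored = stored[len(scheme):]
    fields = stored.split("$")  # ['', '6', ('rounds=N',)? salt, hash]
    if len(fields) < 4 or fields[1] != "6":
        raise ValueError("not a SHA512-CRYPT hash")
    rounds, explicit = 5000, False
    if fields[2].startswith("rounds="):
        rounds = min(max(int(fields[2][7:]), 1000), 999999999)  # clamp as the spec does
        explicit = True
        salt = fields[3]
    else:
        salt = fields[2]
    recomputed = sha512_crypt(password, salt, rounds, explicit).rsplit("$", 1)[1]
    return hmac.compare_digest(recomputed, fields[-1])  # constant-time comparison


if __name__ == "__main__":
    import sys
    # usage: script.py '<password>' '{SHA512-CRYPT}$6$...'
    print("verified" if verify_sha512_crypt(sys.argv[1], sys.argv[2]) else "not verified")
```

Two details matter when this replaces a `doveadm pw -t` call in a script: pass the hash as an argument rather than through the shell (the `$` characters are fine inside single quotes, as in the post, but not unquoted), and keep the constant-time comparison, since an early-exit string compare leaks how many leading characters of the encoded hash matched.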
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 4/18/2014 4:41 PM, Markus Schönhaber wrote:
> The errors indicate that a client didn't like your certificate for some reason. One of the possible reasons surely is a CN in the certificate that doesn't match the name of the server the client thinks he's connecting to. So the answer to your question is very likely "yes".

Thanks for the confirmation... I think I'm going to simply remove that DNS entry and deal with a few support phone calls...

--
Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
18.04.2014 22:12, Charles Marcus:
> On 4/18/2014 3:57 PM, Charles Marcus wrote:
>> Everything seems to be working, BUT... I'm now seeing some of these
>> errors, that were not showing up in the logs before:
>>
>> 2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=24.126.163.180, lport=143
>> 2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=98.66.176.115, lport=143
>>
>> !2 total in the last 25 minutes since flipping the switch.
>>
>> and there have been two of these:
>>
>> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>>
>> Not a huge number, but enough to be concerning...
>
> Ahh... I'm sure we have some older clients that are still configured to
> use a different hostname...
>
> So, if the new certs are for mail.example.com, and a client tries to
> connect using a different hostname, like imap.example.com, would that
> result in these kinds of errors?

The errors indicate that a client didn't like your certificate for some reason. One of the possible reasons surely is a CN in the certificate that doesn't match the name of the server the client thinks he's connecting to. So the answer to your question is very likely "yes".

--
Regards
mks
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18/04/2014 22:08, Charles Marcus wrote:
> On 4/18/2014 3:32 PM, Alessandro Menti wrote:
>> 2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of the file, paste the contents of /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the certificate for mail.ourdomain.com and the intermediate RapidSSL certificate (in that order);
>
> The Intermediate file already contained 2 certs... so, after I added it to mine, it now contains 3 certs... Is that right?

That's right.

Regards,
Alessandro Menti
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 4/18/2014 3:57 PM, Charles Marcus wrote:
> Everything seems to be working, BUT... I'm now seeing some of these errors, that were not showing up in the logs before:
>
> 2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
> 2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143
>
> !2 total in the last 25 minutes since flipping the switch.
>
> and there have been two of these:
>
> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>
> Not a huge number, but enough to be concerning...

Ahh... I'm sure we have some older clients that are still configured to use a different hostname...

So, if the new certs are for mail.example.com, and a client tries to connect using a different hostname, like imap.example.com, would that result in these kinds of errors?
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 4/18/2014 3:32 PM, Alessandro Menti wrote:
> 2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of the file, paste the contents of /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the certificate for mail.ourdomain.com and the intermediate RapidSSL certificate (in that order);

The Intermediate file already contained 2 certs... so, after I added it to mine, it now contains 3 certs... Is that right?

Thanks, I appreciate the help...
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Thanks Markus and Oscar...

On 4/18/2014 3:29 PM, Markus Schönhaber wrote:
> Aside from the missing indirection (use ... = before) the documentation indicates that ssl_ca is only used for client certificate verification and has nothing to do with the certificate chain of your server certificate.

Yeah, the < was in the config, dunno how it got stripped from my post - or maybe I manually typed those - yeah, I think I did...

> Instead, cat your new server certificate together with the CA certificates into one file and point ssl_cert to this file (see "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

Ok, did that and made the config change and restarted dovecot.

Everything seems to be working, BUT... I'm now seeing some of these errors, that were not showing up in the logs before:

2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143

!2 total in the last 25 minutes since flipping the switch.

and there have been two of these:

2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143

Not a huge number, but enough to be concerning... Could this just be from cached junk from some clients, and they will resolve themselves over time?

--
Best regards,

Charles Marcus
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18/04/2014 19:57, Charles Marcus wrote:
> Hi all,
>
> Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following dovecot config:
>
> ssl = required
> ssl_cert =

Hi Charles,

the RapidSSL documentation is wrong:

1) as you noted, you should use "ssl_cert" instead of "ssl_cert_file", and so on;
2) the file paths should be prefixed by "<", otherwise Dovecot will not read the files;
3) the "ssl_ca" setting is *not* used to make Dovecot reference intermediate certificates in the trust chain - it is used to specify trusted CAs in case you want to perform TLS client certificate authentication, which I suppose you do not want to do.

You should:

1) make a backup copy of /etc/ssl/ourNewCerts/mail.ourdomain.com.crt;
2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of the file, paste the contents of /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the certificate for mail.ourdomain.com and the intermediate RapidSSL certificate (in that order);
3) use the following settings:

ssl = required
ssl_cert =
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
18.04.2014 19:57, Charles Marcus:
> Ok, been wanting to do this for a while, and after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following dovecot
> config:
>
> ssl = required
> ssl_cert = ssl_key =
> Now, I've created new keys/certs and the CSR, got the new certs from
> RapidSSL (and also downloaded their Intermediate bundle), saved
> everything per their instructions, which say to reference them as follows:
>
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> But my current config doesn't have the _file for the variable names, and
> the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> Anyone else ever used RapidSSL certs? Does this look correct?

Yes.

No. Aside from the missing indirection (use ... = http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

--
Regards
mks
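Added example, mine rather than the thread's or Dovecot's: Python that does what Alessandro's steps and Markus's reply describe. It backs up the server certificate, appends the intermediate bundle to it so the server certificate stays first, reports how many certificates the result holds and whether the original leaf is still at the top (the "2 certs in the bundle, 3 after appending" check from later in the thread), and prints the Dovecot settings to point at the file, with the `<` indirection and without `ssl_ca`. The PEM files are constructed placeholders written to a temporary directory; the real RapidSSL bundle is not reproduced, and the placeholders are not parseable certificates.

```python
import os
import shutil
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Split PEM text into its CERTIFICATE blocks, header and footer lines included."""
    blocks, current = [], None
    for line in text.splitlines():
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def append_intermediates(leaf_path, bundle_path):
    """Back up the server cert, then append the CA bundle so the file reads:
    server certificate first, intermediates after it. Returns the backup path."""
    backup = leaf_path + ".bak"
    shutil.copyfile(leaf_path, backup)
    with open(bundle_path) as f:
        bundle = f.read()
    with open(leaf_path, "r+") as f:
        existing = f.read()  # leaves the position at end of file for the append
        if existing and not existing.endswith("\n"):
            f.write("\n")  # keep every PEM marker on its own line
        f.write(bundle)
    return backup


def check_chain_file(chain_path, original_leaf_path):
    """How many certificates the file holds, and whether the original leaf is still first."""
    with open(chain_path) as f:
        chain = pem_blocks(f.read())
    with open(original_leaf_path) as f:
        leaf = pem_blocks(f.read())
    return {"count": len(chain), "leaf_first": bool(chain) and bool(leaf) and chain[0] == leaf[0]}


def dovecot_ssl_settings(cert_path, key_path):
    """Settings for the chained file. '<' makes Dovecot read the file's contents;
    ssl_ca is left out on purpose, it only configures client-certificate verification."""
    return f"ssl = required\nssl_cert = <{cert_path}\nssl_key = <{key_path}\n"


# Constructed placeholder files (not real certificates) mirroring the thread's
# layout: one leaf certificate plus a RapidSSL bundle that already holds two.
DEMO_DIR = tempfile.mkdtemp()
LEAF = os.path.join(DEMO_DIR, "mail.ourdomain.com.crt")
BUNDLE = os.path.join(DEMO_DIR, "RapidSSL_Intermediate.crt")
KEY = os.path.join(DEMO_DIR, "mail.ourdomain.com.key")


def _fake_pem(label):
    return f"{PEM_BEGIN}\n{label}-PLACEHOLDER\n{PEM_END}\n"


with open(LEAF, "w") as f:
    f.write(_fake_pem("LEAF"))
with open(BUNDLE, "w") as f:
    f.write(_fake_pem("INTERMEDIATE-1") + _fake_pem("INTERMEDIATE-2"))

BACKUP = append_intermediates(LEAF, BUNDLE)
RESULT = check_chain_file(LEAF, BACKUP)

if __name__ == "__main__":
    print(RESULT)  # {'count': 3, 'leaf_first': True}
    print(dovecot_ssl_settings(LEAF, KEY))
```

On the real files the same check is worth running after every renewal, because a bundle pasted above the server certificate instead of below it is the most common way to end up with the alert 48 (unknown ca) failures discussed elsewhere in this thread.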
Re: [Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18/04/2014 1:57 PM, Charles Marcus wrote:
> But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

http://wiki2.dovecot.org/SSL/DovecotConfiguration

Note "Chained SSL certificates" section
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Hi all,

Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...

Until now, we've been using self-signed certs with the following dovecot config:

ssl = required
ssl_cert =

Now, I've created new keys/certs and the CSR, got the new certs from RapidSSL (and also downloaded their Intermediate bundle), saved everything per their instructions, which say to reference them as follows:

ssl = required
ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:

ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

Anyone else ever used RapidSSL certs? Does this look correct?

Thanks,

Charles
[Dovecot] doveadm auth and the "nologin" extra field
Hello,

Still busy with details...

Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not).

Let's consider a suspended user "some.user". In the case of a successful authentication, one has:

sh-3.2# doveadm auth test some.user goodpassword; echo $?
passdb: some.user auth succeeded
extra fields:
  user=some.user
  nologin
0

On the other hand, in the case of an authentication failure:

sh-3.2# doveadm auth test some.user badpassword; echo $?
passdb: some.user auth failed
extra fields:
  user=some.user
  nologin=!
77

So, this is similar to what happens in a connection (pop3, imap...): when present, the nologin info is always taken into account, even in the case of an authentication failure.

Again, this may raise some concerns about the consistency of such a behavior. Is this guaranteed to always behave that way, because of some rationale I'm currently missing, or does it go about some overlooked combination, liable to be inadvertently "corrected" in the future? I haven't been able to find a definitive answer in the wiki or in the code about such matters.

This is particularly important in the case of doveadm, since its output requires parsing for extracting such information (the exit code alone isn't sufficient); should the above behavior be changed without notice, a script could suddenly take the worst decisions...

BTW, why:

nologin

in the first output, and:

nologin=!

in the second output?

TIA,
Axel
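Added example, not from Axel's post and not Dovecot's code: a Python parser for `doveadm auth test` output that combines the passdb line, the extra fields and the exit code into one allow/deny decision, so a script does not rely on the exit code alone and treats a bare `nologin` and `nologin=!` alike as "the field is set". The two outputs are constructed from the ones shown above; `doveadm_auth_test` runs the real command and assumes doveadm is on PATH and writes its report to stdout or stderr.

```python
import re
import subprocess

# Exit status doveadm returned for the failed test in the thread; 77 is
# EX_NOPERM from sysexits.h.
EX_OK, EX_NOPERM = 0, 77

PASSDB_RE = re.compile(r"passdb:\s+(\S+)\s+auth\s+(succeeded|failed)$")


def parse_doveadm_auth(output, exit_code):
    """Parse 'doveadm auth test' output plus its exit code into one decision."""
    result = {"passdb_ok": None, "user": None, "extra": {}, "exit_code": exit_code}
    in_extra = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PASSDB_RE.match(line)
        if m:
            result["user"] = m.group(1)
            result["passdb_ok"] = m.group(2) == "succeeded"
            in_extra = False
            continue
        if line == "extra fields:":
            in_extra = True
            continue
        if in_extra:
            key, sep, value = line.partition("=")
            # a bare key (the 'nologin' of the first output) is still a set field
            result["extra"][key] = value if sep else None
    result["nologin"] = "nologin" in result["extra"]
    # Permit a login only when the exit status and the parsed passdb line agree
    # and the account is not flagged nologin; exit code 0 alone is not enough.
    result["allow_login"] = (
        exit_code == EX_OK and result["passdb_ok"] is True and not result["nologin"]
    )
    return result


def doveadm_auth_test(user, password, doveadm="doveadm"):
    """Run the real command (argv list, no shell quoting) and parse what it prints."""
    proc = subprocess.run(
        [doveadm, "auth", "test", user, password], capture_output=True, text=True
    )
    return parse_doveadm_auth(proc.stdout + proc.stderr, proc.returncode)


# Constructed outputs mirroring the two sessions quoted in the post.
GOOD_OUTPUT = "passdb: some.user auth succeeded\nextra fields:\n  user=some.user\n  nologin\n"
BAD_OUTPUT = "passdb: some.user auth failed\nextra fields:\n  user=some.user\n  nologin=!\n"
ACTIVE_OUTPUT = "passdb: other.user auth succeeded\nextra fields:\n  user=other.user\n"

if __name__ == "__main__":
    for output, code in ((GOOD_OUTPUT, EX_OK), (BAD_OUTPUT, EX_NOPERM), (ACTIVE_OUTPUT, EX_OK)):
        r = parse_doveadm_auth(output, code)
        print(r["user"], "exit", code, "nologin:", r["nologin"], "allow:", r["allow_login"])
```

Keeping the decision in `allow_login` rather than scattered over `if $? -eq 0` tests means that if the nologin handling ever changes as Axel worries, there is exactly one place to adjust, and the parser fails closed (`passdb_ok` stays `None`, so the login is denied) when the output format itself changes.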