Dovecot 2.0.9
So I am trying to get my Outlook 2010 client to use TLS with Dovecot.
The Outlook error that I get is:
Log onto incoming mail server (IMAP): A secure connection to the server
cannot be established.
I have set the port to 143, 993 and 995 (none of them work), and the security
to TLS.
I have all of the certificates in the full chain installed on my machine and
when viewing them they all show This certificate is OK.
I have turned on Outlook logging and am seeing this:
C:\PROGRA~2\MICROS~2\Office14\OUTLMIME.DLL
IMAP: 14:48:40 [db] Intializing connection [131383B0]
IMAP: 14:48:40 [db] Setting internal codepage to 1200
IMAP: 14:48:40 [db] Connecting to 'mail.mydomain.com' on port 143.
IMAP: 14:48:40 [db] OnNotify: asOld = 0, asNew = 2, ae = 0
IMAP: 14:48:40 [db] srv_name = mail.mydomain.com srv_addr =
174.46.198.101:143
IMAP: 14:48:40 [db] OnNotify: asOld = 2, asNew = 3, ae = 1
IMAP: 14:48:40 [db] OnNotify: asOld = 3, asNew = 4, ae = 0
IMAP: 14:48:40 [db] OnNotify: asOld = 4, asNew = 5, ae = 2
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 4
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready. <-- not seeing the STARTTLS
capability here.
IMAP: 14:48:40 [tx] sx59 CAPABILITY
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN
AUTH=LOGIN
IMAP: 14:48:40 [rx] sx59 OK Capability completed.
IMAP: 14:48:40 [db] ERROR: A secure connection to the server cannot be
established., hr=0x800CCCE1
IMAP: 14:48:40 [db] Connection to 'mail.mydomain.com' closed.
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 0, ae = 5
From a Windows 7 client, if I do a telnet mail.mydomain.com 143 I get:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN]
Dovecot ready. <--- do not see STARTTLS in the capability list.
Same Windows client:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect mail.mydomain.com:993
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(018C)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate <--- Yes, I see
this and it may be an issue, but this certificate exists and is valid.
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL
Wildcard/CN=*.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5169 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384
Session-ID:
281D21C81FA6E7656B9CA2BD13590DDE0094CC8FA43FFD31DFEEDEC74F2511BF
Session-ID-ctx:
Master-Key:
AF36CFDBBAA955270A48E2E9740F671299511DA1B3EEAFFAEC582E100DE519EC7CBC612ED686
DBBBFE06B9D6E535B837
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
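
Added example, not part of the original post: a Python check that parses the port-143 greeting and CAPABILITY reply quoted above and reports whether an in-band TLS upgrade is offered and which plaintext SASL mechanisms are advertised before any TLS. The function names and the contrasting STARTTLS greeting are constructed for illustration.

```python
import re

# Taken from the greeting and CAPABILITY reply quoted in the post (unwrapped).
GREETING = ("* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE "
            "AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
CAP_REPLY = "* CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN"
# Constructed contrast case: a cleartext-port greeting that offers STARTTLS.
GREETING_TLS = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready."

# Capabilities arrive either as a response code in the greeting or as an
# untagged CAPABILITY line (RFC 3501).
_CAP_RE = re.compile(
    r"^\* (?:(?:OK|PREAUTH) \[CAPABILITY ([^\]]*)\]|CAPABILITY (.*))", re.I)

# SASL mechanisms that send the password itself (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return the upper-cased capability set from one server line."""
    m = _CAP_RE.match(line.strip())
    if not m:
        return set()
    return {tok.upper() for tok in (m.group(1) or m.group(2)).split()}


def assess_cleartext_port(line):
    """Summarise what a TLS-requiring client can do on a cleartext IMAP port."""
    caps = parse_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: no in-band TLS upgrade")
    if exposed:
        findings.append("password-bearing mechanisms offered before TLS: "
                        + ", ".join(exposed))
    return {"starttls": "STARTTLS" in caps,
            "cleartext_auth": exposed,
            "findings": findings}


if __name__ == "__main__":
    for label, line in (("post", GREETING), ("contrast", GREETING_TLS)):
        print(label, assess_cleartext_port(line))
```
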