Re: [Dovecot] IPv6 SSL

2012-10-06 Thread Luigi Rosa

Sean Kamath said the following on 06/10/12 07:44:

 Oct  6 07:13:44 mail dovecot: imap-login: Login:
 user=lr...@hypertrek.info, method=CRAM-MD5, rip=10.0.0.155,
 lip=10.0.0.254, mpid=17812, TLS, session=LZhzDV3LMQAKE0Ob
 
 And do you have a PTR record for 10.0.0.254?

No, no PTR or other DNS entry for that address.

No entry of that address in /etc/hosts on the Linux with Thunderbird or on the
Linux with Dovecot.




Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

The past was erased, the erasure was forgotten, the lie became truth.
   --George Orwell, 1984


Re: [Dovecot] IPv6 SSL

2012-10-06 Thread Patrick Westenberg
Can you provide the output of doveconf -n?

Regards
Patrick

Re: [Dovecot] IPv6 SSL

2012-10-06 Thread Luigi Rosa

Patrick Westenberg said the following on 06/10/12 09:29:
 Can you provide the output of doveconf -n?


Sure, here it is:


# 2.1.10: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.1.1.el5.centos.plus x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 0
auth_cache_size = 100 k
auth_cache_ttl = 8 hours
auth_mechanisms = plain login digest-md5 cram-md5
auth_verbose = yes
base_dir = /var/run/dovecot/
login_greeting = Ready.
login_trusted_networks = 10.0.0.0/24
mail_plugins =  stats
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  stats_refresh = 10s
  stats_track_cmds = yes
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
port = 110
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
service stats {
  fifo_listener stats-mail {
mode = 0666
  }
}
ssl_cert = /etc/path/to/file.crt
ssl_key = /etc/path/to/file.key
ssl_parameters_regenerate = 202 hours
syslog_facility = local5
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins =  stats imap_stats
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls
  pop3_uidl_format = %08Xu%08Xv
}






Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

I will tell you a great secret, Captain. Perhaps the greatest of all
time. The molecules of your body are the same molecules that make up
this station and the nebula outside, that burn inside the stars
themselves. We are star stuff, we are the universe made manifest,
trying to figure itself out. As we have both learned, sometimes
the universe requires a change of perspective.
--Delenn, Distant Star, Babylon 5


Re: [Dovecot] IPv6 SSL

2012-10-06 Thread Patrick Westenberg

Hi Luigi,

with regard to SSL my configuration is much simpler and it works 
fine with IPv4 and IPv6. But you of course have to use a hostname 
matching the certificate's common name.



# 2.1.6: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.5
auth_mechanisms = plain login
director_mail_servers = 172.17.1.1 172.17.1.2
director_servers = 172.17.1.3 172.17.1.4
lmtp_proxy = yes
log_path = /var/log/dovecot.log
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave

protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
user = dovecot
  }
}
service director {
  fifo_listener login/proxy-notify {
mode = 0666
  }
  inet_listener {
address = 172.17.1.3
port = 9090
  }
  unix_listener director-userdb {
mode = 0600
  }
  unix_listener login/director {
mode = 0666
  }
}
service imap-login {
  executable = imap-login director
}
service lmtp {
  inet_listener lmtp {
address = 172.17.1.3
port = 24
  }
}
service managesieve-login {
  executable = managesieve-login director
  inet_listener sieve {
port = 4190
  }
}
service pop3-login {
  executable = pop3-login director
}
ssl_cert = /etc/ssl/certs/imap.xxx.de.crt
ssl_key = /etc/ssl/private/imap.xxx.key
protocol !smtp {
  passdb {
args = proxy=y nopassword=y starttls=any-cert
driver = static
  }
}
protocol smtp {
  passdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
  }
  userdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
  }
}
protocol lmtp {
  auth_socket_path = director-userdb
}

Regards
Patrick


Re: [Dovecot] IPv6 SSL

2012-10-06 Thread Patrick Lists

On 10/06/2012 12:02 PM, Patrick Westenberg wrote:

Hi Luigi,

with regard to SSL my configuration is much simpler and it works
fine with IPv4 and IPv6. But you of course have to use a hostname
matching the certificate's common name.


You could add additional hostnames in the certificate by specifying them 
in SubjectAltName. I use that so my certificate works with both the 
public FQDN going over the Internet as well as the internal hostname 
when using a VPN or on the local LAN.


Regards,
Patrick




[Dovecot] IPv6 SSL

2012-10-05 Thread Luigi Rosa

Hi,
I have a dual stack server with Dovecot 2.1.10 listening on v4 and v6

Dovecot has a Comodo SSL certificate issued via NameCheap that works as
expected with IPv4

in 10-ssl.conf I have enabled these configuration directives:

ssl = yes
ssl_cert =  /path/to/file.crt
ssl_key =  /path/to/file.key
ssl_parameters_regenerate = 202 hours


If I connect to Dovecot using the IPv6 address of the server with Thunderbird
15.0.1 using CRAM-MD5 everything is ok.

If I enable SSL _and_ IPv6 on Thunderbird I get this error:

Oct  5 20:05:04 mail dovecot: imap-login: Disconnected (no auth attempts in 1
secs): user=, rip=2001:470:1f09:203:fdbf:508e:4a29:56c5,
lip=2001:470:1f09:203::badd:ecaf, TLS: SSL_read() failed: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48,
session=ZcMRtlPLqgAgAQRwHwkCA/2/UI5KKVbF




Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

I will tell you a great secret, Captain. Perhaps the greatest of all
time. The molecules of your body are the same molecules that make up
this station and the nebula outside, that burn inside the stars
themselves. We are star stuff, we are the universe made manifest,
trying to figure itself out. As we have both learned, sometimes
the universe requires a change of perspective.
--Delenn, Distant Star, Babylon 5


Re: [Dovecot] IPv6 SSL

2012-10-05 Thread Nick Rosier



Luigi Rosa wrote:


Hi,
I have a dual stack server with Dovecot 2.1.10 listening on v4 and v6

Dovecot has a Comodo SSL certificate issued via NameCheap that works as
expected with IPv4

in 10-ssl.conf I have enabled these configuration directives:

ssl = yes
ssl_cert =  /path/to/file.crt
ssl_key =  /path/to/file.key
ssl_parameters_regenerate = 202 hours


If I connect to Dovecot using the IPv6 address of the server with Thunderbird
15.0.1 using CRAM-MD5 everything is ok.
If I enable SSL _and_ IPv6 on Thunderbird I get this error:

How do you enable this in Thunderbird? If by enabling IPv6 you mean 
you put in the IPv6 address instead of the hostname, that's probably 
where you're wrong. The certificate contains your hostname, not the 
IP-address so the hostname verification check fails if you insert the 
IPv6 address (i.e. hostname.tld != 
2001:470:1f09:203:fdbf:508e:4a29:56c5 so your connection fails).
I've verified this by changing the hostname to IPv6 in Thunderbird and 
got the same error as you do. You would get the same error if you 
configure the IPv4 address in TB.

Oct  5 20:05:04 mail dovecot: imap-login: Disconnected (no auth attempts in 1
secs): user=, rip=2001:470:1f09:203:fdbf:508e:4a29:56c5,
lip=2001:470:1f09:203::badd:ecaf, TLS: SSL_read() failed: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48,
session=ZcMRtlPLqgAgAQRwHwkCA/2/UI5KKVbF

This is a valid connection when I use the hostname:

2012-10-04T18:07:51.614187+02:00 mail dovecot: imap-login: Login: 
user=user@domain, method=CRAM-MD5, rip=::::, 
lip=::::, mpid=58179, TLS, TLSv1 with cipher RC4-MD5 
(128/128 bits)


Configure your DNS so your hostname points to both the IPv6 and IPv4 
address. Your client will take whichever protocol is preferred 
(IPv4 or IPv6).


Rgds,
N.


Ciao,
luigi

- -- 
/

+--[Luigi Rosa]--
\

I will tell you a great secret, Captain. Perhaps the greatest of all
time. The molecules of your body are the same molecules that make up
this station and the nebula outside, that burn inside the stars
themselves. We are star stuff, we are the universe made manifest,
trying to figure itself out. As we have both learned, sometimes
the universe requires a change of perspective.
 --Delenn, Distant Star, Babylon 5

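Nick's point above (hostname.tld is not an IP literal) and Patrick Lists' SubjectAltName suggestion earlier in the thread both come down to how a TLS client matches the identifier it was given against the certificate. The following Python is an added example, not code from the thread, Dovecot or Thunderbird: it checks a reference identifier (hostname or IP literal) against a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, using constructed example names and addresses. An IP literal can match only an "IP Address" SAN, so a certificate carrying only DNS names rejects a connection typed as an IPv6 (or IPv4) address, while one that also lists IP SANs accepts it.

```python
import ipaddress

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns; names and addresses are made-up examples, not the thread's.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"), ("DNS", "*.internal.example")),
}
CERT_WITH_IPS = {
    "subject": CERT_DNS_ONLY["subject"],
    "subjectAltName": CERT_DNS_ONLY["subjectAltName"]
    + (("IP Address", "10.0.0.254"), ("IP Address", "2001:db8::badd:ecaf")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}


def _dns_matches(pattern, hostname):
    """Case-insensitive label match; a wildcard may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def identity_matches(cert, reference):
    """True if the identifier the client typed (hostname or IP literal) is one
    the certificate asserts. An IP literal matches only an 'IP Address' SAN,
    never the CN or a DNS SAN, which is why typing the server's address fails."""
    sans = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:  # compare as addresses, so 2001:DB8::1 == 2001:db8:0:0::1
        return any(k == "IP Address" and ipaddress.ip_address(v) == addr
                   for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:  # once any DNS SAN is present the CN is not consulted
        return any(_dns_matches(p, reference) for p in dns_sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_matches(c, reference) for c in cns)


if __name__ == "__main__":
    for ref in ("imap.example.org", "2001:db8::badd:ecaf", "10.0.0.254"):
        print(f"{ref:>22}  DNS-only cert: {identity_matches(CERT_DNS_ONLY, ref)!s:5}"
              f"  with IP SANs: {identity_matches(CERT_WITH_IPS, ref)}")
```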

Re: [Dovecot] IPv6 SSL

2012-10-05 Thread Luigi Rosa

Nick Rosier said the following on 05/10/12 22:47:

 How do you enable this in Thunderbird? If by enabling IPv6 you mean you
 put in the IPv6 address instead of the hostname, that's probably where
 you're wrong. The certificate contains your hostname, not the IP-address
 so the hostname verification check fails if you insert the IPv6 address
 (i.e. hostname.tld != 2001:470:1f09:203:fdbf:508e:4a29:56c5 so your
 connection fails).

Good point. But it does not explain why it works if I put the IPv4 address of the
server (the local LAN IPv4, not the public IPv4).

 I've verified this by changing the hostname to IPv6 in Thunderbird and
 got the same error as you do. You would get the same error if you
 configure the IPv4 address in TB.

The server I am referring to has 2 NICs, one with a public IP and the other
with a local IP address (10.0.0.254).

If I put 10.0.0.254 instead of the IPv6 address I can successfully connect
using TLS:

Oct  6 07:13:44 mail dovecot: imap-login: Login: user=lr...@hypertrek.info,
method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS,
session=LZhzDV3LMQAKE0Ob


 Configure your DNS so your hostname points to both the IPv6 and IPv4
 address. Your client will take whichever protocol is preferred (IPv4
 or IPv6).

Thunderbird uses IPv4 as mail protocol, I wanted to test IPv6...


Thank you for your help


Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

Success is 99% failure.
--Soichiro Honda


Re: [Dovecot] IPv6 SSL

2012-10-05 Thread Sean Kamath

On Oct 5, 2012, at 10:20 PM, Luigi Rosa li...@luigirosa.com wrote:

 
 Nick Rosier said the following on 05/10/12 22:47:
 
 How do you enable this in Thunderbird? If by enabling IPv6 you mean you
 put in the IPv6 address instead of the hostname, that's probably where
 you're wrong. The certificate contains your hostname, not the IP-address
 so the hostname verification check fails if you insert the IPv6 address
 (i.e. hostname.tld != 2001:470:1f09:203:fdbf:508e:4a29:56c5 so your
 connection fails).
 
 Good point. But it does not explain why it works if I put the IPv4 address of the
 server (the local LAN IPv4, not the public IPv4).
 
 I've verified this by changing the hostname to IPv6 in Thunderbird and
 got the same error as you do. You would get the same error if you
 configure the IPv4 address in TB.
 
 The server I am referring to has 2 NICs, one with a public IP and the other
 with a local IP address (10.0.0.254).
 
 If I put 10.0.0.254 instead of the IPv6 address I can successfully connect
 using TLS:
 
 Oct  6 07:13:44 mail dovecot: imap-login: Login: user=lr...@hypertrek.info,
 method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS,
 session=LZhzDV3LMQAKE0Ob

And do you have a PTR record for 10.0.0.254?

Sean