Re: dovecot ssl error message from my own connections
"Connection reset by peer" means client breaks connection, not server. Client expects non-SSL connection? Client somehow fails over to non-SSL? STARTTLS where TLS expected? Client fails to verify server certificate? Or you use misconfigured imap-proxy? Have a look at *client* logs. You may try "openssl s_client -connect server:port -showcerts" on client side.

30.03.2019 15:20, Esteban L via dovecot wrote:
> Hello all,
>
> Just a minor thing. Not a big deal, because everything works fine, and
> I feel secure with my setup.
>
> But, I get this error message pretty much throughout the day/night,
> which appears to come from my own mail clients (desktop or mobile).
> I would like to resolve it, because it must be something (that is not
> good--that I may not understand), that may have other ramifications.
>
> So, here it is.
>
> date time myserver dovecot: imap-login: Debug: SSL error: SSL_read()
> syscall failed: Connection reset by peer
>
>
> Anyone have a suggestion of what this might hint to, other than obvious
> SSL. I tried parsing through various logs, but the most I find is just
> this single line.
>
> I can produce it, whenever I close my email client.
>
> Thanks in advance.
Re: dovecot ssl error message from my own connections
Thanks! I will have a look.

-Original Message-
From: @lbutlr via dovecot
Reply-to: "@lbutlr"
To: Davide Marchi via dovecot
Subject: Re: dovecot ssl error message from my own connections
Date: Sat, 30 Mar 2019 06:28:06 -0600

> On 30 Mar 2019, at 06:20, Esteban L via dovecot wrote:
>> date time myserver dovecot: imap-login: Debug: SSL error: SSL_read()
>> syscall failed: Connection reset by peer
>
> I don't get that particular message, but in general Debug messages are informational, not errors or warnings. Seems like the likely cause is your MUA is not closing out the session properly.
>
> Start looking for "dovecot.*Debug" in your logs and you're going to see a lot of lines (so many that I have them logged into a separate file).
Re: dovecot ssl error message from my own connections
Oops, forgot that important requirement! Sorry.

Dovecot 2.2.27

-Original Message-
From: Aki Tuomi
Reply-to: Aki Tuomi
To: este...@little-beak.com, Esteban L via dovecot
Subject: Re: dovecot ssl error message from my own connections
Date: Sat, 30 Mar 2019 14:25:41 +0200 (EET)

> On 30 March 2019 14:20 Esteban L via dovecot <dovecot@dovecot.org> wrote:
>
>> Hello all,
>>
>> Just a minor thing. Not a big deal, because everything works fine, and
>> I feel secure with my setup.
>>
>> But, I get this error message pretty much throughout the day/night,
>> which appears to come from my own mail clients (desktop or mobile).
>> I would like to resolve it, because it must be something (that is not
>> good--that I may not understand), that may have other ramifications.
>>
>> So, here it is.
>>
>> date time myserver dovecot: imap-login: Debug: SSL error: SSL_read()
>> syscall failed: Connection reset by peer
>>
>>
>> Anyone have a suggestion of what this might hint to, other than obvious
>> SSL. I tried parsing through various logs, but the most I find is just
>> this single line.
>>
>> I can produce it, whenever I close my email client.
>>
>> Thanks in advance.
>
> Which version of dovecot is this?
>
> ---
> Aki Tuomi
Re: dovecot ssl error message from my own connections
On 30 Mar 2019, at 06:20, Esteban L via dovecot wrote:
> date time myserver dovecot: imap-login: Debug: SSL error: SSL_read()
> syscall failed: Connection reset by peer

I don't get that particular message, but in general Debug messages are informational, not errors or warnings. Seems like the likely cause is your MUA is not closing out the session properly.

Start looking for "dovecot.*Debug" in your logs and you're going to see a lot of lines (so many that I have them logged into a separate file).

-- 
There is something to be said for grace and respect but humour alway helps - Toby Morris
Re: dovecot ssl error message from my own connections
> On 30 March 2019 14:20 Esteban L via dovecot <dovecot@dovecot.org> wrote:
>
> Hello all,
>
> Just a minor thing. Not a big deal, because everything works fine, and
> I feel secure with my setup.
>
> But, I get this error message pretty much throughout the day/night,
> which appears to come from my own mail clients (desktop or mobile).
> I would like to resolve it, because it must be something (that is not
> good--that I may not understand), that may have other ramifications.
>
> So, here it is.
>
> date time myserver dovecot: imap-login: Debug: SSL error: SSL_read()
> syscall failed: Connection reset by peer
>
> Anyone have a suggestion of what this might hint to, other than obvious
> SSL. I tried parsing through various logs, but the most I find is just
> this single line.
>
> I can produce it, whenever I close my email client.
>
> Thanks in advance.

Which version of dovecot is this?

---
Aki Tuomi
dovecot ssl error message from my own connections
Hello all,

Just a minor thing. Not a big deal, because everything works fine, and I feel secure with my setup.

But, I get this error message pretty much throughout the day/night, which appears to come from my own mail clients (desktop or mobile). I would like to resolve it, because it must be something (that is not good--that I may not understand), that may have other ramifications.

So, here it is.

date time myserver dovecot: imap-login: Debug: SSL error: SSL_read() syscall failed: Connection reset by peer

Anyone have a suggestion of what this might hint to, other than obvious SSL. I tried parsing through various logs, but the most I find is just this single line.

I can produce it, whenever I close my email client.

Thanks in advance.
[Dovecot] SSL/TLS handshake stays forever without timeout
Hi,

I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telnetted to 993 port and did not do anything, or I telnetted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dug into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future.

Thanks,
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 01/14/2014 04:42 PM morrison wrote:
> Hi,
>
> I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telnetted to 993 port and did not do anything, or I telnetted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dug into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future.
>
> Thanks,

Please define 'forever'

I just did `time openssl s_client -connect mail.example.com:143 -starttls imap` (and nothing else):

CONNECTED(0003)
depth=0 CN = mail.…
…
. OK Pre-login capabilities listed, post-login capabilities have more.
* BYE Disconnected for inactivity.
closed

real    3m0.377s
user    0m0.016s
sys     0m0.000s

As you can see, Dovecot closed the connection after three minutes.

Regards,
Pascal
-- 
The trapper recommends today: fabaceae.1401...@localdomain.org
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 14.01.2014 20:26, Pascal Volk wrote:
> Please define 'forever'
>
> I just did `time openssl s_client -connect mail.example.com:143 -starttls imap` (and nothing else):
>
> CONNECTED(0003)
> depth=0 CN = mail.…
> …
> . OK Pre-login capabilities listed, post-login capabilities have more.
> * BYE Disconnected for inactivity.
> closed
>
> real    3m0.377s
> user    0m0.016s
> sys     0m0.000s
>
> As you can see, Dovecot closed the connection after three minutes

did you read the

> This will make our mail server vulnerable to DOS attack

3 minutes is *way too long* in case of a DOS attack

if no single byte data is received there is no reason not to close the connection at least after 30 seconds
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
Hi Pascal

On 14.01.14 20:26 Pascal Volk wrote:
> On 01/14/2014 04:42 PM morrison wrote:
>
> Please define 'forever'
>
> I just did `time openssl s_client -connect mail.example.com:143 -starttls imap` (and nothing else):

This is not the test morrison has suggested. Doing his test with telnet and thus not completing the SSL handshake, the connection stays open much longer than 3 minutes. I closed the connection now manually after a little more than 2 hours. This is on Dovecot 2.1.7.

Regards, Adrian.
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 14.01.2014 20:38 Adrian Zaugg wrote:
> This is not the test morrison has suggested. Doing his test with telnet and thus not completing the SSL handshake, the connection stays open much longer than 3 minutes. I closed the connection now manually after a little more than 2 hours. This is on Dovecot 2.1.7.

same here with dovecot-2.2.10

$ date; telnet imaphost 143
Di 14. Jan 21:57:59 CET 2014
IMAP dialog
. starttls
. OK Begin TLS negotiation now.
...

now it's 23:53 and the TCP connection is still established.

in contrast: postfix-2.11

$ date; telnet mx 25; date
Di 14. Jan 23:42:45 CET 2014
SMTP dialog
...
starttls
220 2.0.0 Ready to start TLS
Connection closed by foreign host.
Di 14. Jan 23:48:10 CET 2014

looks like postfix handles the timeout smarter.

Andreas
Re: [Dovecot] ssl-params regeneration with dovecot 2.2.7
On 05.11.2013 20:01, Frank Elsner wrote:
> after switching from version 2.2.6 to 2.2.7 I miss the loglines which say:
>
> ssl-params: Generating SSL parameters
> ssl-params: SSL parameters regeneration completed
>
> What's going on? No more logging or no regeneration?

it is intentional i guess

http://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
ssl-params: Added ssl_dh_parameters_length removed ssl_parameters_regenerate setting

ssl-params: Added ssl_dh_parameters_length removed ssl_parameters_regenerate setting.
ssl_parameters_regenerate was based on some text from GNUTLS documentation a long time ago, but there's really not much point in doing it. Ideally we should also support openssl dhparam input files, but for now there's the ssl_dh_parameters_length setting that can be used to specify the wanted DH parameters length. If the current ssl-parameters.dat has a different length, it's regenerated. We should probably at some point support also built-in DH parameters which are returned while the ssl-params runs.

-------- Original Message --------
Subject: Re: [Dovecot] DH parameter length too small?
Date: Sat, 2 Nov 2013 15:28:33 +0200
From: Timo Sirainen t...@iki.fi
Reply-To: Dovecot Mailing List dovecot@dovecot.org
To: Jörg Lübbert j.luebb...@kaladix.org
CC: Dovecot Mailing List dovecot@dovecot.org

On 14.10.2013, at 19.08, Jörg Lübbert j.luebb...@kaladix.org wrote:
> from my understanding, using 1024bit DH parameters results in a not sufficiently secure key exchange for DH(E). Therefore I think it would be advisable to have parameters of at least 2048bit. In fact, I would see a great benefit in choosing parameter length arbitrarily. I also do not see the benefit of parameter regeneration. What were the design goals here?

http://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
[Dovecot] ssl-params regeneration with dovecot 2.2.7
Hello,

after switching from version 2.2.7 to 2.2.7 I miss the loglines which say:

ssl-params: Generating SSL parameters
ssl-params: SSL parameters regeneration completed

The configuration has not been changed and reads:

| # 2.2.7: /usr/local/dovecot/etc/dovecot/dovecot.conf
| # OS: Linux 2.6.35.14-106.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3
| auth_mechanisms = plain login
| default_vsz_limit = 512 M
| first_valid_uid = 200
| last_valid_uid = 65534
| listen = *
| lmtp_save_to_detail_mailbox = yes
| login_greeting = c64.shuttle.de - IMAPs Service (dovecot) ready.
| login_log_format_elements = %u %r %c
| mail_location = maildir:/var/spool/mail/%u
| mail_log_prefix = %Us(%u,%r):
| mail_plugin_dir = /usr/dovecot/lib/dovecot/
| mail_plugins = notify quota fts fts_squat
| namespace inbox {
|   inbox = yes
|   list = yes
|   location =
|   mailbox Drafts {
|     special_use = \Drafts
|   }
|   mailbox Gesendet {
|     special_use = \Sent
|   }
|   mailbox SPAM {
|     special_use = \Junk
|   }
|   mailbox Sent {
|     special_use = \Sent
|   }
|   mailbox Trash {
|     special_use = \Trash
|   }
|   prefix =
|   subscriptions = yes
|   type = private
| }
| passdb {
|   args = dovecot
|   driver = pam
| }
| plugin {
|   fts = squat
|   fts_squat = partial=4 full=10
|   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
|   mail_log_fields = uid box from subject msgid size flags
|   mail_log_group_events = yes
|   quota = maildir:User quota
|   quota_rule = *:storage=2G
|   quota_rule2 = Trash:storage=+100M
| }
| postmaster_address = postmas...@moltke28.b.shuttle.de
| protocols = imap
| service anvil {
|   client_limit = 1027
| }
| service auth {
|   unix_listener auth-client {
|     group = exim
|     mode = 0660
|     user = exim
|   }
| }
| service imap-login {
|   inet_listener imap {
|     port = 143
|   }
|   inet_listener imaps {
|     port = 993
|     ssl = yes
|   }
|   process_limit = 512
|   process_min_avail = 10
| }
| service imap-postlogin {
|   executable = script-login /usr/local/sbin/dovecot-imap-post-login
| }
| service imap {
|   executable = imap imap-postlogin
| }
| service lmtp {
|   inet_listener lmtp {
|     address = 0.0.0.0
|     port = 24
|   }
| }
| service pop3-login {
|   inet_listener pop3 {
|     port = 110
|   }
|   inet_listener pop3s {
|     port = 995
|     ssl = yes
|   }
| }
| service pop3 {
|   process_limit = 1024
| }
| ssl_cert = </usr/local/etc/c64.shuttle.de.CRT
| ssl_key = </usr/local/etc/c64.shuttle.de-dovecot.KEY
| ssl_parameters_regenerate = 1 hours
| userdb {
|   driver = passwd
| }
| verbose_proctitle = yes
| protocol lmtp {
|   mail_plugins = notify quota fts fts_squat
| }
| protocol lda {
|   mail_plugins = notify quota fts fts_squat
| }
| protocol imap {
|   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
|   imap_logout_format = [%i/%o]
|   mail_max_userip_connections = 0
|   mail_plugins = notify quota fts fts_squat quota mail_log imap_quota listescape fts fts_squat
| }

What's going on? No more logging or no regeneration?

Greetings, Frank Elsner
Re: [Dovecot] ssl-params regeneration with dovecot 2.2.7
On Tue, 5 Nov 2013 20:01:54 +0100 Frank Elsner wrote:
> Hello,
>
> after switching from version 2.2.7 to 2.2.7 I miss the loglines which say:

Sorry, typo. Should read

after switching from version 2.2.6 to 2.2.7
                                 ^
--Frank
Re: [Dovecot] SSL with startssl.com certificates
On Oct 9, 2013, at 11:36 PM, Noel Butler wrote:
> I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or wont that connect either?

Yes, neither TLS nor IMAPS will connect.

> tried pop3 TLS ? pop3s?

I have not. My next step will be setting up a non-dovecot IMAP server and test the same certificates there.

> and when you test, use -CAfile /path/to/(startssl's)CA.pem

When I do that, I get:

$ openssl s_client -t -CAfile /usr/local/share/certs/ca-root-nss.crt -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
verify return:1
---
…. lots snipped
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C9D4AF8FA11CF6EF00E367BC1B45BA465668AEAE595BF3925FC679C7816CE023
    Session-ID-ctx:
    Master-Key: AA0B04AB1C93688C089349A0137D99B5E65303F58A322397509284AE224B37149F76C8C1CD2A7BAC12BEA8E190468598
    Key-Arg   : None
    Start Time: 1381428914
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

All looks good?

> I see no auth mech statement, so using the default is limited, IIRC, login is re
>
> auth_mechanisms = plain login

But that's OK, right?

> On 10/10/2013 10:51, Dan Langille wrote:
>> On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
>>> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>>>> I would imagine that 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?
>>>
>>> hardly and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
>>
>> I would like to investigate that more if you like. Others have experienced problems connecting to my test server. I can't believe I've created a non-functional Dovecot configuration.
>>
>> One avenue I will pursue: if I swap from 4096 to 2048, why does it work?
>>
>> Here is a connection with a 4096 cert:
>>
>> $ openssl s_ s_client -connect imaps.unixathome.org:993
>> CONNECTED(0003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> ---
>>
>> Here it is with a 2048 cert:
>>
>> $ openssl s_client -connect imaps.unixathome.org:993
>> CONNECTED(0003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>
>> The only thing I change in the configuration is:
>>
>> # MY KEYS
>> #ssl_cert = </usr/local/etc/ssl/dovecot.pem
>> #ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>>
>> # My 2048 key
>> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
>> ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
>>
>> Current configuration is:
>>
>> # doveconf -n
>> # 2.2.6: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 9.1-RELEASE-p6 amd64
>> auth_debug = yes
>> auth_verbose = yes
>> first_valid_gid = 1001
>> first_valid_uid =
Re: [Dovecot] SSL with startssl.com certificates
On Oct 9, 2013, at 11:43 PM, Noel Butler wrote:
> On 10/10/2013 13:36, Noel Butler wrote:
>> I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or wont that connect either?
>>
>> tried pop3 TLS ? pop3s?
>>
>> and when you test, use -CAfile /path/to/(startssl's)CA.pem
>>
>> I see no auth mech statement, so using the default is limited, IIRC, login is re
>>
>> auth_mechanisms = plain login
>
> bugger.. stupid webmail... as I was trying to say, IIRC type login is required for ssl, at least with winblow sclients, try adding the above and see what goes. plain is preferred, but that's because TLS is preferred.

To be clear, I am using this now:

auth_mechanisms = plain login

> use the local - int- ca cert.pem

I have all three in there.

> and remove the ssl_ca option

Removed. Restarted dovecot.

Mail on the Macbook reports:

There may be a problem with the mail server or network. Verify the settings for account “Langille” or try again.

The server returned the error: Mail was unable to connect to server “test1.langille.org” using SSL on port 993. Verify that this server supports SSL and that your account settings are correct.

/var/log/maillog shows:

Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=, rip=98.111.147.220, lip=199.233.228.197, session=5fLNH2foGABib5Pc
Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=, rip=98.111.147.220, lip=199.233.228.197, session=5gDPH2fokABib5Pc

I should have four separate IMAP instances ready later today.

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On Oct 10, 2013, at 2:26 PM, Dan Langille wrote:
> On Oct 9, 2013, at 11:43 PM, Noel Butler wrote:
>> On 10/10/2013 13:36, Noel Butler wrote:
>>> I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or wont that connect either?
>>>
>>> tried pop3 TLS ? pop3s?
>>>
>>> and when you test, use -CAfile /path/to/(startssl's)CA.pem
>>>
>>> I see no auth mech statement, so using the default is limited, IIRC, login is re
>>>
>>> auth_mechanisms = plain login
>>
>> bugger.. stupid webmail... as I was trying to say, IIRC type login is required for ssl, at least with winblow sclients, try adding the above and see what goes. plain is preferred, but that's because TLS is preferred.
>
> To be clear, I am using this now:
>
> auth_mechanisms = plain login
>
>> use the local - int- ca cert.pem
>
> I have all three in there.
>
>> and remove the ssl_ca option
>
> Removed. Restarted dovecot.
>
> Mail on the Macbook reports:
>
> There may be a problem with the mail server or network. Verify the settings for account “Langille” or try again.
>
> The server returned the error: Mail was unable to connect to server “test1.langille.org” using SSL on port 993. Verify that this server supports SSL and that your account settings are correct.
>
> /var/log/maillog shows:
>
> Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=, rip=98.111.147.220, lip=199.233.228.197, session=5fLNH2foGABib5Pc
> Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=, rip=98.111.147.220, lip=199.233.228.197, session=5gDPH2fokABib5Pc
>
> I should have four separate IMAP instances ready later today.

I created those instances. But the new StartCOM 4096-bit cert I created works just fine. So why did the original problem cert fail?

I tried it on the new server. It failed there too. Exact same configuration. One cert works. The other cert fails. So what's different?

The anomaly has been found. First, the cause of the problem is something I did. The problem cert is 4098-bits. Two more than the usual 4096-bits. DOH.

I must give credit to StartCOM. They pointed out this difference just now. And you can see yourself here: http://dan.langille.org/2013/10/10/one-startcom-cert-works-the-other-does-not/

I'll be raising a bug with Apple.

My thanks for the help. My apologies for the noise.

-- 
Dan Langille - http://langille.org
[Dovecot] dovecot: ssl-params
Hello *,

what is the reason for this strange behaviour? May I ignore it?

Oct 8 19:32:20 seymour dovecot: ssl-params: Generating SSL parameters
Oct 8 19:32:29 seymour dovecot: ssl-params: SSL parameters regeneration completed
Oct 9 07:01:05 seymour dovecot: ssl-params: Generating SSL parameters
Oct 9 07:01:06 seymour dovecot: imap-login: Login: frank, 192.168.28.1, TLS
Oct 9 07:01:06 seymour dovecot: ssl-params: SSL parameters regeneration completed
Oct 9 07:01:07 seymour dovecot: ssl-params: Error: epoll_ctl(del, 7) failed: No such file or directory
Oct 9 07:01:07 seymour dovecot: ssl-params: Error: epoll_ctl(del, 8) failed: No such file or directory

Kind regards, Frank Elsner
Re: [Dovecot] SSL with startssl.com certificates
On Oct 6, 2013, at 5:06 PM, Reindl Harald wrote:
> On 06.10.2013 22:42, Dan Langille wrote:
>> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>>
>> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>>
>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>>
>> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1
>
> and mail.app is working even with *self signed* certificates and dovecot 2.2
> you only have to accept / import the certificate
> proven by a testserver all day long

It seems that the test server is not testing this particular situation.

> so i assume the problem exists between chair and keyboard

Turns out, this assumption is incorrect. Just saying….

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On 09.10.2013 21:06, Dan Langille wrote:
> On Oct 6, 2013, at 5:06 PM, Reindl Harald wrote:
>> and mail.app is working even with *self signed* certificates and dovecot 2.2
>> you only have to accept / import the certificate
>> proven by a testserver all day long
>
> It seems that the test server is not testing this particular situation.

it is not the servers job to accept the cert

the particular server makes it even harder as defaults

ssl_cipher_list = EECDH-AES256:EECDH-AES:DHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-AES256:EDH-AES128:EDH-AES:EECDH-RC4:DHE-RC4:EDH-RC4:AES256-SHA:AES128-SHA:TLSv1+HIGH:HIGH:RC4+MEDIUM:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2:!PSK:@STRENGTH
ssl_prefer_server_ciphers = yes

>> so i assume the problem exists between chair and keyboard
>
> Turns out, this assumption is incorrect. Just saying

imap-login: OK: i...@testserver.rhsoft.net, 91.118.73.200, CRAM-MD5, TLSv1 with cipher DHE-RSA-AES256-SHA

* dovecot 2.2.6 / openssl-1.0.1e
* self signed certificate
* 4096 Bit (recently changed from 2048 bit and had to be again accepted by the user)
* Apple OSX Mail.app

it's not the job of the server to accept the cert
period
Re: [Dovecot] SSL with startssl.com certificates
On 09/13/2013 02:59 PM, Dan Langille wrote:
> *** /var/log/maillog ***
> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL

How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...

Eliezer
Re: [Dovecot] SSL with startssl.com certificates
On 09.10.2013 21:27, Eliezer Croitoru wrote:
> On 09/13/2013 02:59 PM, Dan Langille wrote:
>> *** /var/log/maillog ***
>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL
>
> How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...

it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers

user= is pretty normal in a lot of cases

* ssl cert not accepted and not allowed by the user in case of untrusted
* no cipher the client accepts
* no auth-mech the client accepts offered by the server

so how do *you* imagine to see a username in the log?
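Triage of the imap-login lines quoted across these threads (the Debug "Connection reset by peer" line from the first thread, the "SSL failed: where=0x2002" warnings and "Disconnected (no auth attempts ...)" lines from Dan's logs, and the point made just above that an empty user= is expected when the client rejects the cert or ciphers) as an added example that is not Dovecot's code: it groups events by remote IP so that a client which repeatedly dies inside the TLS handshake without ever logging in stands out from a client that merely resets TCP at logout. The sample log is constructed with documentation-range addresses and placeholder session ids; the Login: line follows the custom `login_log_format_elements = %u %r %c` shape shown on this page; `PATTERNS`, `classify` and `triage` are names chosen here.

```python
"""Added example, not Dovecot's code: triage imap-login log lines by remote IP.
Sample lines are constructed (documentation-range addresses, placeholder
session ids); the Login: line follows the %u %r %c format shown on this page."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Oct  6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [198.51.100.7]
Oct  6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected, session=<sample0001>
Oct  6 20:20:31 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [198.51.100.7]
Oct  6 20:20:31 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected, session=<sample0002>
Oct  6 20:21:02 imaps dovecot: imap-login: Login: frank, 192.0.2.55, TLS
Oct  6 20:21:40 imaps dovecot: imap-login: Debug: SSL error: SSL_read() syscall failed: Connection reset by peer
Oct  6 20:22:10 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=192.0.2.10, session=<sample0003>
"""

# One (category, regex) pair per line shape quoted in the threads.  The list
# archive strips the <> around user= and session=, so they are optional here.
PATTERNS = [
    ("handshake_failed",
     re.compile(r"imap-login: Warning: SSL failed: where=0x[0-9a-fA-F]+: .*? \[(?P<rip>[^\]]+)\]")),
    ("disconnected",
     re.compile(r"imap-login: Disconnected \((?P<why>[^)]*)\): user=<?(?P<user>[^>,]*)>?, "
                r"rip=(?P<rip>[^,]+), lip=[^,]+(?P<rest>.*)")),
    ("login", re.compile(r"imap-login: Login: (?P<user>[^,]+), (?P<rip>[^,]+)")),
    ("client_reset",
     re.compile(r"imap-login: Debug: SSL error: SSL_read\(\) syscall failed: Connection reset by peer")),
]


def classify(line):
    """Return (category, remote_ip_or_None) for a line, or None if untracked."""
    for name, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        rip = m.groupdict().get("rip")
        if name == "disconnected":
            # Dovecot tags a drop that happened inside the TLS handshake explicitly;
            # a plain "no auth attempts" drop after a finished handshake is different.
            name = "handshake_disconnect" if "TLS handshaking" in m.group("rest") else "no_auth_disconnect"
        return name, rip
    return None


def triage(text, min_failures=2):
    """Count events overall and per remote IP; list IPs that keep failing the
    TLS handshake and never reach a login (the "client refuses the cert or
    ciphers" case from the thread).  The Debug reset line carries no IP."""
    events = Counter()
    by_rip = defaultdict(Counter)
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, rip = hit
        events[category] += 1
        if rip:
            by_rip[rip][category] += 1
    suspects = sorted(
        ip for ip, c in by_rip.items()
        if c["handshake_failed"] + c["handshake_disconnect"] >= min_failures and c["login"] == 0
    )
    return {
        "events": dict(events),
        "by_rip": {ip: dict(c) for ip, c in by_rip.items()},
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["events"])
    for ip in report["suspects"]:
        print(f"{ip}: {report['by_rip'][ip]} -> never completes TLS; check that client's trust store and ciphers")
```

Run against a real maillog the same way (`triage(open("/var/log/maillog").read())`); the lone Debug reset line never reaches the suspects list because it names no peer, which matches the first thread's conclusion that it is informational, while an address that only ever appears in handshake failures is the case to look at on the client side.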
Re: [Dovecot] SSL with startssl.com certificates
On 10/09/2013 10:31 PM, Reindl Harald wrote:
> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>> *** /var/log/maillog ***
>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL
>>
>> How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...
>
> it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers
>
> user= is pretty normal in a lot of cases
>
> * ssl cert not accepted and not allowed by the user in case of untrusted
> * no cipher the client accepts
> * no auth-mech the client accepts offered by the server
>
> so how do *you* imagine to see a username in the log?

I expect that StartSSL will put good configuration examples for Apache Postfix Dovecot Exim nginx and more.. This way their service would give much more... I am just still unsure how long would it take to write the docs that explain all the mentioned above: there is a SSL hierarchy and StartSSL uses this hierarchy which you need to understand and then the next thing to do is to answer a question or two to make sure you understand that everything is OK with the service etc.

A basic openssl client into a ssl port should be sufficient but in a case of a special client that verifies two way key it's another story.

Hope there was a solution in the upper part of the thread.

Eliezer
Re: [Dovecot] SSL with startssl.com certificates
On 09.10.2013 21:45, Eliezer Croitoru wrote:
> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>> *** /var/log/maillog ***
>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL
>>>
>>> How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...
>>
>> it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers
>>
>> user= is pretty normal in a lot of cases
>>
>> * ssl cert not accepted and not allowed by the user in case of untrusted
>> * no cipher the client accepts
>> * no auth-mech the client accepts offered by the server
>>
>> so how do *you* imagine to see a username in the log?
>
> I expect that StartSSL will put good configuration examples for Apache Postfix Dovecot Exim nginx and more..

not their job and not part of the problem

* your client accepts a certificate
* your client does not accept your certificate

in case it does not *you* as enduser have to accept/import the servers cert

http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
http://www.startssl.com/?app=25#31

if someone does not know what an intermediate CA is he needs to RTFM or *read* messages of his client or buy by all major clients accepted certificates

but that all has less to do with your blunt "it is very clear that there is nothing that the client tries to do" showing that you have zero experience how a client handshake works - it does not send usernames or even passwords until it is not satisfied with the negotiation of auth-mechs and ssl-handshake
Re: [Dovecot] SSL with startssl.com certificates
On 10/09/2013 10:55 PM, Reindl Harald wrote:
> On 09.10.2013 21:45, Eliezer Croitoru wrote:
>> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>> *** /var/log/maillog ***
>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL
>>>> How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...
>>> it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers
>>> user= is pretty normal in a lot of cases
>>> * ssl cert not accepted and not allowed by the user in case of untrusted
>>> * no cipher the client accepts
>>> * no auth-mech the client accepts offered by the server
>>> so how do *you* imagine to see a username in the log?
>> I expect that StarSSL will put good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..
> not their job and not part of the problem
> * your client accepts a certificate
> * your client does not accept your certificate
> in case it does not, *you* as enduser have to accept/import the server's cert
> http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
> http://www.startssl.com/?app=25#31
> if someone does not know what an intermediate CA is, he needs to RTFM or *read* the messages of his client or buy certificates accepted by all major clients
> but that all has less to do with your blunt "it is very clear that there is nothing that the client tries to do", showing that you have zero experience of how a client handshake works - it does not send usernames or even passwords until it is satisfied with the negotiation of auth-mechs and ssl-handshake

I would try to use StartSSL with squid and I will see if the docs in squid ssl-bump explain the subject in a way I can understand.

As Dan explained, his major problem is with a specific encryption cipher in a very specific size.. I would imagine that a 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?

Thanks,
Eliezer
Re: [Dovecot] SSL with startssl.com certificates
On 09.10.2013 22:09, Eliezer Croitoru wrote:
> On 10/09/2013 10:55 PM, Reindl Harald wrote:
>> On 09.10.2013 21:45, Eliezer Croitoru wrote:
>>> On 10/09/2013 10:31 PM, Reindl Harald wrote:
>>>> On 09.10.2013 21:27, Eliezer Croitoru wrote:
>>>>> On 09/13/2013 02:59 PM, Dan Langille wrote:
>>>>>> *** /var/log/maillog ***
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
>>>>>> Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL
>>>>> How about trying to use a username to identify the user?? it is very clear that there is nothing that the client tries to do...
>>>> it is much more clear that there is no username if the client refuses the SSL handshake because it does not like the cert or the offered ssl-ciphers
>>>> user= is pretty normal in a lot of cases
>>>> * ssl cert not accepted and not allowed by the user in case of untrusted
>>>> * no cipher the client accepts
>>>> * no auth-mech the client accepts offered by the server
>>>> so how do *you* imagine to see a username in the log?
>>> I expect that StarSSL will put good configuration examples for Apache, Postfix, Dovecot, Exim, nginx and more..
>> not their job and not part of the problem
>> * your client accepts a certificate
>> * your client does not accept your certificate
>> in case it does not, *you* as enduser have to accept/import the server's cert
>> http://stackoverflow.com/questions/10879370/startssl-class-1-certificate-not-accepted-by-browser-weblogic-10-0-1
>> http://www.startssl.com/?app=25#31
>> if someone does not know what an intermediate CA is, he needs to RTFM or *read* the messages of his client or buy certificates accepted by all major clients
>> but that all has less to do with your blunt "it is very clear that there is nothing that the client tries to do", showing that you have zero experience of how a client handshake works - it does not send usernames or even passwords until it is satisfied with the negotiation of auth-mechs and ssl-handshake
> I would try to use StartSSL with squid and I will see if the docs in squid ssl-bump explain the subject in a way I can understand

RTFM http://www.startssl.com/?app=25 or go to http://www.thawte.com/

> As Dan explained, his major problem is with a specific encryption cipher in a very specific size.. I would imagine that a 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?

why in the world should it take more than 1 second? and even if - how does this matter?
Re: [Dovecot] SSL with startssl.com certificates
On 10/09/2013 11:15 PM, Reindl Harald wrote:
> why in the world should it take more than 1 second? and even if - how does this matter?

The dovecot daemon waited only 1 second for a response.. and if there is a 900 Mhz client like many devices that use android, how long would it take to encrypt and decrypt over a mobile network a 4k encryption without any assisting crypt cards??

Eliezer
Re: [Dovecot] SSL with startssl.com certificates
On 09.10.2013 23:09, Eliezer Croitoru wrote:
> On 10/09/2013 11:15 PM, Reindl Harald wrote:
>> why in the world should it take more than 1 second? and even if - how does this matter?
> The dovecot daemon waited only 1 second for a response..

says who? the *client* closed the connection within one second because it did not accept cert/ciphers/auth-mechs

> and if there is a 900 Mhz client like many devices that use android, how long would it take to encrypt and decrypt over a mobile network a 4k encryption without any assisting crypt cards??

you need to understand basics for assumptions
encrypt/decrypt what amount of data? for the handshake - meaningless
Re: [Dovecot] SSL with startssl.com certificates
On 10/10/2013 06:09, Eliezer Croitoru wrote:
> I would imagine that a 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?

hardly, and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
Re: [Dovecot] SSL with startssl.com certificates
On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>> I would imagine that a 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?
> hardly, and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.

I would like to investigate that more if you like. Others have experienced problems connecting to my test server. I can't believe I've created a non-functional Dovecot configuration.

One avenue I will pursue: if I swap from 4096 to 2048, why does it work?

Here is a connection with a 4096 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

Here it is with a 2048 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

The only thing I change in the configuration is:

# MY KEYS
#ssl_cert = </usr/local/etc/ssl/dovecot.pem
#ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key

# My 2048 key
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key

Current configuration is:

# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes

--
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or won't that connect either? tried pop3 TLS? pop3s?

and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, login is re

auth_mechanisms = plain login

On 10/10/2013 10:51, Dan Langille wrote:
> On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
>> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>>> I would imagine that a 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?
>> hardly, and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
>
> I would like to investigate that more if you like. Others have experienced problems connecting to my test server. I can't believe I've created a non-functional Dovecot configuration.
>
> One avenue I will pursue: if I swap from 4096 to 2048, why does it work?
>
> Here is a connection with a 4096 cert:
>
> $ openssl s_client -connect imaps.unixathome.org:993
> CONNECTED(0003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> ---
>
> Here it is with a 2048 cert:
>
> $ openssl s_client -connect imaps.unixathome.org:993
> CONNECTED(0003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>
> The only thing I change in the configuration is:
>
> # MY KEYS
> #ssl_cert = </usr/local/etc/ssl/dovecot.pem
> #ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>
> # My 2048 key
> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
> ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
>
> Current configuration is:
>
> # doveconf -n
> # 2.2.6: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=SHA512-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     address = 199.233.228.197
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
> ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
Re: [Dovecot] SSL with startssl.com certificates
On 10/10/2013 13:36, Noel Butler wrote:
> I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or won't that connect either? tried pop3 TLS? pop3s?
>
> and when you test, use -CAfile /path/to/(startssl's)CA.pem
>
> I see no auth mech statement, so using the default is limited, IIRC, login is re
>
> auth_mechanisms = plain login

bugger.. stupid webmail... as I was trying to say, IIRC type login is required for ssl, at least with winblows clients, try adding the above and see what goes.

plain is preferred, but that's because TLS is preferred.

use the local - int- ca cert.pem and remove the ssl_ca option
Re: [Dovecot] SSL with startssl.com certificates
On 2013-10-07 13:57, Bruno Tréguier wrote:
> On 06/10/2013 at 22:42, Dan Langille wrote:
>> After a long delay, I'm ready to tackle this again.
>> [...]
>> Testing via the command line gives:
>>
>> $ openssl s_client -connect imaps.unixathome.org:993
>> CONNECTED(0003)
>> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>
> Ok, this is fine, and different from the result you were getting a few weeks ago. Your cert chain is ok, it seems. The error num=19:self signed certificate in certificate chain is a normal error, due to the fact that you didn't tell openssl where to find a list of valid root certs. All looks good.
>
>> /var/log/maillog shows:
>>
>> Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=dan, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=fYUwEhjoVgBib5Pc
>> Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691
>>
>> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>>
>> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>>
>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>>
>> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.
>
> Well, sorry but no further suggestions as far as I'm concerned then, except that some people tend to think that mail.app is pretty crappy and behaves quite strangely in certain situations...

I have given up.

As much as I'd like to solve this problem, I must move on. I will resort to self-signed certificates.[1]

I had hoped to resolve the issue so that others can use the solution. My thanks to those that have offered suggestions and help.

[1] - FYI, I am the only user of this IMAP server.

--
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On Oct 8, 2013, at 8:59 AM, Dan Langille wrote:
> On 2013-10-07 13:57, Bruno Tréguier wrote:
>> On 06/10/2013 at 22:42, Dan Langille wrote:
>>> After a long delay, I'm ready to tackle this again.
>>> [...]
>>> Testing via the command line gives:
>>>
>>> $ openssl s_client -connect imaps.unixathome.org:993
>>> CONNECTED(0003)
>>> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>
>> Ok, this is fine, and different from the result you were getting a few weeks ago. Your cert chain is ok, it seems. The error num=19:self signed certificate in certificate chain is a normal error, due to the fact that you didn't tell openssl where to find a list of valid root certs. All looks good.
>>
>>> /var/log/maillog shows:
>>>
>>> Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=dan, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=fYUwEhjoVgBib5Pc
>>> Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691
>>>
>>> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>>>
>>> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>>> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>>>
>>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>>>
>>> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.
>>
>> Well, sorry but no further suggestions as far as I'm concerned then, except that some people tend to think that mail.app is pretty crappy and behaves quite strangely in certain situations...
>
> I have given up.
>
> As much as I'd like to solve this problem, I must move on. I will resort to self-signed certificates.[1]
>
> I had hoped to resolve the issue so that others can use the solution. My thanks to those that have offered suggestions and help.
>
> [1] - FYI, I am the only user of this IMAP server.

The problem *may* be with 4096 bit certificates. I've been able to connect with a 2048-bit, but not with a 4096-bit. More testing to be done.

--
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On 2013-10-06 17:06, Reindl Harald wrote:
> On 06.10.2013 22:42, Dan Langille wrote:
>> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>>
>> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>>
>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>>
>> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1
>
> and mail.app is working even with *self signed* certificates and dovecot 2.2
> you only have to accept / import the certificate
> proven by a testserver all day long
> so i assume the problem exists between chair and keyboard

It is something I am doing. Without a doubt. Clearly, there is something unique about this situation which is not going well. I want to discover the problem so others do not encounter it in future.

--
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 06/10/2013 at 22:42, Dan Langille wrote:
> After a long delay, I'm ready to tackle this again.
> [...]
> Testing via the command line gives:
>
> $ openssl s_client -connect imaps.unixathome.org:993
> CONNECTED(0003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

Ok, this is fine, and different from the result you were getting a few weeks ago. Your cert chain is ok, it seems. The error num=19:self signed certificate in certificate chain is a normal error, due to the fact that you didn't tell openssl where to find a list of valid root certs. All looks good.

> /var/log/maillog shows:
>
> Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=dan, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=fYUwEhjoVgBib5Pc
> Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691
>
> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>
> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>
> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>
> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.

Well, sorry but no further suggestions as far as I'm concerned then, except that some people tend to think that mail.app is pretty crappy and behaves quite strangely in certain situations...

Best regards,

Bruno

--
- Service Hydrographique et Oceanographique de la Marine - DMGS/INF
- 13, rue du Chatellier - CS 92803 - 29228 Brest Cedex 2, FRANCE
- Phone: +33 2 98 22 17 49 - Email: bruno.tregu...@shom.fr
Re: [Dovecot] SSL with startssl.com certificates
On Sep 17, 2013, at 10:59 AM, Bruno Tréguier wrote:
> On 17/09/2013 at 16:32, Dan Langille wrote:
>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>>
>> Somewhere, somehow, there is something vastly different and not working.
>
> Hi,
>
> Something is definitely wrong with your certificate chain. The first certificate listed in your chain (depth 2) should be StartCom's root CA, bearing CN = StartCom Certification Authority, the 2nd one (depth 1) should be the intermediate cert, bearing CN = StartCom Class 1 Primary Intermediate Server CA and the last one (depth 0) should be yours.
>
> You told in an earlier message that you had put the 3 certs (yours, then the intermediate, and then the root) in your crt file. Is it still the case? If not, you really *must* do it, even if you find it makes no difference. Maybe there's another problem somewhere else, but this chain is a prerequisite for many clients to work.

After a long delay, I'm ready to tackle this again.

This is my configuration:

# dovecot -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_cert = </usr/local/etc/ssl/dovecot.pem
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes

/usr/local/etc/ssl/dovecot.pem was created via:

cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem > dovecot.pem

All the certs are startssl.com certs.

Testing via the command line gives:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
[PEM-encoded server certificate omitted]
Re: [Dovecot] SSL with startssl.com certificates
On 06.10.2013 22:42, Dan Langille wrote:
> I have Thunderbird working just fine on my Macbook. But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
>
> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=Ux8HRBjo7QBib5Pc
>
> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
>
> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1

and mail.app is working even with *self signed* certificates and dovecot 2.2
you only have to accept / import the certificate
proven by a testserver all day long
so i assume the problem exists between chair and keyboard
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-16 20:28, Noel Butler wrote:
> On Mon, 2013-09-16 at 10:10 -0400, Dan Langille wrote:
>> On Sep 14, 2013, at 10:36 PM, Noel Butler wrote:
>>> On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:
>>>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>>> Well, it's likely an Apple fault, after all their implementation of pop3 has been known to be broken for many many many years, but still after all these years they are incapable of finding a developer to fix it by inserting a QUIT after it's done everything.
>
> Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.

I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2

> But, if it does work on port 143 with TLS I wouldn't worry too much about it

tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2

It seems that TLS is not supported by my client. Pity.

I thank you for your help though. We have a workaround, which is good enough for my particular situation: self-signed certificates. However, that solution is not ideal for most people. It is for that reason that I'm willing to keep hacking at this if others have further ideas / suggestions.

--
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 17.09.2013 14:39, Dan Langille wrote:
> On 2013-09-16 20:28, Noel Butler wrote:
>> Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
>
> I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
>
>> But, if it does work on port 143 with TLS I wouldn't worry too much about it
>
> tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
>
> It seems that TLS is not supported by my client. Pity.

iPhone is the worst mail client on this planet but for sure supports TLS

Apple is here the same as Microsoft
* remove the account completely
* add it again and it will detect that encryption is available
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-17 08:43, Reindl Harald wrote:
> On 17.09.2013 14:39, Dan Langille wrote:
> > On 2013-09-16 20:28, Noel Butler wrote:
> > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> >
> > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> >
> > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> >
> > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> >
> > It seems that TLS is not supported by my client. Pity.
>
> iPhone is the worst mail client on this planet but for sure supports TLS
> Apple is here the same as Microsoft
>
> * remove the account completely
> * add it again and it will detect that encryption is available

Done. But tcpdump is still showing me plain text.

# dovecot -n
# 2.1.16: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
    port = 0
  }
}
ssl_cert = /usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = /usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On Tue, 17 Sep 2013 09:01:49 -0400 Dan Langille articulated:
> On 2013-09-17 08:43, Reindl Harald wrote:
> > On 17.09.2013 14:39, Dan Langille wrote:
> > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > >
> > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > >
> > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > >
> > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > >
> > > It seems that TLS is not supported by my client. Pity.
> >
> > iPhone is the worst mail client on this planet but for sure supports TLS
> > Apple is here the same as Microsoft
> >
> > * remove the account completely
> > * add it again and it will detect that encryption is available
>
> Done. But tcpdump is still showing me plain text.
>
> # dovecot -n
> # 2.1.16: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> disable_plaintext_auth = no
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     address = 199.233.228.197
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>     port = 0
>   }
> }
> ssl_cert = /usr/local/etc/ssl/imaps.unixathome.org.crt
> ssl_key = /usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }

Show the entire dump from when you first attempt to make a connection to the start of message transmission.
-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: [Dovecot] SSL with startssl.com certificates
On 17.09.2013 15:01, Dan Langille wrote:
> On 2013-09-17 08:43, Reindl Harald wrote:
> > On 17.09.2013 14:39, Dan Langille wrote:
> > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > >
> > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > >
> > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > >
> > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > >
> > > It seems that TLS is not supported by my client. Pity.
> >
> > iPhone is the worst mail client on this planet but for sure supports TLS
> > Apple is here the same as Microsoft
> >
> > * remove the account completely
> > * add it again and it will detect that encryption is available
>
> Done. But tcpdump is still showing me plain text.

and you surely have ssl = yes in your configuration?
dovecot -n does not show it here too while it is there

*what* says telnet your-server 143

if it is configured correctly you see STARTTLS in the capabilities
if you do not see it then the problem is a completely different one

* OK [CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN AUTH=SCRAM-SHA-1]
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-17 09:08, Jerry wrote:
> On Tue, 17 Sep 2013 09:01:49 -0400 Dan Langille articulated:
> > On 2013-09-17 08:43, Reindl Harald wrote:
> > > On 17.09.2013 14:39, Dan Langille wrote:
> > > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > > >
> > > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > > >
> > > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > > >
> > > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > > >
> > > > It seems that TLS is not supported by my client. Pity.
> > >
> > > iPhone is the worst mail client on this planet but for sure supports TLS
> > > Apple is here the same as Microsoft
> > >
> > > * remove the account completely
> > > * add it again and it will detect that encryption is available
> >
> > Done. But tcpdump is still showing me plain text.
> >
> > # dovecot -n
> > # 2.1.16: /usr/local/etc/dovecot/dovecot.conf
> > # OS: FreeBSD 9.1-RELEASE-p6 amd64
> > auth_debug = yes
> > auth_verbose = yes
> > disable_plaintext_auth = no
> > first_valid_gid = 1001
> > first_valid_uid = 1001
> > mail_debug = yes
> > mail_location = maildir:~/Maildir
> > mail_privileged_group = mail
> > passdb {
> >   args = scheme=BLF-CRYPT /var/db/dovecot.users
> >   driver = passwd-file
> > }
> > protocols = imap
> > service imap-login {
> >   inet_listener imap {
> >     address = 199.233.228.197
> >   }
> >   inet_listener imaps {
> >     address = 199.233.228.197
> >     port = 0
> >   }
> > }
> > ssl_cert = /usr/local/etc/ssl/imaps.unixathome.org.crt
> > ssl_key = /usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> > userdb {
> >   args = /var/db/dovecot.users
> >   driver = passwd-file
> > }
> > verbose_proctitle = yes
> > verbose_ssl = yes
> > protocol imap {
> >   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> > }
>
> Show the entire dump from when you first attempt to make a connection to the start of message transmission.

13:22:17.985508 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [S], seq 2703590158, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 773682446 ecr 0,sackOK,eol], length 0
EH.@?.@.3._...U2.%.Z... ..u.
13:22:17.985579 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [S.], seq 2030926149, ack 2703590159, win 65535, options [mss 1370,nop,wscale 6,sackOK,TS val 2484342793 ecr 773682446], length 0
yE.%..w..Z... ... ..u.
13:22:18.066507 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 1, win 8232, options [nop,nop,TS val 773682522 ecr 2484342793], length 0
yF.. (U2.%..y ..uZ...
13:22:18.093983 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 1:113, ack 1, win 1039, options [nop,nop,TS val 2484342901 ecr 773682522], length 112
yF.%..R...U2y ...u..uZ
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
13:22:18.224227 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 113, win 8225, options [nop,nop,TS val 773682659 ecr 2484342901], length 0
y...
!.9..U2.%..y ..uu

It was after this that the login details were passed. That was in plain text, and omitted from this paste.

13:22:18.245486 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 113:432, ack 32, win 1039, options [nop,nop,TS val 2484343053 ecr 773682667], length 319
y..%..U2y ..u.
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
13:22:18.311309 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 432, win 8205, options [nop,nop,TS val 773682774 ecr 2484343053], length 0
3.s...U2.%..y ..vV...
13:22:18.384236 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [P.], seq 32:121, ack 432, win 8205, options [nop,nop,TS val 773682824 ecr 2484343053], length 89
.!..3.6...U2.%..y
2 ID (name iPhone Mail version 10B350 os iOS os-version 6.1.4 (10B350))
13:22:18.384634 IP 199.233.228.197.143 > 166.137.85.50.51685: Flags [P.], seq 432:462, ack 121, win 1039, options [nop,nop,TS val 2484343192 ecr 773682824], length 30
z..%..U2y ..v.
* ID NIL
2 OK ID completed.
13:22:18.455096 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [.], ack 462, win 8204, options [nop,nop,TS val 773682899 ecr 2484343192], length 0
{... ..f..U2.%..y ..v.
13:22:18.464945 IP 166.137.85.50.51685 > 199.233.228.197.143: Flags [P.], seq 121:136, ack 462, win 8204, options [nop,nop,TS val 773682901 ecr 2484343192], length 15
{... .U2.%..y ..v.
3 LIST *

-- 
Dan Langille -
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-17 09:26, Reindl Harald wrote:
> On 17.09.2013 15:01, Dan Langille wrote:
> > On 2013-09-17 08:43, Reindl Harald wrote:
> > > On 17.09.2013 14:39, Dan Langille wrote:
> > > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > > >
> > > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > > >
> > > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > > >
> > > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > > >
> > > > It seems that TLS is not supported by my client. Pity.
> > >
> > > iPhone is the worst mail client on this planet but for sure supports TLS
> > > Apple is here the same as Microsoft
> > >
> > > * remove the account completely
> > > * add it again and it will detect that encryption is available
> >
> > Done. But tcpdump is still showing me plain text.
>
> and you surely have ssl = yes in your configuration?
> dovecot -n does not show it here too while it is there

I do.

> dovecot -n does not show it here too while it is there
>
> *what* says telnet your-server 143

$ telnet imaps.unixathome.org 143
Trying 199.233.228.197...
Connected to imaps.unixathome.org.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

> if it is configured correctly you see STARTTLS in the capabilities
> if you do not see it then the problem is a completely different one
>
> * OK [CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN AUTH=SCRAM-SHA-1]

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-17 10:05, Reindl Harald wrote:
> On 17.09.2013 15:57, Dan Langille wrote:
> > On 2013-09-17 09:26, Reindl Harald wrote:
> > > On 17.09.2013 15:01, Dan Langille wrote:
> > > > On 2013-09-17 08:43, Reindl Harald wrote:
> > > > > On 17.09.2013 14:39, Dan Langille wrote:
> > > > > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > > > > >
> > > > > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > > > > >
> > > > > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > > > > >
> > > > > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > > > > >
> > > > > > It seems that TLS is not supported by my client. Pity.
> > > > >
> > > > > iPhone is the worst mail client on this planet but for sure supports TLS
> > > > > Apple is here the same as Microsoft
> > > > >
> > > > > * remove the account completely
> > > > > * add it again and it will detect that encryption is available
> > > >
> > > > Done. But tcpdump is still showing me plain text.
> > >
> > > and you surely have ssl = yes in your configuration?
> > > dovecot -n does not show it here too while it is there
> >
> > I do.
> >
> > > dovecot -n does not show it here too while it is there
> > >
> > > *what* says telnet your-server 143
> >
> > $ telnet imaps.unixathome.org 143
> > Trying 199.233.228.197...
> > Connected to imaps.unixathome.org.
> > Escape character is '^]'.
> > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> >
> > > if it is configured correctly you see STARTTLS in the capabilities
> > > if you do not see it then the problem is a completely different one
> > >
> > > * OK [CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN AUTH=SCRAM-SHA-1]
>
> may i suggest that you try a different mail client?
> pretty sure that this is one of the uncountable cases where Apple devices are failing

At present, I am using dovecot-1.2.17 on another server with a certificate from StartCom:

$ openssl s_client -connect nyi.unixathome.org:993 -quiet
depth=0 /description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=21:unable to verify the first certificate
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.

The server which fails me is running 2.1.16 (was 2.2 before this morning)

$ openssl s_client -connect imaps.unixathome.org:993 -quiet
depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
verify error:num=21:unable to verify the first certificate
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Somewhere, somehow, there is something vastly different and not working.

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 17.09.2013 15:57, Dan Langille wrote:
> On 2013-09-17 09:26, Reindl Harald wrote:
> > On 17.09.2013 15:01, Dan Langille wrote:
> > > On 2013-09-17 08:43, Reindl Harald wrote:
> > > > On 17.09.2013 14:39, Dan Langille wrote:
> > > > > On 2013-09-16 20:28, Noel Butler wrote:
> > > > > > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
> > > > >
> > > > > I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
> > > > >
> > > > > > But, if it does work on port 143 with TLS I wouldn't worry too much about it
> > > > >
> > > > > tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2
> > > > >
> > > > > It seems that TLS is not supported by my client. Pity.
> > > >
> > > > iPhone is the worst mail client on this planet but for sure supports TLS
> > > > Apple is here the same as Microsoft
> > > >
> > > > * remove the account completely
> > > > * add it again and it will detect that encryption is available
> > >
> > > Done. But tcpdump is still showing me plain text.
> >
> > and you surely have ssl = yes in your configuration?
> > dovecot -n does not show it here too while it is there
>
> I do.
>
> > dovecot -n does not show it here too while it is there
> >
> > *what* says telnet your-server 143
>
> $ telnet imaps.unixathome.org 143
> Trying 199.233.228.197...
> Connected to imaps.unixathome.org.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
>
> > if it is configured correctly you see STARTTLS in the capabilities
> > if you do not see it then the problem is a completely different one
> >
> > * OK [CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN AUTH=SCRAM-SHA-1]

may i suggest that you try a different mail client?
pretty sure that this is one of the uncountable cases where Apple devices are failing
Re: [Dovecot] SSL with startssl.com certificates
On 17.09.2013 16:32, Dan Langille wrote:
> > *what* says telnet your-server 143
>
> $ telnet imaps.unixathome.org 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
>
> At present, I am using dovecot-1.2.17 on another server with a certificate from StartCom:
>
> $ openssl s_client -connect nyi.unixathome.org:993 -quiet
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
>
> The server which fails me is running 2.1.16 (was 2.2 before this morning)
>
> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>
> Somewhere, somehow, there is something vastly different and not working

you are making it hard to impossible to help you if you are mixing servers and their responses

and port 993 will *never ever* show STARTTLS because it is IMAPS which enforces an encrypted connection and *not* STARTTLS where the initial connection is unencrypted by design

so *please* stay at *one* config, *one* machine and *one* port for debugging

if the machine in question announces STARTTLS on port 143 it should work and that is why i asked if *a different client* than an iPhone is using STARTTLS on *that* machine with *that config*
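The port rules stated in this thread (Reindl's "if it is configured correctly you see STARTTLS in the capabilities" for port 143, and "port 993 will never ever show STARTTLS") can be applied mechanically to the greetings quoted above. The Go program below is an added example, not code from the thread or from Dovecot; AuditGreeting and Capabilities are my names. It also flags what the posted config (disable_plaintext_auth = no) allowed and the tcpdump earlier showed: AUTH=PLAIN offered on the cleartext port before STARTTLS. The third greeting, with LOGINDISABLED instead of AUTH=PLAIN, is constructed to show the 143 greeting after disable_plaintext_auth = yes.

```go
package main

import (
	"fmt"
	"strings"
)

// Capabilities extracts the capability tokens from an untagged IMAP greeting
// such as "* OK [CAPABILITY IMAP4rev1 ... STARTTLS AUTH=PLAIN] Dovecot ready."
// The second return value is false when the greeting carries no CAPABILITY code.
func Capabilities(greeting string) (map[string]bool, bool) {
	const marker = "[CAPABILITY "
	start := strings.Index(greeting, marker)
	if start < 0 {
		return nil, false
	}
	rest := greeting[start+len(marker):]
	end := strings.Index(rest, "]")
	if end < 0 {
		return nil, false
	}
	caps := make(map[string]bool)
	for _, tok := range strings.Fields(rest[:end]) {
		caps[strings.ToUpper(tok)] = true
	}
	return caps, true
}

// AuditGreeting applies the thread's port rules to a greeting received on
// the given port: 143 is cleartext until the client issues STARTTLS, so
// STARTTLS must be advertised there and plaintext authentication should not
// be; 993 (IMAPS) is encrypted from the first byte, so STARTTLS is not
// expected on it. It returns one finding per problem, none when all is well.
func AuditGreeting(port int, greeting string) []string {
	caps, ok := Capabilities(greeting)
	if !ok {
		return []string{"greeting carries no CAPABILITY response code"}
	}
	// Any AUTH=<mechanism> token means credentials are accepted on the
	// connection as it currently stands.
	authOffered := false
	for c := range caps {
		if strings.HasPrefix(c, "AUTH=") {
			authOffered = true
		}
	}
	var findings []string
	switch port {
	case 143:
		if !caps["STARTTLS"] {
			findings = append(findings, "port 143: STARTTLS not advertised; TLS is not available on this listener")
		}
		if authOffered && !caps["LOGINDISABLED"] {
			findings = append(findings, "port 143: plaintext authentication offered before STARTTLS (disable_plaintext_auth = no); a client that skips STARTTLS logs in in the clear")
		}
	case 993:
		if caps["STARTTLS"] {
			findings = append(findings, "port 993: STARTTLS advertised on an implicit-TLS port; check which listener answered")
		}
	default:
		findings = append(findings, fmt.Sprintf("port %d: not a standard IMAP port, no rule applied", port))
	}
	return findings
}

func main() {
	// First two greetings are the ones quoted in the thread (telnet to 143,
	// openssl s_client to 993); the third is a constructed hardened 143 greeting.
	samples := []struct {
		port     int
		greeting string
	}{
		{143, "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready."},
		{993, "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready."},
		{143, "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."},
	}
	for _, s := range samples {
		findings := AuditGreeting(s.port, s.greeting)
		fmt.Printf("port %d: %d finding(s)\n", s.port, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```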
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-17 10:39, Reindl Harald wrote:
> On 17.09.2013 16:32, Dan Langille wrote:
> > > *what* says telnet your-server 143
> >
> > $ telnet imaps.unixathome.org 143
> > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> >
> > At present, I am using dovecot-1.2.17 on another server with a certificate from StartCom:
> >
> > $ openssl s_client -connect nyi.unixathome.org:993 -quiet
> > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
> >
> > The server which fails me is running 2.1.16 (was 2.2 before this morning)
> >
> > $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
> >
> > Somewhere, somehow, there is something vastly different and not working
>
> you are making it hard to impossible to help you if you are mixing servers and their responses
>
> and port 993 will *never ever* show STARTTLS because it is IMAPS which enforces an encrypted connection and *not* STARTTLS where the initial connection is unencrypted by design
>
> so *please* stay at *one* config, *one* machine and *one* port for debugging
>
> if the machine in question announces STARTTLS on port 143 it should work and that is why i asked if *a different client* than an iPhone is using STARTTLS on *that* machine with *that config*

Oh I misunderstood. I thought you were suggesting I stop trying to get this to work, give in, and *just use another email client*. My apologies.

I was looking for another iPhone email client which was free and did IMAP. I failed. I think I'll just have to pay for one and try it.

I've run out of time just now. I'll try again soon.

Thank you.

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 17/09/2013 at 16:32, Dan Langille wrote:
> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>
> Somewhere, somehow, there is something vastly different and not working.

Hi,

Something is definitely wrong with your certificate chain. The first certificate listed in your chain (depth 2) should be StartCom's root CA, bearing CN = StartCom Certification Authority, the 2nd one (depth 1) should be the intermediate cert, bearing CN = StartCom Class 1 Primary Intermediate Server CA and the last one (depth 0) should be yours.

You said in an earlier message that you had put the 3 certs (yours, then the intermediate, and then the root) in your crt file. Is it still the case? If not, you really *must* do it, even if you find it makes no difference. Maybe there's another problem somewhere else, but this chain is a prerequisite for many clients to work.

Regards,
Bruno

-- 
- Service Hydrographique et Oceanographique de la Marine - DMGS/INF
- 13, rue du Chatellier - CS 92803 - 29228 Brest Cedex 2, FRANCE
- Phone: +33 2 98 22 17 49 - Email: bruno.tregu...@shom.fr
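The file layout Bruno asks for (your certificate first, then the intermediate, then the root, each one issued by the next) can be checked offline before the bundle is handed to Dovecot as ssl_cert. The Go program below is an added example, not code from the thread or from Dovecot; CheckChainOrder, BuildSampleChain and Concat are my names, and the certificates it generates are constructed stand-ins for the StartCom root, intermediate and server certificates, not the real ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder parses a PEM bundle laid out as the thread describes for
// ssl_cert (server certificate, then intermediate, then root) and returns nil
// only if every certificate is signed by the one after it and the bundle ends
// at a self-signed root. Any other layout is the kind of gap that shows up on
// the client as "unable to get local issuer certificate".
func CheckChainOrder(bundle []byte) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM objects in the same file are skipped
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("certificate %d does not parse: %v", len(certs), err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("bundle contains no certificates")
	}
	if certs[0].IsCA {
		return fmt.Errorf("first certificate %q is a CA; the server certificate must come first", certs[0].Subject.CommonName)
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d %q is not issued by certificate %d %q: %v",
				i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	last := certs[len(certs)-1]
	if err := last.CheckSignatureFrom(last); err != nil {
		return fmt.Errorf("bundle ends at %q, which is not a self-signed root: intermediate or root missing", last.Subject.CommonName)
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn, self-signed when parent is nil.
// Constructed test material only, standing in for the real CA certificates.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleChain returns PEM for a constructed server, intermediate and root certificate.
func BuildSampleChain() (leaf, inter, root []byte) {
	rootCert, rootKey, rootPEM := newCert("Test Root CA", true, nil, nil)
	interCert, interKey, interPEM := newCert("Test Intermediate CA", true, rootCert, rootKey)
	_, _, leafPEM := newCert("imaps.example.invalid", false, interCert, interKey)
	return leafPEM, interPEM, rootPEM
}

// Concat joins PEM blocks in the order they would appear in the ssl_cert file.
func Concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func main() {
	leaf, inter, root := BuildSampleChain()
	fmt.Println("leaf, inter, root:", CheckChainOrder(Concat(leaf, inter, root)))
	fmt.Println("leaf, root:       ", CheckChainOrder(Concat(leaf, root)))
	fmt.Println("root, inter, leaf:", CheckChainOrder(Concat(root, inter, leaf)))
}
```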
Re: [Dovecot] SSL with startssl.com certificates
On 17.09.2013 16:44, Dan Langille wrote:
> On 2013-09-17 10:39, Reindl Harald wrote:
> > you are making it hard to impossible to help you if you are mixing servers and their responses
> >
> > and port 993 will *never ever* show STARTTLS because it is IMAPS which enforces an encrypted connection and *not* STARTTLS where the initial connection is unencrypted by design
> >
> > so *please* stay at *one* config, *one* machine and *one* port for debugging
> >
> > if the machine in question announces STARTTLS on port 143 it should work and that is why i asked if *a different client* than an iPhone is using STARTTLS on *that* machine with *that config*
>
> Oh I misunderstood. I thought you were suggesting I stop trying to get this to work, give in, and *just use another email client*. My apologies.
>
> I was looking for another iPhone email client which was free and did IMAP. I failed. I think I'll just have to pay for one and try it.
>
> I've run out of time just now. I'll try again soon

i asked for using *a different device* like Thunderbird or whatever on a PC to confirm that STARTTLS is working in general or not and not a different application on the same Apple device

as we all know that any app on an iPhone is using *the same* backends as the vendor application, that's why there is no Firefox because they would have to use Safari and make a nice window around it but not their own rendering engine

with thunderbird you can *explicitly* switch between IMAPS on 993 and STARTTLS on port 143 and so easily verify if the server is working and only your specific client has a problem
Re: [Dovecot] SSL with startssl.com certificates
On 16 Sep 2013, at 08:10 , Dan Langille d...@langille.org wrote:
> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.

This is very odd. For the record, I used an iPhone (iOS 7) and iPad (iOS 7), and a couple of Macs, and at least 5 other users use iPhones with iOS 6, and several people are using Macs (OS X 10.6 through 10.9) to connect to my server via SSL.

The only thing that may be different is that I do not allow non-secure connections.

in the account setting on the phone:

Use SSL [X]
authentication: Password
IMAP Path Prefix: /
Server Port: 993

the '/' is grayed out as the default no entry choice

STARTTLS works just fine on the Submission port (587)

-- 
Evil is a little man afraid for his job.
Re: [Dovecot] SSL with startssl.com certificates
On Tue, 2013-09-17 at 08:39 -0400, Dan Langille wrote:
> > Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot that way it won't interfere with your ports installation and try that, the one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.
>
> I just tried 2.1.16. The iPhone has no trouble on 143 but on 993, it's just like 2.2
>
> > But, if it does work on port 143 with TLS I wouldn't worry too much about it
>
> tcpdump is showing me raw text going past, so I know I'm not getting TLS on either Dovecot 2.1 or 2.2

Hrmm, do you still have that profile of when you used my test a/c? if so TLS definitely worked, so just try changing the user/pass/server... or see what's different between the two profiles.

> It seems that TLS is not supported by my client. Pity.

Yes, TLS is supported on your iphone, and works

imap-login: Info: Login: user=xxx@, method=PLAIN, rip=xxx, TLS

> I thank you for your help though. We have a workaround, which is good enough for my particular situation: self-signed certificates. However, that solution is not ideal for most people. It is for that reason that I'm willing to keep hacking at this if others have further ideas / suggestions.

Do you have another PC based mail client you can test with? one that you have never used to the mail server before and won't have ever accepted a cert from that server, be it startssl's, or self signed, so something completely clean, and try connect and see if cert fails?
Re: [Dovecot] SSL with startssl.com certificates
> On Sep 14, 2013, at 10:36 PM, Noel Butler wrote:
> > On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:
> > > Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
> >
> > Well, it's likely an Apple fault, after all their implementation of pop3 has been known to be broken for many many many years, but still after all these years are incapable of finding a developer to fix it by inserting a QUIT after it's done everything.
> >
> > > Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
> > >
> > > What is this… read client certificate? There is no client certification in this config.
> >
> > dovecot wants to know if your client wishes to authenticate using a local-to-client certificate, wouldn't focus too much on that (unless that client is trying to give a certificate that is invalid - not sure, I have never ever in 20 years, seen any client try to auth with a local certificate to a mail server)...
> >
> > is this just one user? or all using apple? is it you?
>
> It is just me (I'm my only user). Neither my Macbook nor my iPhone can use this IMAP server. I got a colleague to try his iPhone; same problem there too.
>
> > Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)
>
> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.
>
> # doveconf nf -n
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> disable_plaintext_auth = no
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     address = 199.233.228.197
>   }
>   inet_listener imaps {
>     port = 0
>   }
> }
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
>
> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text. I suppose that's not so big an issue, given they are delivered in plain text. But it would be better to have the IMAP connection secured.

a successful TLS login appears like (and this particular user I know uses an ipad) :

Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [101.xx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [101.x]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [101.x]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [101.]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [101.xxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [101.]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [101.x]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [101.xx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [101.x]
Sep 15 12:09:45 imap-login: Info: Login: userx@x, method=PLAIN, rip=x, TLS

> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }

inet_listener imap {
  port = 143   -- use it for TLS, it's possible this is why it fails as it's falling back to TLS, I can't test that theory since we all use android devices.
}
inet_listener imaps {
  port = 993
}

Anyway, the fact you said thunderbird works, indicates it is not a cert issue, and I fail to see dovecot issue, have they
Re: [Dovecot] SSL with startssl.com certificates
On 16.09.2013 16:10, Dan Langille wrote:

>> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)
>
> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.
>
> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text

you need to understand the difference between IMAPS/POP3S on the dedicated 9xx ports versus STARTTLS on 143/110

http://en.wikipedia.org/wiki/STARTTLS

if you turn off SSL it is turned off; on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL
Re: [Dovecot] SSL with startssl.com certificates
On Sep 16, 2013, at 10:21 AM, Reindl Harald wrote:

> On 16.09.2013 16:10, Dan Langille wrote:
>
>>> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)
>>
>> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.
>>
>> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text
>
> you need to understand the difference between IMAPS/POP3S on the dedicated 9xx ports versus STARTTLS on 143/110

I believe I do understand.

> http://en.wikipedia.org/wiki/STARTTLS

Yes, that's what I thought STARTTLS was.

> if you turn off SSL it is turned off; on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL

So far, with all we've tried, the only secure option appears to be self signed certificates.

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On 16.09.2013 16:48, Dan Langille wrote:

> On Sep 16, 2013, at 10:21 AM, Reindl Harald wrote:
>
>> On 16.09.2013 16:10, Dan Langille wrote:
>>
>>>> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)
>>>
>>> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.
>>>
>>> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text
>>
>> you need to understand the difference between IMAPS/POP3S on the dedicated 9xx ports versus STARTTLS on 143/110
>
> I believe I do understand.
>
>> http://en.wikipedia.org/wiki/STARTTLS
>
> Yes, that's what I thought STARTTLS was.
>
>> if you turn off SSL it is turned off; on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL
>
> So far, with all we've tried, the only secure option appears to be self signed certificates

having like here since 2009 a Thawte certificate for SMTP/POP3/IMAP/HTTPS without any issue is the better option because it is accepted by *any* client and not *that* expensive

dealing with self-signed certificates is *plain wrong* because you educate your users to happily confirm SSL warnings in their clients, and having the final result of this in mind it's better not to offer SSL at all
Re: [Dovecot] SSL with startssl.com certificates
On Sep 16, 2013, at 10:56 AM, Reindl Harald wrote:

> On 16.09.2013 16:48, Dan Langille wrote:
>
>> On Sep 16, 2013, at 10:21 AM, Reindl Harald wrote:
>>
>>> On 16.09.2013 16:10, Dan Langille wrote:
>>>
>>>>> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)
>>>>
>>>> For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went to my iPhone and turned off SSL for this mail account. That configuration works for my iPhone.
>>>>
>>>> Looking via tcpdump, I can see that emails are indeed being downloaded in clear text
>>>
>>> you need to understand the difference between IMAPS/POP3S on the dedicated 9xx ports versus STARTTLS on 143/110
>>
>> I believe I do understand.
>>
>>> http://en.wikipedia.org/wiki/STARTTLS
>>
>> Yes, that's what I thought STARTTLS was.
>>
>>> if you turn off SSL it is turned off; on sane clients like thunderbird you can switch between cleartext/STARTTLS and SSL
>>
>> So far, with all we've tried, the only secure option appears to be self signed certificates
>
> having like here since 2009 a Thawte certificate for SMTP/POP3/IMAP/HTTPS without any issue is the better option because it is accepted by *any* client and not *that* expensive
>
> dealing with self-signed certificates is *plain wrong* because you educate your users to happily confirm SSL warnings in their clients, and having the final result of this in mind it's better not to offer SSL at all

When I am setting up servers for others to use, I agree. In this case, I am the only user.

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On Mon, 2013-09-16 at 10:10 -0400, Dan Langille wrote:

> On Sep 14, 2013, at 10:36 PM, Noel Butler wrote:
>
>> On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:
>>
>>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>>
>> Well, it's likely an Apple fault, after all their implementation of pop3 has been known to be broken for many many many years, but still after all these years are incapable of finding a developer to fix it by inserting a QUIT after it's done everything.

Since we just ruled this one out, might I suggest you grab the source and build it, install it all under /opt/dovecot; that way it won't interfere with your ports installation, and try that. The one you successfully just tested uses dovecot 2.1 not 2.2, so maybe try source of 2.1 and see if it works.

But, if it does work on port 143 with TLS I wouldn't worry too much about it, the only place that seems to prefer it is the NSA's mail server, oops, I mean gmail, not many ISPs these days bother with it, it has been withdrawn for years since most clients can handle TLS, the better way to do it, like they don't bother with smtps either, the *s version is really only supported for those running antique versions of windows that don't understand TLS, and yes that's more micro$lops fault, just like SNI that's been available even in lynx and other older browsers/epiphany/galeon etc) since 2005ish. But M$ doesn't give a toss about its users, a very senior M$ dev on his personal blog a year or so ago wrote they need to upgrade to windows 7 or 8 yup they only see $$$ not happy users (I posted a comment btw that went along the lines of or mid last decade version of linux ;)
Re: [Dovecot] SSL with startssl.com certificates
On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:

> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
>
>> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
>>
>> I have three certs in this chain file:
>>
>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>>
>> 1 - the certificate issued by startssl for my server
>> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
>
> That is the correct chain method, and order
>
>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>
> Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.
>
>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>
> correct method, so long as the cert and key files are named correctly and in the right location.
>
>> ssl = required
>
> Bit dangerous... and may be the cause of your problems, change to:
>
> ssl = yes
>
> We use startssl and have many android, blackberry, and iphone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using startssl

Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.

I also tried the cert bundle mentioned by Johan.

The server says:

Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=8+862VzmPwCtMcPW

What is this… read client certificate? There is no client certification in this config.

doveconf -n:

# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_cert = </usr/local/etc/ssl/testing.chain.pem
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
Are you getting asked to add an exception to the email application's certificate dialogue box? This is an example with Thunderbird.

http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

Dan

On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille d...@langille.org wrote:

> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>
>> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
>>
>>> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
>>>
>>> I have three certs in this chain file:
>>>
>>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>>>
>>> 1 - the certificate issued by startssl for my server
>>> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
>>
>> That is the correct chain method, and order
>>
>>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>> verify error:num=19:self signed certificate in certificate chain
>>
>> Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.
>>
>>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>>
>> correct method, so long as the cert and key files are named correctly and in the right location.
>>
>>> ssl = required
>>
>> Bit dangerous... and may be the cause of your problems, change to:
>>
>> ssl = yes
>>
>> We use startssl and have many android, blackberry, and iphone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using startssl
>
> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>
> I also tried the cert bundle mentioned by Johan.
>
> The server says:
>
> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=8+862VzmPwCtMcPW
>
> What is this… read client certificate? There is no client certification in this config.
>
> doveconf -n:
>
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
>
> -- 
> Dan Langille - http://langille.org

-- 
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c) 410-455-0488(h)
Re: [Dovecot] SSL with startssl.com certificates
On Sep 14, 2013, at 3:28 PM, Daniel Reinhardt wrote:

> Are you getting asked to add an exception to the email application's certificate dialogue box? This is an example with Thunderbird.
>
> http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

No, it never gets to that point. Mail.app crashes right after I start it.

I am able to access this IMAP server with Thunderbird.

> Dan
>
> On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille d...@langille.org wrote:
>
>> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>>
>>> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
>>>
>>>> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
>>>>
>>>> I have three certs in this chain file:
>>>>
>>>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>>>>
>>>> 1 - the certificate issued by startssl for my server
>>>> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
>>>
>>> That is the correct chain method, and order
>>>
>>>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>>> verify error:num=19:self signed certificate in certificate chain
>>>
>>> Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.
>>>
>>>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>>>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>>>
>>> correct method, so long as the cert and key files are named correctly and in the right location.
>>>
>>>> ssl = required
>>>
>>> Bit dangerous... and may be the cause of your problems, change to:
>>>
>>> ssl = yes
>>>
>>> We use startssl and have many android, blackberry, and iphone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using startssl
>>
>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>>
>> I also tried the cert bundle mentioned by Johan.
>>
>> The server says:
>>
>> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=8+862VzmPwCtMcPW
>>
>> What is this… read client certificate? There is no client certification in this config.
>>
>> doveconf -n:
>>
>> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 9.1-RELEASE-p6 amd64
>> auth_debug = yes
>> auth_verbose = yes
>> first_valid_gid = 1001
>> first_valid_uid = 1001
>> mail_debug = yes
>> mail_location = maildir:~/Maildir
>> mail_privileged_group = mail
>> passdb {
>>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>>   driver = passwd-file
>> }
>> protocols = imap
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     address = 199.233.228.197
>>   }
>> }
>> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>> userdb {
>>   args = /var/db/dovecot.users
>>   driver = passwd-file
>> }
>> verbose_proctitle = yes
>> verbose_ssl = yes
>> protocol imap {
>>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
>> }
>>
>> -- 
>> Dan Langille - http://langille.org
>
> -- 
> Daniel Reinhardt
> crypto...@cryptodan.net
> http://www.cryptodan.net
> 301-875-7018(c) 410-455-0488(h)

-- 
Dan Langille - http://langille.org
Re: [Dovecot] SSL with startssl.com certificates
On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:

> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.

Well, it's likely an Apple fault, after all their implementation of pop3 has been known to be broken for many many many years, but still after all these years are incapable of finding a developer to fix it by inserting a QUIT after it's done everything.

> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>
> What is this… read client certificate? There is no client certification in this config.

dovecot wants to know if your client wishes to authenticate using a local-to-client certificate, wouldn't focus too much on that (unless that client is trying to give a certificate that is invalid - not sure, I have never ever in 20 years, seen any client try to auth with a local certificate to a mail server)...

is this just one user? or all using apple? is it you?

Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs has really been deprecated everywhere for some time now)

a successful TLS login appears like (and this particular user I know uses an ipad):

Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [101.xx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [101.x]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [101.x]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [101.]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [101.xxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [101.]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [101.x]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [101.xx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [101.x]
Sep 15 12:09:45 imap-login: Info: Login: userx@x, method=PLAIN, rip=x, TLS

> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }

inet_listener imap {
  port = 143   -- use it for TLS, it's possible this is why it fails as it's falling back to TLS; I can't test that theory since we all use android devices.
}
inet_listener imaps {
  port = 993
}

Anyway, the fact you said thunderbird works, indicates it is not a cert issue, and I fail to see dovecot issue, have they tried another mail app?
[Dovecot] SSL with startssl.com certificates
I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g. StartSSL.com)

With StartSSL certs: I've been able to connect and test commands via:

openssl s_client -connect imaps.unixathome.org:993

Can you configure your iPhone or Macbook to access the above? Authentication isn't the issue. Connection is the issue.

I've been able to get Thunderbird to connect and access my mail. However, I've been unable to get my iPhone or my Mac configured to use the same IMAP server. On the iPhone, adding the new Mail account causes the Settings app to crash on a persistently consistent basis when adding the new account. The crash occurs when connecting to the IMAPS server. Configuration never completes.

I suspect the problem is SSL because in both cases (iPhone and Mac), I see these messages in the logs:

*** /var/log/debug.log ***
Sep 13 11:50:32 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: auth: Debug: auth client connected (pid=31647)
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [166.137.84.11]

*** /var/log/maillog ***
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=a7AJd0LmWwCmiVQL

/usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert issued by StartSSL
/usr/local/etc/ssl/imaps.unixathome.org.nopassword.key contains a no-password key generated by myself.

Output of doveconf -n:

# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl = required
ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 09/13/13 07:59 AM, Dan Langille wrote:

> I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g. StartSSL.com)
>
> /usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert issued by StartSSL

Maybe you are missing some of the certificate chain.

http://wiki2.dovecot.org/SSL/DovecotConfiguration (Chained SSL certificates)
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-13 09:18, Oscar del Rio wrote:

> On 09/13/13 07:59 AM, Dan Langille wrote:
>
>> I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g. StartSSL.com)
>>
>> /usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert issued by StartSSL
>
> Maybe you are missing some of the certificate chain.
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration (Chained SSL certificates)

I tried that yesterday and it seemed to make no difference. My attempts were based on http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:

I have three certs in this chain file:

cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem

1 - the certificate issued by startssl for my server
2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/

I am not convinced that I have the appropriate PEM files for StartSSL.

I verified the cert chain:

# openssl verify -CAfile testing.chain.pem imaps.unixathome.org.crt
imaps.unixathome.org.crt: OK

When I test the connection, I see:

$ openssl s_client -connect imaps.unixathome.org:993 -quiet
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Ideas?

-- 
Dan Langille - http://langille.org/
Re: [Dovecot] SSL with startssl.com certificates
On 2013-09-13 10:18, Dan Langille wrote:

> On 2013-09-13 09:18, Oscar del Rio wrote:
>
>> On 09/13/13 07:59 AM, Dan Langille wrote:
>>
>>> I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g. StartSSL.com)
>>>
>>> /usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert issued by StartSSL
>>
>> Maybe you are missing some of the certificate chain.
>>
>> http://wiki2.dovecot.org/SSL/DovecotConfiguration (Chained SSL certificates)
>
> I tried that yesterday and it seemed to make no difference. My attempts were based on http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html
>
> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
>
> I have three certs in this chain file:
>
> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>
> 1 - the certificate issued by startssl for my server
> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/

The following test seems to indicate I have SSL configured correctly:

http://www.sslshopper.com/ssl-checker.html#hostname=imaps.unixathome.org:993

A similar test from http://www.digicert.com/help/ does not find an issue.

Even better, this test shows the certs it finds: http://certlogik.com/ssl-checker/

Not sure what to conclude yet.
Re: [Dovecot] SSL with startssl.com certificates
> I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g.

my setup is similar (although I'm at dovecot 2.1.17) using certs from StartSSL with several macs and many iphones, and it works.

The only thing (that seems relevant) that's different in our configs is that I have this line:

ssl_ca = </etc/ssl/ca-bundle.crt

which is just http://www.startssl.com/certs/ca-bundle.pem

.jh
Re: [Dovecot] SSL with startssl.com certificates
On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:

> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
>
> I have three certs in this chain file:
>
> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>
> 1 - the certificate issued by startssl for my server
> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/

That is the correct chain method, and order

> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain

Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.

> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key

correct method, so long as the cert and key files are named correctly and in the right location.

> ssl = required

Bit dangerous... and may be the cause of your problems, change to:

ssl = yes

We use startssl and have many android, blackberry, and iphone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using startssl
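The procedure Dan runs in this thread (cat the three PEM files into one bundle, openssl verify, openssl s_client) and Noel's remark on its order, as an added example that is not part of the thread: it builds a throw-away leaf/intermediate/root chain with invented names, checks that a bundle is ordered leaf first and root last (each certificate issued by the one after it, which is the order Dovecot's ssl_cert file needs), and verifies the leaf the way a client does, trusting only the root and taking the intermediate from the bundle. It needs only openssl(1), 1.1.1 or later; every file name is an assumption. Two details worth knowing: openssl verify -CAfile bundle.pem leaf.crt, as run above, proves that the files in the bundle chain together but says nothing about what Dovecot actually sends, which is what openssl s_client -showcerts shows; and s_client's "verify error:num=19:self signed certificate in certificate chain" means only that s_client was handed no root to trust, so with -CAfile pointing at the root it reports "Verify return code: 0 (ok)" when the served chain is complete.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a throw-away leaf/intermediate/
# root chain (all names invented), then checks a PEM bundle for the order
# Dovecot needs and verifies the leaf the way a client does.
# Requires openssl(1) 1.1.1 or later; no network access.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
REQ_CNF="$WORK/req.cnf"
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$REQ_CNF"
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# make_test_chain DIR: writes root.pem, int.pem, leaf.pem (and keys) into DIR.
make_test_chain() {
    d=$1
    # self-signed root CA
    openssl req -x509 -config "$REQ_CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 2 -subj '/CN=Demo Root CA' 2>/dev/null
    # intermediate CA, signed by the root, CA extensions from ca.ext
    openssl req -new -config "$REQ_CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj '/CN=Demo Intermediate CA' 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$WORK/ca.ext" -out "$d/int.pem" 2>/dev/null
    # server certificate, signed by the intermediate
    openssl req -new -config "$REQ_CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj '/CN=imap.example.test' 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# check_chain_order BUNDLE: print "ok" if every certificate in the bundle is
# issued by the one that follows it (leaf first, root last), otherwise say
# where the order breaks.
check_chain_order() {
    tmp=$(mktemp -d)
    # split the bundle into 1.pem, 2.pem, ... in file order; n = certificate count
    n=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (d "/" n ".pem") }
        END { print n + 0 }' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
        # both commands prefix their output with "issuer=" / "subject="
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$tmp"
            echo "bad order: certificate $i is not issued by certificate $((i + 1))"
            return 0
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo ok
}

# verify_leaf LEAF ROOT [INTERMEDIATE]: trust only ROOT, treat INTERMEDIATE
# as untrusted chain material, exactly as a mail client does.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi && echo ok || echo fail
}

make_test_chain "$WORK"
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/good.pem"
cat "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/bad.pem"
echo "leaf,int,root bundle:          $(check_chain_order "$WORK/good.pem")"
echo "root,int,leaf bundle:          $(check_chain_order "$WORK/bad.pem")"
echo "verify with intermediate:      $(verify_leaf "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem")"
echo "verify without intermediate:   $(verify_leaf "$WORK/leaf.pem" "$WORK/root.pem")"
```

To run the order check against what a server really sends, capture the served chain first: openssl s_client -connect host:993 -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > served.pem, then check_chain_order served.pem. The "verify without intermediate" case is the thread's starting point, a ssl_cert file holding only the StartSSL-issued certificate.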
[Dovecot] SSL Cipher Order in Dovecot
Hi,

I want that dovecot uses PFS with my Apple devices. I set the cipher list to:

ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4

I got this from here: http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/

But then my only Outlook 2010 client won't connect. If I enable rsa-aes128-SHA again in third place, all clients connect without DHE.

Doesn't dovecot honor the cipher order in the config?

Kind regards
Marc
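As an added example that is not part of the thread: before blaming Dovecot's ordering, expand the string the way libssl will and read the key-exchange column. A keyword libssl does not recognise is dropped silently rather than rejected, as long as something is left (the demo uses a deliberately nonsense keyword; run suite_count with and without !CBC to see whether your OpenSSL knows that one), and DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA are themselves CBC suites, so a working !CBC would remove exactly the two suites the list starts with. Ordering also only ranks suites both sides offer; a client that offers no (EC)DHE suite cannot get forward secrecy however the server sorts its list. Whether the server's order beats the client's at all is ssl_prefer_server_ciphers, added in Dovecot 2.2.6 and off by default. The cipher strings in the demo are my own, not Marc's; the functions only post-process openssl(1) output.

```sh
#!/bin/sh
# Added example, not from the thread. Expands an OpenSSL cipher string the
# way libssl will and checks the key-exchange column for forward secrecy.
# The cipher strings used in the demo are my own, not Marc's.
set -eu

# pfs_only LIST: print "ok" if every suite LIST expands to uses an ephemeral
# key exchange, otherwise print the offending suites, one per line.
# openssl ciphers -v prints: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
# Kx=DH and Kx=ECDH are (EC)DHE; Kx=any is TLS 1.3, whose exchange is always
# ephemeral; the PSK variants with (EC)DHE are ephemeral too.
pfs_only() {
    bad=$(openssl ciphers -v "$1" | awk '$3 !~ /^Kx=(DH|ECDH|any|DHEPSK|ECDHEPSK)$/ { print $1 }')
    if [ -z "$bad" ]; then echo ok; else printf '%s\n' "$bad"; fi
}

# suite_count LIST: number of suites LIST expands to. A keyword libssl does
# not recognise is dropped silently (the string only fails when nothing is
# left), so comparing counts with and without a keyword shows whether it
# did anything.
suite_count() {
    openssl ciphers "$1" | tr ':' '\n' | wc -l | tr -d ' '
}

for list in 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256' \
            'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256'; do
    echo "$list"
    echo "  non-PFS suites: $(pfs_only "$list" | tr '\n' ' ')"
done
echo "suites with a bogus keyword:    $(suite_count 'ECDHE-RSA-AES128-GCM-SHA256:!NOSUCHKEYWORD')"
echo "suites without it:              $(suite_count 'ECDHE-RSA-AES128-GCM-SHA256')"
```

On OpenSSL 1.1.1 and later the expansion also lists the TLS 1.3 suites (Kx=any) in front of whatever the string names; those are not controlled by ssl_cipher_list at all.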
Re: [Dovecot] SSL warning messages
On 18.7.2013, at 19.33, Anand Kumria wildf...@progsoc.org wrote:

> I've had the following appear in my logfile, and am just wondering what the warning means?
>
> dovecot: managesieve-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [a.b.c.d]
> dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [w.x.y.z]
>
> Should I be worrying about these kinds of messages?

No. They are normal. Since this gets asked a bit too often, changing it to a debug message should help I hope: http://hg.dovecot.org/dovecot-2.2/rev/2714f51e2355

Anyway, you probably shouldn't be using verbose_ssl=yes unless you're actually debugging some SSL issues (I guess the setting should have really been named ssl_debug=yes).
[Dovecot] SSL warning messages
Hi,

I've had the following appear in my logfile, and am just wondering what the warning means?

dovecot: managesieve-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [a.b.c.d]
dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [w.x.y.z]

Should I be worrying about these kinds of messages?

Dovecot 2.2.4 on Ubuntu 12.04 LTS if it is important.

Thanks,
Anand
[Dovecot] SSL cert problem
Hi, I'm running a new dovecot 2.0.9 under Centos 6.4. I'm having an issue with the SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem. For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what, thunderbird still complains with Unknown identity.

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %n
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_fsync = never
mail_home = /vmail/%u
mail_location = maildir:~/Maildir
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service lmtp {
  unix_listener lmtp {
    user = vmail
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/pki/dovecot/certs/mail.pem
ssl_key = </etc/pki/dovecot/private/mail.example.com.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = sieve quota
}
protocol lda {
  mail_plugins = sieve quota
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}

This is the log:

Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.0.1]
Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts): rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

Thx in advance

-- 
Peter
Re: [Dovecot] SSL cert problem
On 11.07.2013 20:47, Peter von Nostrand wrote:
I'm running a new dovecot 2.0.9 under Centos 6.4. I'm having an issue with SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem. For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what thunderbird still complains with Unknown identity.

because thunderbird does not trust your own CA by default without importing it there by hand - you can not expect to cat your CA to the cert for the server and that is enough to get trusted by the client - if so everybody would do this to make his DNS forgery successful

please do not post debug logs anywhere without being requested

This is the log:
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.1]

the below is clear because the client does not finish the TLS handshake

Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts): rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46
Re: [Dovecot] SSL cert problem
On 11.07.2013 21:51, Peter von Nostrand wrote:
On Thu, Jul 11, 2013 at 4:23 PM, Reindl Harald wrote:
because thunderbird does not trust your own CA by default without importing it there by hand - you can not expect to cat your CA to the cert for the server and that is enough to get trusted by the client - if so everybody would do this to make his DNS forgery successful

Sorry, I should specify that I already have my root CA certificates loaded in thunderbird

much more important: you should reply this to the list and not off-list, fixed by me, no need to send it again
Re: [Dovecot] SSL cert problem
On 7/11/2013 11:47 AM, Peter von Nostrand wrote: Hi, I'm running a new dovecot 2.0.9 under Centos 6.4. I'm having an issue with SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem. For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what thunderbird still complains with Unknown identity. If you have access to a Unix / Linux system, you can use openssl with the s_client command to connect to your mail server, much as you would have done with telnet in the old days. openssl shows all of the key exchange in detail and should be more than enough for you to be able to debug your problem. Compare fingerprints of the keys you have stored with those being sent to/from the server. Example: openssl s_client -connect mail.mydomain.com:995 Dem
Re: [Dovecot] SSL cert problem
At 1PM -0700 on 11/07/13 you (Professa Dementia) wrote: If you have access to a Unix / Linux system, you can use openssl with the s_client command to connect to your mail server, much as you would have done with telnet in the old days. openssl shows all of the key exchange in detail and should be more than enough for you to be able to debug your problem. Compare fingerprints of the keys you have stored with those being sent to/from the server. Example: openssl s_client -connect mail.mydomain.com:995 For STARTTLS that needs to be openssl s_client -starttls imap mail.mydomain.com:143 Ben
[Dovecot] SSL problems on dovecot 2.1.7
When I upgraded my debian-based imap server from squeeze to wheezy yesterday, SSL stopped working. I am using a http://cacert.org signed server certificate, and I am reusing the certificates that were used on the 1.x dovecot of debian squeeze. My three MUAs that worked against the previous 1.x dovecot with the same certificate now fail in various ways.

Any hints and guesses as to how to debug this further will be highly appreciated. Even more appreciated will be a pin point of the issue. :-)

Here are the error messages from the MUAs:

- Opera 12.15 on Windows 7 just reports: The connection with the IMAP server was unexpectedly interrupted.

- Emacs24 (w/linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says imap.mydomain.com certificate could not be verified.

- Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with Emacs23 gnutls-cli is run in a subprocess), says:
  Opening connection to imap.mydomain.com via tls...
  Opening TLS connection to `imap.mydomain.com'...
  Opening TLS connection with `gnutls-cli --insecure -p 993 imap.mydomain.com'...done
  Opening TLS connection to `imap.mydomain.com'...done
  Unable to open server nnimap+privat due to: Process *nnimap* not running

When I try running gnutls-cli from the command line of the debian testing machine (the same gnutls-cli that is used by the emacs23/gnus combo), it seems to connect ok (the transcript of that session is below).

The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is:

# SSL/TLS support: yes, no, required. doc/wiki/SSL.txt
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/imap_mydomain_com.pem
ssl_key = </etc/ssl/private/imap_mydomain_com.key

The access privileges of the files are:

-rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem
-rw------- 1 root root 3243 Jul 12  2011 /etc/ssl/private/imap_mydomain_com.key

What follows is the transcript from the gnutls-cli session from a debian testing machine to the server (which seems to be working as far as I can tell...):

sb@edwards:~$ gnutls-cli -p 993 rainey.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'rainey.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate does NOT match 'rainey.mydomain.com'

sb@edwards:~$ gnutls-cli -p 993 imap.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: /home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1021 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate matches 'imap.mydomain.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
* OK Waiting for authentication process to respond..
- Peer has closed the GnuTLS connection
Re: [Dovecot] SSL errors for just one client after updaing both dovecot and openssl
On 2013-02-23 11:32 AM, Reindl Harald h.rei...@thelounge.net wrote:
On 23.02.2013 17:03, Charles Marcus wrote:
OpenSSL was 1.0.0j, now updated to 1.0.1c
Dovecot was 2.1.13, now updated to 2.1.15

on which distribution can you update openssl with an ABI bump without recompiling half of the system?

Gentoo... been using it for over 8 years, and been through LOTS of major changes like this with only the occasional problem.

1.0.0x is not binary compatible with 1.0.1x and that is, as an example, why Fedora 17 stays at 1.0.0x and Fedora 18 has 1.0.1x

When something like this does happen, gentoo automatically rebuilds any affected packages - or at least it is supposed to (mistakes happen, things get left out/missed)...

I'm getting a bunch of lines like the following:
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
where only the session id (and number of seconds for no auth attempts) is different...

how does your ssl_cipher_list look?
ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH

Using the defaults:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Looks like they are slowly disappearing though... the last one was 12:35 yesterday. Also, looks like there were two other users/clients affected. I called the first one and had him check and he said he wasn't seeing any errors or problems on his end. I then had him restart all of his mail clients (restarted his phone just to be sure), and after he did this these errors disappeared (for his IP).

On 2013-02-24 9:55 AM, Timo Sirainen t...@iki.fi wrote:
Most likely related to the OpenSSL upgrade. Dovecot at least didn't change anything SSL related. You could see if verbose_ssl=yes logs anything interesting. And like Reindl mentioned, ssl_cipher_list is pretty much the only thing in Dovecot's configuration that may be related to this.

Yeah, I expected it to be related to the openssl upgrade, I was just seeing if anyone else had been through it before and whether or not I needed to do anything proactively to fix it.

Thanks for the responses,

-- 
Best regards,
Charles
Re: [Dovecot] SSL errors for just one client after updaing both dovecot and openssl
On 23.2.2013, at 18.03, Charles Marcus cmar...@media-brokers.com wrote:
Ok, I have a strange problem after updating both dovecot and openssl...
OpenSSL was 1.0.0j, now updated to 1.0.1c
Dovecot was 2.1.13, now updated to 2.1.15
I'm getting a bunch of lines like the following:
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
where only the session id (and number of seconds for no auth attempts) is different... This is happening for only the one client. All other clients - I've counted about 25 so far - are working fine. Anyone have any ideas? I can't believe it is a generic openssl problem, since it is only affecting the one client.

Most likely related to the OpenSSL upgrade. Dovecot at least didn't change anything SSL related. You could see if verbose_ssl=yes logs anything interesting. And like Reindl mentioned, ssl_cipher_list is pretty much the only thing in Dovecot's configuration that may be related to this.
[Dovecot] SSL errors for just one client after updaing both dovecot and openssl
Hi all,

Ok, I have a strange problem after updating both dovecot and openssl...

OpenSSL was 1.0.0j, now updated to 1.0.1c
Dovecot was 2.1.13, now updated to 2.1.15

I'm getting a bunch of lines like the following:

Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2

where only the session id (and number of seconds for no auth attempts) is different...

This is happening for only the one client. All other clients - I've counted about 25 so far - are working fine.

Anyone have any ideas? I can't believe it is a generic openssl problem, since it is only affecting the one client.

I've contacted him and asked him to reboot any/all devices that connect to our mail to see if that helps...

-- 
Best regards,
Charles
Re: [Dovecot] SSL errors for just one client after updaing both dovecot and openssl
On 23.02.2013 17:03, Charles Marcus wrote:
OpenSSL was 1.0.0j, now updated to 1.0.1c
Dovecot was 2.1.13, now updated to 2.1.15

on which distribution can you update openssl with an ABI bump without recompiling half of the system?

1.0.0x is not binary compatible with 1.0.1x and that is, as an example, why Fedora 17 stays at 1.0.0x and Fedora 18 has 1.0.1x

I'm getting a bunch of lines like the following:
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
where only the session id (and number of seconds for no auth attempts) is different...

how does your ssl_cipher_list look?
ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH
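Since ssl_cipher_list is the one Dovecot-side setting the thread names, here is an added check (my script, not code from any poster) that runs every token of such a list past the OpenSSL on PATH. OpenSSL silently drops any token in a cipher string that it does not recognise, so a misspelt token never shows up in Dovecot's log; it simply has no effect. The list quoted in the thread is the sample input; its `!eNUL` token matches nothing (the alias is `eNULL`, and `ALL` already leaves the eNULL suites out, so this particular typo is harmless). Run it on the Dovecot host, against the OpenSSL build Dovecot actually links, or the answer says nothing about Dovecot.

```shell
#!/bin/sh
# Added example, not from the thread.  OpenSSL ignores unknown tokens in a
# cipher string without complaint, so this checks each token of a Dovecot
# ssl_cipher_list individually against the openssl CLI on PATH.  The
# sample list at the bottom is the one quoted in the thread.

# cipher_token_known TOKEN: 0 if TOKEN (an alias such as HIGH, or a suite
# name, without its !/-/+ operator) selects at least one suite here.
cipher_token_known() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# lint_cipher_list LIST: prints "ignored: TOKEN" for every token that
# selects nothing (it has no effect whether it was meant to add or to
# exclude), then "suites: N" for the size of the resulting list.
# Returns 1 if anything was ignored or the final list is empty.
lint_cipher_list() {
    bad=0
    for tok in $(printf '%s\n' "$1" | tr ':, ' '\n\n\n'); do
        name=${tok#[+!-]}                       # strip the operator
        case $name in ''|@*) continue ;; esac   # @STRENGTH, @SECLEVEL=n
        cipher_token_known "$name" || { echo "ignored: $name"; bad=1; }
    done
    n=$(openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .)
    echo "suites: $n"
    [ "$bad" -eq 0 ] && [ "$n" -gt 0 ]
}

# The ssl_cipher_list posted in the thread; "!eNUL" is the token to watch.
SAMPLE='ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH'
if lint_cipher_list "$SAMPLE"; then
    echo "every token had an effect"
else
    echo "some tokens were ignored or the list is empty; review above"
fi
```

A harmless "ignored" report is expected for exclusions of classes that no longer exist in the linked OpenSSL (the LOW and EXP suites were removed in 1.1.0, so `!LOW` and `!EXP` are no-ops there). The case that matters is a positive selection such as `HIGH` being reported, or `suites: 0`, because then Dovecot would start with an empty list and every TLS handshake would fail.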
[Dovecot] SSL certificates
Who is the best CA Certificate provider for Dovecot?

-- 
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k
Merry Christmas 2012 and Happy New Year 2013
Re: [Dovecot] SSL certificates
The Doctor doc...@doctor.nl2k.ab.ca wrote: Who is the best CA Certificate provider for Dovecot? What do you mean by best? Grüße, Sven. -- Sigmentation fault. Core dumped.
Re: [Dovecot] SSL certificates
On Fri, 2012-11-23 at 19:49 -0700, The Doctor wrote:
Who is the best CA Certificate provider for Dovecot?

Anyone but verisign, don't get me started on them :)

Now that Thawte are no longer owned by those criminals, I highly recommend them for certs for web sites. But if it's just for mail/webmail and you don't need the large insurance protections, then look at the cheaper/free startcom certs, I use them on my private domains for mail certs and webmail - very pleasant and easy to deal with.
[Dovecot] ssl cert for mail server
for testing a new ssl cert. it works ok for browsers, but

openssl s_client -crlf -connect ms1.trailsandtribulations.net:443
= verify error:num=19:self signed certificate in certificate chain

is this ssl cert - as it's constructed - ok for mail clients? (realize it needs to be on the mail port etc - right now talking about the cert itself.)

have had problems with thunderbird, and was wondering if this might be part of the problem.
Re: [Dovecot] ssl cert for mail server
On 19.09.2012 10:00, cc maco young wrote:
for testing a new ssl cert. it works ok for browsers, but openssl s_client -crlf -connect ms1.trailsandtribulations.net:443 = verify error:num=19:self signed certificate in certificate chain is this ssl cert - as it's constructed - ok for mail clients? (realize it needs to be on the mail port etc - right now talking about the cert itself.) have had problems with thunderbird, and was wondering if this might be part of the problem.

Hi,

first of all this is likely off topic for this ML, I'll still answer though, since I'm always intrigued by TLS problems.

The reason openssl doesn't accept this cert, while your browser does, is quite likely that your system-wide accepted CAs don't include Starfield Technologies, while your browser's CAs do (this is the case for Firefox and Thunderbird).

However, I suspect that your mail addresses are of the form u...@trailsandtribulations.net, and ms1.trailsandtribulations.net is what is in your MX record. As such the certificate needs to be valid for trailsandtribulations.net, and not ms1.trailsandtribulations.net. So you either need trailsandtribulations.net as your CN, or a SAN of type DNSName for trailsandtribulations.net. Cf. https://tools.ietf.org/html/rfc6125 for best practices on generating certificates.

Regards,
Florian
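The certificate failures in this thread (verify error 19 when the root sits in the served chain), in the "SSL cert problem" thread above (a client that never imported the private CA, which Thunderbird shows as Unknown identity and Dovecot logs as alert 46) and in the "SSL problems on dovecot 2.1.7" thread (gnutls-cli reporting a hostname mismatch and an unknown issuer) are all verdicts a client reaches from the chain the server sends plus its own trust store. The script below is an added example, not code from any poster: it builds a throwaway private PKI with the openssl CLI and reproduces all three verdicts offline. Every host and CA name in it is invented (example.test, imap.example.test, "Example Private Root CA"), and it assumes an openssl CLI of 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from any post in these threads.  Builds a
# throwaway root -> intermediate -> leaf PKI with the openssl CLI and
# shows what a client concludes from (a) the chain Dovecot should send,
# (b) the poster's chain with the root cat'ed in, (c) a hostname that
# the certificate does not cover.  All names are invented for the demo.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT CA EXTFILE: new key + CSR for NAME, signed by CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$4" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# build_pki: our root, an intermediate, a leaf for imap.example.test, and
# an unrelated self-signed root that stands in for "a client that never
# imported our CA".  chain.pem is what ssl_cert should hold (leaf, then
# intermediate); chain_with_root.pem is leaf + intermediate + root.
build_pki() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' >"$WORK/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:imap.example.test,DNS:mail.example.test' >"$WORK/leaf.ext"
    for r in root:"Example Private Root CA" other:"Unrelated Root CA"; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=${r#*:}" -keyout "$WORK/${r%%:*}.key" \
            -out "$WORK/${r%%:*}.pem" >/dev/null 2>&1 || return 1
    done
    issue inter "/CN=Example Intermediate CA" root "$WORK/ca.ext" || return 1
    issue imap "/CN=imap.example.test" inter "$WORK/leaf.ext" || return 1
    cat "$WORK/imap.pem" "$WORK/inter.pem" >"$WORK/chain.pem"
    cat "$WORK/imap.pem" "$WORK/inter.pem" "$WORK/root.pem" >"$WORK/chain_with_root.pem"
}

# show_chain FILE: one "subject -> issuer" line per certificate, in file
# order.  The file is sent in this order, so the server cert must be first.
show_chain() {
    rm -f "$WORK"/part.*
    awk -v d="$WORK" '/-BEGIN CERTIFICATE-/{n++} n>0{print > (d "/part." n)}' "$1"
    for p in "$WORK"/part.*; do
        s=$(openssl x509 -in "$p" -noout -subject | sed 's/^[a-z]*= *//')
        i=$(openssl x509 -in "$p" -noout -issuer | sed 's/^[a-z]*= *//')
        printf '%s -> %s\n' "$s" "$i"
        rm -f "$p"
    done
}

# client_verify TRUST CHAIN [HOST]: verdict of a client whose trust store
# holds exactly TRUST when the server sends CHAIN.  Prints "ok" or
# "error N" (N is openssl's X509_V_ERR_* number, the same one s_client
# prints as "Verify return code"); returns 0 only if the client accepts.
client_verify() {
    trust=$1 chain=$2
    if [ -n "${3:-}" ]; then set -- -verify_hostname "$3"; else set --; fi
    out=$(openssl verify -no-CApath -CAfile "$trust" -untrusted "$chain" \
          "$@" "$WORK/imap.pem" 2>&1)
    case $out in *": OK"*) echo ok; return 0 ;; esac
    code=$(printf '%s\n' "$out" |
           sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup:.*/\1/p' | head -n 1)
    echo "error ${code:-?}"
    return 1
}

report() {
    echo '--- served chain (ssl_cert):'; show_chain "$WORK/chain.pem"
    printf 'client trusts our root, chain leaf+inter:        %s\n' \
        "$(client_verify "$WORK/root.pem" "$WORK/chain.pem")"
    printf 'client trusts our root, right hostname:          %s\n' \
        "$(client_verify "$WORK/root.pem" "$WORK/chain.pem" imap.example.test)"
    printf 'client trusts our root, wrong hostname:          %s\n' \
        "$(client_verify "$WORK/root.pem" "$WORK/chain.pem" rainey.example.test)"
    printf 'client lacks our root, chain leaf+inter:         %s\n' \
        "$(client_verify "$WORK/other.pem" "$WORK/chain.pem")"
    printf 'client lacks our root, root cat-ed into chain:   %s\n' \
        "$(client_verify "$WORK/other.pem" "$WORK/chain_with_root.pem")"
}

build_pki && report
```

The five lines of the report map onto the threads: error 20 (unable to get local issuer certificate) is the client that has not imported the CA, which is what Thunderbird reports as Unknown identity and what Dovecot logs as the incoming "certificate unknown" alert 46; error 19 (self signed certificate in certificate chain) is what cat'ing the root into the served file buys you when the client still does not trust it, the `verify error:num=19` quoted in this thread; error 62 (hostname mismatch) is the gnutls-cli "does NOT match" case. Pointing `show_chain` at a real ssl_cert file shows whether the server certificate really comes first and whether each issuer is the next subject. Against a live server the same numbers appear in `openssl s_client -CAfile ca.pem -connect host:993` on its "Verify return code" line.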
Re: [Dovecot] SSL Warnings in Debug Logs
Thank you, Timo. On 07/28/2012 09:57 AM, Timo Sirainen wrote: On 24.7.2012, at 21.27, Asai wrote: Greetings, In doing some debugging of authentication issues, I'm wondering if these SSL warnings are anything to be investigating? Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.70.101] Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.70.101] They should be debug messages, not warnings. Fixed in hg.
Re: [Dovecot] SSL Warnings in Debug Logs
On 24.7.2012, at 21.27, Asai wrote: Greetings, In doing some debugging of authentication issues, I'm wondering if these SSL warnings are anything to be investigating? Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.70.101] Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.70.101] They should be debug messages, not warnings. Fixed in hg.
[Dovecot] SSL Warnings in Debug Logs
Greetings,

In doing some debugging of authentication issues, I'm wondering if these SSL warnings are anything to be investigating?

Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.70.101]

[root@triata ~]# doveconf -n
# 2.0.14: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.32.1.el5xen x86_64 CentOS release 5.5 (Final) ext3
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_home = /vmail/%d/%n/home
mail_location = maildir:/vmail/%d/%n
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  mail_log_fields = uid box msgid size from
  sieve = /vmail/%d/%n/sievescript
}
protocols = imap pop3 lmtp sieve sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
  }
  user = root
}
service imap-login {
  process_min_avail = 3
  service_count = 0
  vsz_limit = 0
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl_cert = </etc/pki/dovecot/certs/smtpd.pem
ssl_key = </etc/pki/dovecot/private/smtpd.pem
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  hostname = triata.globalchangemultimedia.net
  mail_plugin_dir = /usr/lib64/dovecot/
  mail_plugins = sieve
  postmaster_address = postmas...@globalchangemultimedia.net
}
protocol imap {
  imap_idle_notify_interval = 24 mins
  mail_max_userip_connections = 20
}
protocol sieve {
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_line_length = 65536
}

-- 
Asai
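The where= and ret= numbers in these lines are raw values from OpenSSL's info callback, which is why the text alone is easy to misread: in the "SSL cert problem" thread above the log says "SSL negotiation finished successfully" and then, one line later, "fatal certificate unknown". The decoder below is an added example, not Dovecot code. Its sample log is constructed from the lines quoted in this thread and in that earlier thread, plus one invented client (10.0.0.9) that opens a handshake and never completes it; the bit values it decodes are OpenSSL's SSL_CB_* constants and the alert numbers are the TLS AlertDescription registry.

```shell
#!/bin/sh
# Added example, not from the threads.  Decodes the "SSL: where=0x...,
# ret=..." lines that verbose_ssl=yes produces.  "where" is the OpenSSL
# info-callback bitmask (SSL_CB_LOOP=0x01, EXIT=0x02, READ=0x04,
# WRITE=0x08, HANDSHAKE_START=0x10, HANDSHAKE_DONE=0x20, ACCEPT=0x2000,
# ALERT=0x4000) and, for alerts, "ret" is (level << 8) | description.
# SAMPLE_LOG is constructed from the lines quoted in the threads above.

SAMPLE_LOG='Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.0.1]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.70.101]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [10.0.0.9]
Jul 24 11:23:16 triata dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello A [10.0.0.9]'

# alert_name CODE: TLS AlertDescription names (RFC 5246, section 7.2).
alert_name() {
    case $1 in
        0) echo close_notify ;;          10) echo unexpected_message ;;
        20) echo bad_record_mac ;;       40) echo handshake_failure ;;
        42) echo bad_certificate ;;      43) echo unsupported_certificate ;;
        44) echo certificate_revoked ;;  45) echo certificate_expired ;;
        46) echo certificate_unknown ;;  47) echo illegal_parameter ;;
        48) echo unknown_ca ;;           49) echo access_denied ;;
        50) echo decode_error ;;         51) echo decrypt_error ;;
        70) echo protocol_version ;;     71) echo insufficient_security ;;
        80) echo internal_error ;;       112) echo unrecognized_name ;;
        *) echo "alert_$1" ;;
    esac
}

# ssl_events: stdin = log lines; stdout = "IP EVENT [LEVEL NAME]" lines.
# EVENT is start, done, alert-rx (alert received from the client) or
# alert-tx (alert sent to the client).  Other handshake steps are skipped.
ssl_events() {
    while IFS= read -r line; do
        case $line in *' where=0x'*' ret='*'['*']') ;; *) continue ;; esac
        where=${line#*where=}; where=${where%%,*}
        ret=${line#*ret=};     ret=${ret%%:*}
        ip=${line##*"["};      ip=${ip%"]"}
        w=$((where)); r=$((ret))
        if [ $((w & 0x4000)) -ne 0 ]; then
            lvl=$((r >> 8)); code=$((r & 255))
            [ $((w & 0x04)) -ne 0 ] && dir=alert-rx || dir=alert-tx
            [ "$lvl" -eq 2 ] && sev=fatal || sev=warning
            echo "$ip $dir $sev $(alert_name "$code")"
        elif [ $((w & 0x20)) -ne 0 ]; then
            echo "$ip done"
        elif [ $((w & 0x10)) -ne 0 ]; then
            echo "$ip start"
        fi
    done
}

# ssl_verdict IP: stdin = ssl_events output; one-line conclusion for IP.
ssl_verdict() {
    ev=
    while read -r i rest; do
        if [ "$i" = "$1" ]; then ev="$ev $rest"; fi
    done
    case $ev in
        *'alert-rx fatal '*)
            name=${ev#*alert-rx fatal }; name=${name%% *}
            case $name in
                bad_certificate|unsupported_certificate|certificate_revoked|certificate_expired|certificate_unknown|unknown_ca)
                    echo "client rejected the server certificate ($name)" ;;
                *) echo "client aborted the handshake ($name)" ;;
            esac ;;
        *done*)  echo "handshake completed" ;;
        *start*) echo "handshake never completed (client went away)" ;;
        *)       echo "no TLS events" ;;
    esac
}

printf '%s\n' "$SAMPLE_LOG" | ssl_events
for ip in 192.168.0.1 192.168.70.101 10.0.0.9; do
    printf '%-16s %s\n' "$ip" "$(printf '%s\n' "$SAMPLE_LOG" | ssl_events | ssl_verdict "$ip")"
done
```

Fed the real log, `grep 'SSL' /var/log/dovecot.log | ssl_events | sort | uniq -c` gives a quick per-client tally, and an alert-rx line with a fatal certificate_* or unknown_ca name is the client telling the server that it does not accept the certificate, whatever the preceding "negotiation finished successfully" line suggests. The write-side alert (alert-tx, close_notify) that follows is Dovecot closing the session cleanly, which is why the only Info-level line is "Disconnected (no auth attempts)".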
[Dovecot] SSL Certificate Anomalies with latest code changes
Some change between bf5ae73e9475 and 584bd77c38fd seems to have broken something in the SSL Handshake. A previously valid server certificate is deemed invalid by various mail clients.

http://hg.dovecot.org/dovecot-2.1/rev/bf5ae73e9475 works fine while http://hg.dovecot.org/dovecot-2.1/rev/584bd77c38fd does not.

Regards
Thomas
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On 12.4.2012, at 10.11, Thomas Leuxner wrote: Some change between bf5ae73e9475 and 584bd77c38fd seems to have broken something in the SSL Handshake. A previously valid server certificate is deemed invalid by various mail clients. http://hg.dovecot.org/dovecot-2.1/rev/bf5ae73e9475 works fine while http://hg.dovecot.org/dovecot-2.1/rev/584bd77c38fd does not. What kind of a certificate do you have? You have an intermediary cert that exists only in ssl_ca file? I couldn't reproduce this with a test. But anyway, reverted for now: http://hg.dovecot.org/dovecot-2.1/rev/f80f18d0ffa3 Now how do I fix the memory leak then?...
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On 12.4.2012, at 10.43, Timo Sirainen wrote: On 12.4.2012, at 10.11, Thomas Leuxner wrote: Some change between bf5ae73e9475 and 584bd77c38fd seems to have broken something in the SSL Handshake. A previously valid server certificate is deemed invalid by various mail clients. http://hg.dovecot.org/dovecot-2.1/rev/bf5ae73e9475 works fine while http://hg.dovecot.org/dovecot-2.1/rev/584bd77c38fd does not. What kind of a certificate do you have? You have an intermediary cert that exists only in ssl_ca file? I couldn't reproduce this with a test. But anyway, reverted for now: http://hg.dovecot.org/dovecot-2.1/rev/f80f18d0ffa3 Now how do I fix the memory leak then?... http://hg.dovecot.org/dovecot-2.1/rev/85ad4baedd43 ?
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On Thu, Apr 12, 2012 at 10:43:22AM +0300, Timo Sirainen wrote:
What kind of a certificate do you have? You have an intermediary cert that exists only in ssl_ca file? I couldn't reproduce this with a test. But anyway, reverted for now: http://hg.dovecot.org/dovecot-2.1/rev/f80f18d0ffa3

Thawte. They only do intermediates for some time now.

$ openssl x509 -in /etc/ssl/certs/spectre_leuxner_net_2011.crt -noout -subject -issuer -dates
subject= /O=spectre.leuxner.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=spectre.leuxner.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
notBefore=May 16 00:00:00 2011 GMT
notAfter=Jun 14 23:59:59 2012 GMT

[...]
ssl_ca = </etc/ssl/certs/SSL123_CA_Bundle.pem
ssl_cert = </etc/ssl/certs/spectre_leuxner_net_2011.crt
ssl_key = </etc/ssl/private/spectre_leuxner_net_2011.key
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On 12.4.2012, at 11.16, Thomas Leuxner wrote: On Thu, Apr 12, 2012 at 10:43:22AM +0300, Timo Sirainen wrote: What kind of a certificate do you have? You have an intermediary cert that exists only in ssl_ca file? I couldn't reproduce this with a test. But anyway, reverted for now: http://hg.dovecot.org/dovecot-2.1/rev/f80f18d0ffa3 Thawte. They only do intermediates for some time now. But do you keep your intermediate cert in ssl_ca file or ssl_cert file?
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On Thu, Apr 12, 2012 at 11:17:50AM +0300, Timo Sirainen wrote: But do you keep your intermediate cert in ssl_ca file or ssl_cert file? Separate. Root and intermediate are in ssl_ca: $ cat /etc/ssl/certs/SSL123_CA_Bundle.pem -BEGIN CERTIFICATE- MIIEjzCCA3egAwIBAgIQdhASihe2grs6H50amjXAkjANBgkqhkiG9w0BAQUFADCB qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjE4MDAwMDAwWhcNMjAw MjE3MjM1OTU5WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu MR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3Rl IERWIFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuYyTY/ 0pzYFgfUSWP5g7DoAi3MXFp0l6YT7xMT3gV8p+bKACPaOfnvE89Sxa+a48q+84LZ iz2q4cyuiFBmoy3sYRR1SasOJPGsRFsLKKIzIHYeBmBqZwVxi7pmYhZ6s20Nx9CU QMaMPR6SDGI0DUSJ1feJ/intGI/2mysI92qr2EiXWvSf7Qx1UiL31V6EAJ/ASg0x d0xk0BLmDzrwocDVXB3nXy3C99Y2GNmVbkROyVgUTbaOu83eYh76W7W9GCuYrKyT P1Ba9RQLos+2855PWs1awzYj2hqvsE3WSiIDj0MCGb3qrN3EejUyFPFyLghVQAz0 B0FBrzg3hClCslUCAwEAAaOB/DCB+TAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUH MAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgwBgEB/wIBADA0 BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUENB LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVZl cmlTaWduTVBLSS0yLTExMB0GA1UdDgQWBBSrRORd7IPH2cCFn/fhxpeQsIw/mDAf BgNVHSMEGDAWgBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOC AQEABLr7rLv8S1QRoy2Iszy9AG2KGraNxMGD+MdTKsEybjqBoVR92ho/OkVPNudC sApChZegrPvlh6eDT+ixt5tYZW4mgAuSTUdVuWEWUWXpK/Fo2Vi4A4HRt2Yc07zF pntfPsU4RnbndbSgDEvOosKpwcw2c3v7uSQkoF6n9vq7DChDnh3wTvA/2CSwIdxt Le6/Wjv6iJx0bK8h3ZLswxXvlHUmRtamP79mSKod790n5rdRiTh9E4QMQPzQtfHg 2/lPL0ActI5HImG4TJbe8F8Rfk8R2exQRyIOxR3iZEnnaGNFOorZcfRe8W63FE0+ bxQe3FL+vN8MvSk/dvsRX2hoFQ== -END CERTIFICATE- -BEGIN CERTIFICATE- MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB 
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tMB4XDTA2MTExNzAwMDAwMFoXDTIwMTIzMDIzNTk1OVow gakxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4xKDAmBgNVBAsT H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xODA2BgNVBAsTLyhjKSAy MDA2IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD VQQDExZ0aGF3dGUgUHJpbWFyeSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEArKDw+4BZ1JzHpM+doVlzCRBFDA0sbmjxbFtIaElZN/wLMxnC d3/MEC2VNBzm600JpxzSuMmXNgK3idQkXwbAzESUlI0CYm/rWt0RjSiaXISQEHoN vXRmL2o4oOLVVETrHQefB7pv7un9Tgsp9T6EoAHxnKv4HH6JpOih2HFlDaNRe+68 0iJgDblbnd+6/FFbC6+Ysuku6QToYofeK8jXTsFMZB7dz4dYukpPymgHHRydSsbV L5HMfHFyHMXAZ+sy/cmSXJTahcCbv1N9Kwn0jJ2RH5dqUsveCTakd9h7h1BE1T5u KWn7OUkmHgmlgHtALevoJ4XJ/mH9fuZ8lx3VnQIDAQABo4HCMIG/MA8GA1UdEwEB /wQFMAMBAf8wOwYDVR0gBDQwMjAwBgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHBz Oi8vd3d3LnRoYXd0ZS5jb20vY3BzMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU e1tFz6/Oy3r9MZIaarbzRutXSFAwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2Ny bC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwDQYJKoZIhvcN AQEFBQADgYEAhKhMyT4qvJrizI8LsiV3xGGJiWNa1KMVQNT7Xj+0Q+pjFytrmXSe Cajd1FYVLnp5MV9jllMbNNkV6k9tcMq+9oKp7dqFd8x2HGqBCiHYQZl/Xi6Cweiq 95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA= -END CERTIFICATE- $ dovecot --version 2.1.4 (584bd77c38fd) Seems to have fixed it. Thanks. signature.asc Description: Digital signature
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On 12.4.2012, at 11.33, Thomas Leuxner wrote: On Thu, Apr 12, 2012 at 11:17:50AM +0300, Timo Sirainen wrote: But do you keep your intermediate cert in ssl_ca file or ssl_cert file? Separate. Root and intermediate are in ssl_ca: The documentation tells to put the intermediary to ssl_cert though. I didn't even know it worked in ssl_ca. But I guess I won't intentionally break it..
Re: [Dovecot] SSL Certificate Anomalies with latest code changes
On Thu, Apr 12, 2012 at 11:35:48AM +0300, Timo Sirainen wrote:
> On 12.4.2012, at 11.33, Thomas Leuxner wrote:
>> On Thu, Apr 12, 2012 at 11:17:50AM +0300, Timo Sirainen wrote:
>>> But do you keep your intermediate cert in ssl_ca file or ssl_cert file?
>> Separate. Root and intermediate are in ssl_ca:
> The documentation tells to put the intermediary to ssl_cert though. I didn't even know it worked in ssl_ca. But I guess I won't intentionally break it..

Hmmm. I did emulate Thawte instructions though:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO15464&actp=LIST&viewlocale=en_US
https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem

[...]
SSLCertificateFile /usr/local/ssl/crt/domainname.crt
SSLCertificateKeyFile /usr/local/ssl/private/server.key
SSLCACertificateFile /usr/local/ssl/crt/cabundle.crt
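The placement question in the two messages above (intermediate certificate in ssl_ca versus ssl_cert), shown as an added Dovecot configuration example. This is not from the thread and not the Dovecot project's own sample config; the file paths and host name are placeholders.

```conf
# Added example, not from the thread. Paths and host name are placeholders.

# What the Apache-style recipe above leads to: server certificate alone in
# ssl_cert and the CA bundle in ssl_ca. Dovecot documents ssl_ca for client
# certificate verification, so whether the intermediate gets sent from
# there is not something to rely on; a client that has not cached the
# intermediate then sees an incomplete chain and fails verification.
#ssl_cert = </etc/ssl/certs/mail.example.com.crt
#ssl_ca   = </etc/ssl/certs/cabundle.crt

# Documented layout: the server certificate first, then each intermediate
# in signing order, all in the file that ssl_cert reads. The root itself
# need not be included; clients already trust it.
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.com-fullchain.pem
ssl_key  = </etc/ssl/private/mail.example.com.key

# ssl_ca only matters when you require client certificates.
#ssl_ca = </etc/ssl/certs/client-ca.pem
#ssl_verify_client_cert = yes
```

Build the chain file with the server certificate followed by the intermediate (for the layout above, `cat mail.example.com.crt intermediate.crt > mail.example.com-fullchain.pem`), then check from a client machine that does not already have the intermediate cached: `openssl s_client -connect mail.example.com:993 -showcerts -CAfile /path/to/root-ca.pem` should list two certificates under "Certificate chain" and end with "Verify return code: 0 (ok)". A local pre-check that needs no listener is `openssl verify -CAfile root-ca.pem -untrusted intermediate.crt mail.example.com.crt`.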
Re: [Dovecot] SSL renegotiation vulnerability
On 26/10/2011 10:01, Robert Schetterer wrote:
> the main problem I see is, not everybody can use fail2ban on his servers
> by keeping out dummy auth users over NAT (I have such a case)
> anyway, firewalls should slow down DDoS attacks, which might cause other
> problems then *g, but for sure not from one IP ...
> just a few thoughts.., for sure, the best way would be getting it fixed

If you google (I think it was on slashdot), I saw a couple of posts with a simple iptables rule with some rate limits attached to it. Clearly you could also read the iptables instructions and figure it out for yourself, but I'm just highlighting that even the footwork has been done if you want to copy/paste.

I think it's generally not such a bad idea to, say, limit TCP connections per second from a source IP. There are plenty of big services that might not be able to implement this as a blanket, but for many shops it could probably just be added as a default for the server...

Cheers

Ed W
Re: [Dovecot] SSL renegotiation vulnerability
On 27.10.2011 10:25, Ed W wrote:
> On 26/10/2011 10:01, Robert Schetterer wrote:
>> the main problem I see is, not everybody can use fail2ban on his servers
>> by keeping out dummy auth users over NAT (I have such a case)
>> anyway, firewalls should slow down DDoS attacks, which might cause other
>> problems then *g, but for sure not from one IP ...
>> just a few thoughts.., for sure, the best way would be getting it fixed
>
> If you google (I think it was on slashdot), I saw a couple of posts with a simple iptables rule with some rate limits attached to it. Clearly you could also read the iptables instructions and figure it out for yourself, but I'm just highlighting that even the footwork has been done if you want to copy/paste.

I just read it, but it's my understanding that this isn't solving the real problem; also these rules can't be used everywhere, for technical layout reasons. However, you're right, this might help where using it is possible.

> I think it's generally not such a bad idea to, say, limit TCP connections per second from a source IP. There are plenty of big services that might not be able to implement this as a blanket, but for many shops it could probably just be added as a default for the server...

We have a big firewall before all servers; it does rate con, but in heavy attacks this can take off the whole farm, because every firewall has its limits too; also the problem may involve core routers etc. Every big attack has to be analysed and reacted to; there is always a reason to do something better, but there will never be a safe world in the www *g

> Cheers
>
> Ed W

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
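The per-source-IP limit on new connections that Ed W describes, together with the NAT caveat Robert raises, as an added example in iptables-save syntax. It is not from the thread or from any post linked there; the ports, the rate, the burst and the whitelisted address are placeholders to be tuned for your own site.

```conf
# Added example, not from the thread. Limits and addresses are illustrative.
*filter
:INPUT ACCEPT [0:0]
:MAIL_LIMIT - [0:0]

# Established sessions pass first, so the limit below only ever applies to
# new TCP handshakes, never to traffic inside an open IMAP/POP3 session.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# A known NAT gateway with many users behind it (placeholder address).
# hashlimit keeps one counter per source /32, so such a gateway would
# otherwise hit the limit on legitimate traffic alone (Robert's case).
-A INPUT -s 203.0.113.10 -p tcp -m multiport --dports 143,993,110,995 -j ACCEPT

# New connections to the mail ports, counted per source address: more than
# 10 per minute (after a burst of 20) is diverted to MAIL_LIMIT.
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mail-new --hashlimit-mode srcip --hashlimit-above 10/minute --hashlimit-burst 20 -j MAIL_LIMIT
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -m conntrack --ctstate NEW -j ACCEPT

# Log a sample of what gets limited (so a NAT false positive is visible),
# then drop the excess handshakes.
-A MAIL_LIMIT -m limit --limit 5/minute -j LOG --log-prefix "mail-ratelimit: " --log-level info
-A MAIL_LIMIT -j DROP
COMMIT
```

Load it with `iptables-restore` and watch the kernel log for "mail-ratelimit:" entries before tightening the numbers; each logged source is either an abuser or a shared egress address that needs its own ACCEPT line above the limit. As Robert notes, this is not a fix for the renegotiation issue itself: a single established connection can still drive the server's CPU, and an upstream firewall doing the same counting has its own capacity ceiling in a large attack. The rule only bounds how many new sessions one address can open, which is what the thread is after.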
