Re: Dovecot 2.3.0 TLS

2019-07-19 Thread Jean-Daniel Dupas via dovecot 



> Le 18 juil. 2019 à 11:21, Alexandre Urban via dovecot  a 
> écrit :
> 
> Hello,
>  
> I don’t know who will read this message, but I found this thread: 
> https://www.mail-archive.com/search?l=dovecot@dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest
> And I’m expected the same issue, I will try to explain to you (english is not 
> my native language, sorry)
>  
> Since Buster update, so Dovecot update too, I’m not able to connect to my 
> mail server from my iOS mail client (12.2)
> Thunderbird just work fine.
>  
> Here is my configuration:
>  
> Debian Buster (amd64)
> Dovecot: 2.3.4.1
> Postfix : 3.4.5
> OpenSSL: 1.1.1c
>  
> Dovecot configuration file:
>  
> ssl_min_protocol = TLSv1.2 (I tried different version)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2322 bytes and written 392 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -no_tls1_3 -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2423 bytes and written 310 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: ECDHE-RSA-AES256-GCM-SHA384
>  
> I think the “Secure Renegotiation IS NOT supported” with tls 1.3 could be an 
> issue, but I don’t what to do to fix the issue ?
>  
> Could you help me ?
> Let me know if you need more informations.
>  

I would rather look at the "Verify return code: 21 (unable to verify the first 
certificate)" error. 
Is your TLS certificat valid and trusted on your iOS device ?

IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3 (TLS1.3 
forbids any renegotiation).

Re: Dovecot 2.3.0 TLS

2019-07-19 Thread Alexandre Urban via dovecot 
Hello,

I don't know who will read this message, but I found this thread: 
https://www.mail-archive.com/search?l=dovecot@dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest
And I'm expected the same issue, I will try to explain to you (english is not 
my native language, sorry)

Since Buster update, so Dovecot update too, I'm not able to connect to my mail 
server from my iOS mail client (12.2)
Thunderbird just work fine.

Here is my configuration:

Debian Buster (amd64)
Dovecot: 2.3.4.1
Postfix : 3.4.5
OpenSSL: 1.1.1c

Dovecot configuration file:

ssl_min_protocol = TLSv1.2 (I tried different version)

When I tried to connect with command line: openssl s_client -showcerts -connect 
server:993

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2322 bytes and written 392 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

When I tried to connect with command line: openssl s_client -showcerts 
-no_tls1_3 -connect server:993

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2423 bytes and written 310 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384

I think the "Secure Renegotiation IS NOT supported" with tls 1.3 could be an 
issue, but I don't what to do to fix the issue ?

Could you help me ?
Let me know if you need more informations.

Thank you.

Regards,

Alex

Re: Dovecot 2.3.0 TLS

2019-07-07 Thread Peter Kahl via dovecot 
Hi Aki and all,

Thanks for the feedback.

I have removed the home-made root CA and the home-made server cert
signed by the root CA, replaced it with valid Let's Encrypt cert and all
works well.

Whilst the home-made certs have always worked well (years) with
Thunderbird clients and iOS 12.x, the new iOS 13.0 is now very picky
about the cert parameters. The Let's Encrypt cert is a good solution,
although I may eventually explore learning how to properly use OpenSSL
to generate home-made root CA and server certificates. Can anyone point
me to a good resource that has all the information for generating these
certs?

Kind regards,
Peter


signature.asc
Description: OpenPGP digital signature

Re: Dovecot 2.3.0 TLS

2019-07-04 Thread Aki Tuomi via dovecot 


On 4.7.2019 12.14, @lbutlr via dovecot wrote:
> On 3 Jul 2019, at 02:55, Peter Kahl via dovecot  wrote:
>> I failed to disclose that the described problem occurs on iOS 13.0 beta.
>>
>> After trying again and again, it appears that a bug in iOS 13.0 beta is the 
>> likely culprit. I am reading on Reddit that there is some bug in iOS with 
>> certificate trust...
> I am accessing my dovecot mail via iOS 13 beta without issue. (noe on eta 3, 
> but had no issues with beta 2 or 3. Well, no issues with MAIL that is).
>
> I am running current doevcot.
>
> I just opened the mail client on my phone:
>
> imap(krem...@kreme.com)<12940><14ffIdeMDf9JDqGg>: ID sent: name=iPhone Mail, 
> version=17A5522f, os=iOS, os-version=13.0 (17A5522f)


I think the problem manifests itself when using custom CA certificates.

Aki

Re: Dovecot 2.3.0 TLS

2019-07-04 Thread @lbutlr via dovecot 
On 3 Jul 2019, at 02:55, Peter Kahl via dovecot  wrote:
> I failed to disclose that the described problem occurs on iOS 13.0 beta.
> 
> After trying again and again, it appears that a bug in iOS 13.0 beta is the 
> likely culprit. I am reading on Reddit that there is some bug in iOS with 
> certificate trust...

I am accessing my dovecot mail via iOS 13 beta without issue. (noe on eta 3, 
but had no issues with beta 2 or 3. Well, no issues with MAIL that is).

I am running current doevcot.

I just opened the mail client on my phone:

imap(krem...@kreme.com)<12940><14ffIdeMDf9JDqGg>: ID sent: name=iPhone Mail, 
version=17A5522f, os=iOS, os-version=13.0 (17A5522f)

Re: Dovecot 2.3.0 TLS

2019-07-03 Thread Peter Kahl via dovecot 
Hi Aki,

I failed to disclose that the described problem occurs on iOS 13.0 beta.

After trying again and again, it appears that a bug in iOS 13.0 beta is
the likely culprit. I am reading on Reddit that there is some bug in iOS
with certificate trust...

https://www.reddit.com/r/signal/comments/c2q6c6/anyone_using_signal_in_ios_13_beta_iphone/

Kind regards,
Peter Kahl


0x526F0AC69C48DEE4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

Re: Dovecot 2.3.0 TLS

2019-07-01 Thread Aki Tuomi via dovecot 


On 2.7.2019 8.06, Peter via dovecot wrote:
>    On 11.01.2018 13:20, Hauke Fath wrote:
>    >/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the
> certificate path bundled in the server certificate? />/No, as a
> separate file, provided from the local (intermediate) CA:
> />//>/ssl_cert = /ssl_key =
> /ssl_ca =
> //>/Worked fine with 2.2.x,
> 2.3 gives />//>/% openssl s_client -connect XXX:993
> />/CONNECTED(0006) />/depth=0 C = DE, ST = Hessen, L = Darmstadt,
> O = Technische
>    Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> />/verify error:num=20:unable to get local issuer certificate
> />/verify return:1 />/depth=0 C = DE, ST = Hessen, L = Darmstadt, O =
> Technische
>    Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> />/verify error:num=21:unable to verify the first certificate
> />/verify return:1 />/--- />/Certificate chain />/0
> s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> />/Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
> />/i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
> />/Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>     />/--- />/Server
> certificate />/-BEGIN CERTIFICATE- />/[...] />/% />//
>    Seems we might've made a unexpected change here when we revamped
> the ssl
>    code. Can you try if it works if you concatenate the cert and
> cert-chain
>    to single file? We'll start looking if this is misunderstanding or
> bug.
>
>    Aki
>
> -
>
> Hi Aki,
>
> I believe that Dovecot 2.3.6 sends only one certificate even though my
> Dovecot uses two concatenated certificates.
>
> Thanks for looking into this.
>
> Regards,
> Peter


Hi!

Can you provide readable output of

openssl s_client -connect host:993


Aki

Re: Re: Dovecot 2.3.0 TLS

2019-07-01 Thread Peter via dovecot 

   On 11.01.2018 13:20, Hauke Fath wrote:
   >/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the certificate path bundled in the server certificate? 
/>/No, as a separate file, provided from the local (intermediate) CA: />//>/ssl_cert = /ssl_key = /ssl_ca = //>/Worked 
fine with 2.2.x, 2.3 gives />//>/% openssl s_client -connect XXX:993 />/CONNECTED(0006) />/depth=0 C = DE, ST = 
Hessen, L = Darmstadt, O = Technische
   Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify 
error:num=20:unable to get local issuer certificate />/verify return:1 />/depth=0 C = 
DE, ST = Hessen, L = Darmstadt, O = Technische
   Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=21:unable to 
verify the first certificate />/verify return:1 />/--- />/Certificate chain />/0 
s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de 
/>/i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/CN=TUD CA 
G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
    />/--- />/Server certificate 
/>/-BEGIN CERTIFICATE- />/[...] />/% />//
   Seems we might've made a unexpected change here when we revamped the ssl
   code. Can you try if it works if you concatenate the cert and cert-chain
   to single file? We'll start looking if this is misunderstanding or bug.

   Aki

-

Hi Aki,

I believe that Dovecot 2.3.6 sends only one certificate even though my 
Dovecot uses two concatenated certificates.


Thanks for looking into this.

Regards,
Peter

Re: Re: Dovecot 2.3.0 TLS

2019-06-29 Thread Peter via dovecot 

   On 11.01.2018 13:20, Hauke Fath wrote:
   >/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the certificate path bundled in the server certificate? 
/>/No, as a separate file, provided from the local (intermediate) CA: />//>/ssl_cert = /ssl_key = /ssl_ca = //>/Worked 
fine with 2.2.x, 2.3 gives />//>/% openssl s_client -connect XXX:993 />/CONNECTED(0006) />/depth=0 C = DE, ST = 
Hessen, L = Darmstadt, O = Technische
   Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify 
error:num=20:unable to get local issuer certificate />/verify return:1 />/depth=0 C = 
DE, ST = Hessen, L = Darmstadt, O = Technische
   Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=21:unable to 
verify the first certificate />/verify return:1 />/--- />/Certificate chain />/0 
s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de 
/>/i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/CN=TUD CA 
G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
    />/--- />/Server certificate 
/>/-BEGIN CERTIFICATE- />/[...] />/% />//
   Seems we might've made a unexpected change here when we revamped the ssl
   code. Can you try if it works if you concatenate the cert and cert-chain
   to single file? We'll start looking if this is misunderstanding or bug.

   Aki

-

I have the CA cert concatenated with the actual cert (one file).

Code:
# openssl s_client -showcerts -connect some.server.host:587
CONNECTED(0003)
depth=1 C = US, ST = State, L = Town, O = Company Name, OU = 
CERTIFICATION AUTHORITY, CN = CA Company Name, emailAddress = XXX@

verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=State/L=Town/O=Company Name/OU=IT 
Department/CN=some.server.host/emailAddress=XXX@
   i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION 
AUTHORITY/CN=CA Company Name/emailAddress=XXX@

-BEGIN CERTIFICATE-
MIIGUzCCBDsCCQC0iFO/81SS6DANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC
SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D
b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ
MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu
a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE5MDYyOTA1MzA0NloXDTI0MDYyOTA1
MzA0NlowgaUxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH
Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEWMBQGA1UECwwNSVQgRGVw
...
B9Kuzi4+x3+3W/Hpzup+cGu/Rm3BrZ9EQuLU0l8/51o5++VJ0eYjO8sXmnf/OD9g
m4SHlaIv1I9iF6xDbFSqVDhoyXZfci+Fp9Yg8IfdnRPuyhm+A9n80IpOVptMkHgH
5WHuteE3p7ZWz0sCHXihbt6P03Sp8VrN8TzBkRVDaGMMEErXq17dbX6FAWzcwreA
I9MyC457hKbNvkRuMWyYTuTWXXAA15sCyyLsG6LuOuH0nexW7NdwipKzNq6QAtqT
Evt/+OmEhVrQFllEeW9KT2AKab8FA4/F4SHBl8J1JMeZ+jgJ9DWeRYgUUGzj82bu
7nI27hEgpmT3Oz2a5WGbHRl7ryTNcPkYx1UOo1/7dIN8dZDRxdK31ZcXhwfRs/bu
YBt/NGRaiAv5+RsA+qytjmgLZyTWjyAeKSHsL+OU4R5IvrLOpl6O
-END CERTIFICATE-
 1 s:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION 
AUTHORITY/CN=CA Company Name/emailAddress=XXX@
   i:/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION 
AUTHORITY/CN=CA Company Name/emailAddress=XXX@

-BEGIN CERTIFICATE-
MIIF3jCCA8YCCQDf2f6HjwgkqTANBgkqhkiG9w0BAQ0FADCBsDELMAkGA1UEBhMC
SEsxDjAMBgNVBAgMBUhLU0FSMRAwDgYDVQQHDAdDZW50cmFsMRYwFAYDVQQKDA1D
b2xvc3NhbCBNaW5kMSAwHgYDVQQLDBdDRVJUSUZJQ0FUSU9OIEFVVEhPUklUWTEZ
MBcGA1UEAwwQQ0EgQ29sb3NzYWwgTWluZDEqMCgGCSqGSIb3DQEJARYbcGV0ZXIu
a2FobEBjb2xvc3NhbG1pbmQuY29tMB4XDTE1MDYxNDA0MDA1OVoXDTI1MDYxMTA0
MDA1OVowgbAxCzAJBgNVBAYTAkhLMQ4wDAYDVQQIDAVIS1NBUjEQMA4GA1UEBwwH
Q2VudHJhbDEWMBQGA1UECgwNQ29sb3NzYWwgTWluZDEgMB4GA1UECwwXQ0VSVElG

riwfRMSnfXTQWtv1pkV+vGk02tuZQSatY6v18Uw0EdeuwfrV8n4WBYXCbzDQoQsa
Jipzub5H/5u8nIIUFPFeTeqnaRihjFJfFQkTH8lteVkq0ctRHVF4Il0OfigW4Q0j
CJ/jcarQ5gQa8l1SOZIj1OqwEYaLeruc7U6gn+PEZPhxw0jPJBCjo3eBI4sIpWOe
JpB0S1JHhzFLnyZTQmat0qDxbmWW/PqYj8TAGskBTh+OVdqvxXVbNVv9pUtVV/oy
x8l7mOfPWYQlbhD+b7Rk2Qc+o6ohL5XXCm66vJoMbD86eaMegtcLrq7eG03I8EfO
F8seAmJ4aQ89dlFvcbLwdhYoDq02BtcoCLkSQlRTng3pdMuITdSoTczbusmPlvI6
dOw+FBqbIL+bAGHdUrQJJgZ5MhbN6V+a/Ntkn7ByaYRPO0yAJ0DrytkGR6tCzNLs
egZqM8EcD56riKdlGv2OSe2+
-END CERTIFICATE-
---
Server certificate
subject=/C=US/ST=State/L=Town/O=Company Name/OU=IT 
Department/CN=some.server.host/emailAddress=XXX@
issuer=/C=US/ST=State/L=Town/O=Company Name/OU=CERTIFICATION 
AUTHORITY/CN=CA Company Name/emailAddress=XXX@

---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4074 bytes and written 373 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 5120 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SH

Re: Dovecot 2.3.0 TLS

2018-01-23 Thread Mark Moseley 
On Tue, Jan 23, 2018 at 10:05 AM, Aki Tuomi  wrote:

>
> > On January 23, 2018 at 7:09 PM Arkadiusz Miśkiewicz 
> wrote:
> >
> >
> > On Thursday 11 of January 2018, Aki Tuomi wrote:
> >
> > > Seems we might've made a unexpected change here when we revamped the
> ssl
> > > code.
> >
> > Revamped, interesting, can it support milions certs now on single
> machine? (so
> > are certs loaded by demand and not wasting memory)
> >
> > > Aki
> >
> >
> > --
> > Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
>
> Unfortunately not. This time round it was about putting the ssl code
> mostly in one place, so that we use same code for all SSL connections.
>
>

Just to chime in, having some way of supporting SSL certs dynamically would
be tremendously useful. Like splitting out the retrieval of certs/key to a
socket, that would typically just be a built-in regular dovecot service
("go and get the certs that are configured in dovecot configs"), but could
also be a custom unix listener that could return certs/keys. Dovecot would
send in the local IP/port and/or SNI name (if there was one) to the socket
and then use whatever comes back. A perl/python/etc script doing the unix
listener could then grab the appropriate cert/key from wherever (and
dovecot would presumably have a time-based cache for certs/keys).  This is
just wish-listing :)

Currently, I've got a million different domains on my dovecot boxes, so
allowing them all to use per-domain SSL is a bit challenging. I've been
searching for an SSL proxy that supports something like nginx/openresty's
"ssl_certificate_by_lua_file" (and can communicate the remote IP to dovecot
like haproxy does) to put in front of dovecot, to no avail. Having
something like that built directly into dovecot would be a dream -- or that
can at least farm that functionality out to a custom daemon).

Re: Dovecot 2.3.0 TLS

2018-01-23 Thread Aki Tuomi 

> On January 23, 2018 at 7:09 PM Arkadiusz Miśkiewicz  wrote:
> 
> 
> On Thursday 11 of January 2018, Aki Tuomi wrote:
> 
> > Seems we might've made a unexpected change here when we revamped the ssl
> > code. 
> 
> Revamped, interesting, can it support milions certs now on single machine? 
> (so 
> are certs loaded by demand and not wasting memory)
> 
> > Aki
> 
> 
> -- 
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Unfortunately not. This time round it was about putting the ssl code mostly in 
one place, so that we use same code for all SSL connections.

Aki

Re: Dovecot 2.3.0 TLS

2018-01-23 Thread Arkadiusz Miśkiewicz 
On Thursday 11 of January 2018, Aki Tuomi wrote:

> Seems we might've made a unexpected change here when we revamped the ssl
> code. 

Revamped, interesting, can it support milions certs now on single machine? (so 
are certs loaded by demand and not wasting memory)

> Aki


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: Dovecot 2.3.0 TLS

2018-01-23 Thread Odhiambo Washington 
On 23 January 2018 at 10:35, Aki Tuomi  wrote:

>
>
> On 22.01.2018 22:14, Odhiambo Washington wrote:
>
>
>
> On 22 January 2018 at 23:10, Matthias Fechner  wrote:
>
>> Dear Odhiambo,
>>
>> Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
>>
>> ...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and
>> 9.3
>> and my reports were ignored, so should I assume support for those has
>> been dropped?
>>
>> Support for FreeBSD 8.4 stopped August 1, 2015.
>> Support for FreeBSD 9.3 stopped December 31, 2016
>>
>> Please see here:
>> https://www.freebsd.org/security/unsupported.html
>>
>> You should really upgrade to current version 10.4 or 11.1.
>>
>> Gruß
>> Matthias
>>
>> Hello Matthias,
>
> I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
> I am not really planning to upgrade now, unless I am told that Dovecot
> 2.3.x will not compile on them. In which case I can let them run the
> version they have and forget about 2.3.
> Until I hear such from Aki or Timo, I will wait :-)
>
>
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>
> Have you tried compiling latest 2.3.0 instead of RC?
>
> Aki
>

Hello Aki,

I didn't even know that 2.3 was released. After the disappointment with the
RC, I kinda got withdrawn.
I have just tested the 2.3 release and it compiles successfully on all my
servers.

Thank you.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: Dovecot 2.3.0 TLS

2018-01-22 Thread Aki Tuomi 


On 22.01.2018 22:14, Odhiambo Washington wrote:
>
>
> On 22 January 2018 at 23:10, Matthias Fechner  > wrote:
>
> Dear Odhiambo,
>
> Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
>> ...and I am still unable to successfully compile 2.3RC on FreeBSD
>> 8.4 and 9.3
>> and my reports were ignored, so should I assume support for
>> those has been dropped?
>
> Support for FreeBSD 8.4 stopped August 1, 2015.
> Support for FreeBSD 9.3 stopped December 31, 2016
>
> Please see here:
> https://www.freebsd.org/security/unsupported.html
> 
>
> You should really upgrade to current version 10.4 or 11.1.
>
> Gruß
> Matthias
>
> Hello Matthias,
>
> I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
> I am not really planning to upgrade now, unless I am told that Dovecot
> 2.3.x will not compile on them. In which case I can let them run the
> version they have and forget about 2.3.
> Until I hear such from Aki or Timo, I will wait :-)
>
>  
>
>
>
> -- 
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."

Have you tried compiling latest 2.3.0 instead of RC?

Aki

Re: Dovecot 2.3.0 TLS

2018-01-22 Thread Odhiambo Washington 
On 22 January 2018 at 23:10, Matthias Fechner  wrote:

> Dear Odhiambo,
>
> Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
>
> ...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and
> 9.3
> and my reports were ignored, so should I assume support for those has
> been dropped?
>
> Support for FreeBSD 8.4 stopped August 1, 2015.
> Support for FreeBSD 9.3 stopped December 31, 2016
>
> Please see here:
> https://www.freebsd.org/security/unsupported.html
>
> You should really upgrade to current version 10.4 or 11.1.
>
> Gruß
> Matthias
>
>
> Hello Matthias,

I am running the latest version of Dovecot on FreeBSD 8.4, 9.3 and 11.
I am not really planning to upgrade now, unless I am told that Dovecot
2.3.x will not compile on them. In which case I can let them run the
version they have and forget about 2.3.
Until I hear such from Aki or Timo, I will wait :-)





-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: Dovecot 2.3.0 TLS

2018-01-22 Thread Matthias Fechner 
Dear Odhiambo,

Am 22.01.2018 um 19:58 schrieb Odhiambo Washington:
> ...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4
> and 9.3
> and my reports were ignored, so should I assume support for those
> has been dropped?

Support for FreeBSD 8.4 stopped August 1, 2015.
Support for FreeBSD 9.3 stopped December 31, 2016

Please see here:
https://www.freebsd.org/security/unsupported.html

You should really upgrade to current version 10.4 or 11.1.

Gruß
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook

Re: Dovecot 2.3.0 TLS

2018-01-22 Thread Odhiambo Washington 
On 11 January 2018 at 14:29, Aki Tuomi  wrote:

>
>
> On 11.01.2018 13:28, Hauke Fath wrote:
> > On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
> >> Can you try if it works if you concatenate the cert and cert-chain
> >> to single file? We'll start looking if this is misunderstanding or bug.
> > This is a production machine, so I would rather stick with the
> > downgrade until you've looked into the issue. I went home late
> > yesterday.  ;)
> >
> > Cheerio,
> > Hauke
> >
>
> Fine. You might want to invest into a test environment, by the way. It's
> far more safe to try out new major releases and stuff. =)
>
> Aki
>

...and I am still unable to successfully compile 2.3RC on FreeBSD 8.4 and
9.3
and my reports were ignored, so should I assume support for those has
been dropped?




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: Dovecot 2.3.0 TLS

2018-01-22 Thread Olaf Hopp 

On 01/11/2018 12:22 PM, Aki Tuomi wrote:



On 11.01.2018 13:20, Hauke Fath wrote:

On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:

Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = 

Seems we might've made a unexpected change here when we revamped the ssl
code. Can you try if it works if you concatenate the cert and cert-chain
to single file? We'll start looking if this is misunderstanding or bug.

Aki



Hello,
let me confirm this issue.
I have a setup similar to Hauke Fath. Doing the workaround suggested by Aki

 cat /etc/openssl/certs/ca-cert-chain.pem >> /etc/openssl/certs/server.cert

and removing "ssl_ca" from the config file presents the correct CA-Chain.
Whereas the original config presented my three time my own server cert as chain.


Since server certs tend to change more frequent than the CA chains
I really want to keep them in separate files.

So this is really a show stopper for me.

CU, Olaf




--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.




smime.p7s
Description: S/MIME Cryptographic Signature

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Hauke Fath 
On Thu, 11 Jan 2018 13:29:02 +0200, Aki Tuomi wrote:
> You might want to invest into a test environment, by the way. It's
> far more safe to try out new major releases and stuff. =)

Fair enough. 

With SSL certs, this gets a bit involved, though. This is a small site 
with a few dozen users, so I have a bit of flexibility. And in the 
present case a test bed wouldn't have saved me: The first reports came 
in a week after roll-out, mainly from users of android clients. I don't 
know if the desktop clients cache the intermediate certs, or if they 
just don't care.

Cheerio,
hauke

-- 
 The ASCII Ribbon CampaignHauke Fath
() No HTML/RTF in emailInstitut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
 Respect for open standards  Ruf +49-6151-16-21344

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Aki Tuomi 


On 11.01.2018 13:28, Hauke Fath wrote:
> On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
>> Can you try if it works if you concatenate the cert and cert-chain
>> to single file? We'll start looking if this is misunderstanding or bug.
> This is a production machine, so I would rather stick with the 
> downgrade until you've looked into the issue. I went home late 
> yesterday.  ;)
>
> Cheerio,
> Hauke
>

Fine. You might want to invest into a test environment, by the way. It's
far more safe to try out new major releases and stuff. =)

Aki

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Hauke Fath 
On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote:
> Can you try if it works if you concatenate the cert and cert-chain
> to single file? We'll start looking if this is misunderstanding or bug.

This is a production machine, so I would rather stick with the 
downgrade until you've looked into the issue. I went home late 
yesterday.  ;)

Cheerio,
Hauke

-- 
 The ASCII Ribbon CampaignHauke Fath
() No HTML/RTF in emailInstitut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
 Respect for open standards  Ruf +49-6151-16-21344

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Aki Tuomi 


On 11.01.2018 13:20, Hauke Fath wrote:
> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert =  ssl_key =  ssl_ca = 
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(0006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
> Darmstadt/CN=TUD CA G01/emailAddress=tud...@hrz.tu-darmstadt.de
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> [...]
> %
>

Seems we might've made a unexpected change here when we revamped the ssl
code. Can you try if it works if you concatenate the cert and cert-chain
to single file? We'll start looking if this is misunderstanding or bug.

Aki

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Hauke Fath 
On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert =

Re: Dovecot 2.3.0 TLS

2018-01-11 Thread Aki Tuomi 


On 11.01.2018 12:18, Hauke Fath wrote:
> All,
>
> our dovecot installation provides a bundle of intermedia CA 
> certificates using the ssl_ca option.
>
> 2.3.0 does not supply the bundle, resulting in various clients either 
> complaining about an unverifiable server cert, or quietly not 
> connecting. The log has
>
> Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking: 
> SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
> alert certificate unknown: SSL alert number 46, 
> session=
>
> We fixed the issue by downgrading to 2.2.33.2.
>
> Cheerio,
> hauke
>

Was the certificate path bundled in the server certificate?

Aki

Dovecot 2.3.0 TLS

2018-01-11 Thread Hauke Fath 
All,

our dovecot installation provides a bundle of intermedia CA 
certificates using the ssl_ca option.

2.3.0 does not supply the bundle, resulting in various clients either 
complaining about an unverifiable server cert, or quietly not 
connecting. The log has

Jan  5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth 
attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS handshaking: 
SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 
alert certificate unknown: SSL alert number 46, 
session=

We fixed the issue by downgrading to 2.2.33.2.

Cheerio,
hauke

-- 
 The ASCII Ribbon CampaignHauke Fath
() No HTML/RTF in emailInstitut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
 Respect for open standards  Ruf +49-6151-16-21344