LMPT SSL

2015-07-27 Thread Piotr Rotter

Hello,

I tried to enable a TLS connection from postfix to dovecot lmtp.
Unfortunately I have a problem with the certificate; postfix shows,


2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS 
connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with 
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


I checked certs by openssl s_client:
#openssl s_client -connect localhost:24 -showcerts -starttls smtp 
-CApath /etc/ssl/certs/


And I get

didn't found starttls in server response, try anyway...
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, 
OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, 
OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl

verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, 
OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl

verify error:num=21:unable to verify the first certificate
verify return:1

It looks like dovecot lmtp sends the same certificate 3 times.
I made the same test for imap in the same dovecot instance:

#openssl s_client -connect localhost:143 -showcerts -starttls imap 
-CApath /etc/ssl/certs/

CONNECTED(0003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, 
OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl

verify return:1

For imap it looks ok. Why does lmtp show a wrong certs list?

# dovecot --version
2.2.16

--
Pozdrawiam! / Best regards!
--
Piotr Rotter
Konsultant IT / IT Consultant
===
http://www.ACTIVE24.pl - Powerful hosting - surprisingly easy
===
ul. Barkocińska 6, 03-543 Warszawa PL
Email: b...@active24.pl
Tel: +48 222 950 446

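The s_client transcript and the Postfix log line in the post above carry two facts that are easy to misread, so here is an added example (my code, not from the original post nor from Dovecot, Postfix or OpenSSL) that parses both. OpenSSL reports verify errors 20, 27 and 21 one after another, all at depth=0 and all for the same subject, when the server presents only its leaf certificate and the issuer is neither sent nor found under -CApath: that is one certificate reported three times, not three copies sent. When the full -showcerts output is pasted, the script also counts the PEM blocks the server actually sent and names the issuer that is missing. On the Postfix side, "Untrusted TLS connection established" means the session is encrypted but the peer certificate did not verify; at lmtp_tls_security_level = may or encrypt Postfix delivers anyway, and only "Trusted" or "Verified" mean the LMTP server was authenticated. A side note on the probe itself: s_client's smtp mode sends EHLO while LMTP expects LHLO, which is where "didn't found starttls in server response" comes from; newer OpenSSL (1.1.x and later) accepts -starttls lmtp. The transcripts and the log line in the block are constructed from the output quoted in the thread.

```python
"""Read an `openssl s_client -showcerts` transcript and a Postfix TLS log line.

Added example for this thread; not code from the original post, Dovecot,
Postfix or OpenSSL. The transcripts and the log line at the bottom are
constructed from the output quoted in the thread.
"""
import re

# s_client reports these three X509 verify errors, one after another and all
# at depth=0 for the same subject, when the server presents only its leaf
# certificate and the issuer is neither sent nor found under -CApath.
LEAF_ONLY_ERRORS = {20, 21, 27}

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.+)$")
ERR_RE = re.compile(r"^verify error:num=(\d+):")
ISSUER_RE = re.compile(r"^\s*i:(.+)$")            # 'Certificate chain' section
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----$", re.M)
POSTFIX_TLS_RE = re.compile(
    r"postfix/(?:lmtp|smtp)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)


def parse_s_client(transcript):
    """Return ([(depth, subject, [verify error numbers]), ...], [issuers])."""
    entries, issuers, current = [], [], None
    for raw in transcript.splitlines():
        line = raw.rstrip()
        if (m := DEPTH_RE.match(line)):
            current = [int(m.group(1)), m.group(2).strip(), []]
            entries.append(current)
        elif (m := ERR_RE.match(line)) and current is not None:
            current[2].append(int(m.group(1)))
        elif (m := ISSUER_RE.match(line)):
            issuers.append(m.group(1).strip())
    return [tuple(e) for e in entries], issuers


def diagnose_chain(transcript):
    """Classify what the server presented in the handshake."""
    entries, issuers = parse_s_client(transcript)
    depths = sorted({d for d, _, _ in entries})
    subjects = {s for _, s, _ in entries}
    errors = [e for _, _, errs in entries for e in errs]
    if depths and not errors:
        verdict = "ok"
    elif depths == [0] and len(subjects) == 1 and set(errors) <= LEAF_ONLY_ERRORS:
        verdict = "leaf-only"          # one leaf, reported once per error
    else:
        verdict = "other-error"
    return {
        "verdict": verdict,
        "max_depth": max(depths) if depths else None,
        "errors": errors,
        # PEM blocks the server sent; only meaningful with -showcerts output.
        "sent_certs": len(PEM_RE.findall(transcript)),
        # For a leaf-only chain: the intermediate the server should have sent.
        "missing_issuer": issuers[0] if verdict == "leaf-only" and issuers else None,
    }


def classify_postfix_tls(logline):
    """Return (trust word, server_authenticated) for a Postfix TLS line, else None.

    'Untrusted': peer certificate did not verify against the client trust store.
    'Anonymous': no certificate at all. Only 'Trusted'/'Verified' mean the
    server was authenticated; at lmtp_tls_security_level = may or encrypt
    Postfix delivers regardless of the trust word.
    """
    m = POSTFIX_TLS_RE.search(logline)
    if not m:
        return None
    return m.group("trust"), m.group("trust") in ("Trusted", "Verified")


LEAF = ("OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, "
        "OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl")

# Constructed from the LMTP transcript in the thread, plus the chain section
# that -showcerts prints (PEM body omitted in this sample).
LMTP_TRANSCRIPT = f"""CONNECTED(00000003)
didn't found starttls in server response, try anyway...
depth=0 {LEAF}
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 {LEAF}
verify error:num=27:certificate not trusted
verify return:1
depth=0 {LEAF}
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=GT46258006/OU=Domain Control Validated - RapidSSL(R)/CN=mail.active24.pl
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
"""

# Constructed from the IMAP transcript in the thread.
IMAP_TRANSCRIPT = f"""CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 {LEAF}
verify return:1
"""

# The postfix/lmtp line quoted in the thread.
POSTFIX_LINE = ("2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS "
                "connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with "
                "cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)")

if __name__ == "__main__":
    print("lmtp:", diagnose_chain(LMTP_TRANSCRIPT))
    print("imap:", diagnose_chain(IMAP_TRANSCRIPT))
    print("postfix:", classify_postfix_tls(POSTFIX_LINE))
```

Run it against a pasted transcript and the verdict separates the two cases above: the LMTP probe yields "leaf-only" with one PEM block and RapidSSL SHA256 CA - G3 as the missing issuer, the IMAP probe yields "ok" with a chain of depth 2.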

Re: LMPT SSL

2015-07-27 Thread Steffen Kaiser

On Mon, 27 Jul 2015, Piotr Rotter wrote:

I tried to enable a TLS connection from postfix to dovecot lmtp. Unfortunately I
have a problem with the certificate; postfix shows,


post the output of doveconf -n



2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS 
connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with 
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


-- 
Steffen Kaiser



Re: LMPT SSL

2015-07-27 Thread Piotr Rotter

# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.18.9-hardened x86_64 Gentoo Base System release 2.2
auth_mechanisms = plain login digest-md5 cram-md5 ntlm apop
auth_verbose = yes
default_client_limit = 1
default_process_limit = 1000
default_vsz_limit = 512 M
deliver_log_format = from=%f, msgid=%m, psize=%p: %$
disable_plaintext_auth = no
dotlock_use_excl = no
doveadm_password = yjH5KiEpCWAVLHtt
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Active24 Sp. z o.o.
login_log_format_elements = user=%u method=%m rip=%r lip=%l mpid=%e %k session=%{session}
login_trusted_networks = 192.168.67.0/27
mail_access_groups = vmail
mail_fsync = always
mail_gid = 502
mail_location = maildir:~/
mail_log_prefix = %s(%u) session=%{session}: 
mail_plugins = mail_log notify quota
mail_uid = 502
maildir_very_dirty_syncs = yes
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  autosubscribe = Trash
  autosubscribe2 = Spam
  autosubscribe3 = Sent
  autosubscribe4 = Drafts
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append append
  mail_log_fields = box msgid from size
  quota = maildir
  quota2 = maildir:user quota
  quota_rule = *:storage=10GB
  quota_rule2 = *:messages=1
  quota_rule3 = Trash:storage=+10M
  quota_rule4 = Trash:messages=+100
  quota_warning = storage=80%% quota-warning 80 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=100%% quota-warning 100 %u
  sieve_global_path = /etc/dovecot/sieve/default.sieve
}
sendmail_path = /usr/sbin/postfix
service auth {
  client_limit = 2
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service doveadm {
  unix_listener doveadm-server {
    mode = 0666
  }
}
service imap-login {
  process_limit = 4096
  process_min_avail = 6
  service_count = 1000
}
service imap {
  process_limit = 4096
  process_min_avail = 6
  service_count = 100
}
service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
    ssl = yes
  }
  process_limit = 100
  process_min_avail = 5
  user = vmail
}
service pop3-login {
  process_limit = 4096
  process_min_avail = 6
  service_count = 1000
}
service pop3 {
  process_limit = 4096
  process_min_avail = 6
  service_count = 100
}
service quota-warning {
  executable = script /opt/bin/quota-warning
  unix_listener quota-warning {
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_ca = /etc/ssl/mail.active24.pl/mail.active24.pl.ca
ssl_cert = /etc/ssl/mail.active24.pl/mail.active24.pl.crt
ssl_key = /etc/ssl/mail.active24.pl/mail.active24.pl.key
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota sieve
  syslog_facility = mail
}
protocol lda {
  info_log_path =
  log_path =
  mail_plugins = sieve quota
  syslog_facility = mail
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = mail_log notify quota imap_quota
}
protocol pop3 {
  mail_plugins = mail_log notify quota quota
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o
  pop3_save_uidl = yes
}

On 27.07.2015 at 15:03, Steffen Kaiser wrote:

On Mon, 27 Jul 2015, Piotr Rotter wrote:


I tried to enable a TLS connection from postfix to dovecot lmtp.
Unfortunately I have a problem with the certificate; postfix shows,


post the output of doveconf -n



2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS
connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

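As an added example that is not part of the original thread or of Dovecot, here is a parser for doveconf -n output together with a few checks on the TLS-relevant settings seen in the configuration posted above. The checks follow what Dovecot documents: the ssl_cert file is where the server's certificate chain goes (leaf first, intermediates concatenated after it), while ssl_ca is documented for verifying client certificates (ssl_verify_client_cert), so an intermediate that is only referenced from ssl_ca is not where Dovecot tells you to put it. Two further findings concern the dump itself: disable_plaintext_auth = no accepts passwords over unencrypted sessions, and doveconf -n prints doveadm_password verbatim, so that secret should be rotated once a dump has been posted to a public list. The sample configuration is a constructed excerpt of the posted one, with the password replaced by a placeholder and the values that the mail client had wrapped rejoined onto one line.

```python
"""Parse `doveconf -n` output and report on its TLS-relevant settings.

Added example for this thread; not code from the original post or from
Dovecot. DOVECONF_SAMPLE is a constructed excerpt of the posted config with
the password replaced by a placeholder.
"""
import re

BLOCK_OPEN = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{$")   # 'service lmtp {', 'plugin {'


def parse_doveconf(text):
    """Turn doveconf -n output into nested dicts.

    Scalars map to strings; blocks map to dicts keyed the way doveconf prints
    them ('service lmtp', 'inet_listener lmtp', 'plugin'). Repeated unnamed
    blocks (several passdb { } sections) would overwrite each other.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected closing brace")
            stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            key = m.group(1) if m.group(2) is None else f"{m.group(1)} {m.group(2)}"
            stack[-1][key] = {}
            stack.append(stack[-1][key])
            continue
        name, sep, value = line.partition("=")   # first '=' only: values may contain '='
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        stack[-1][name.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def check_tls(conf):
    """Return (severity, code, message) findings about the TLS-related settings."""
    findings = []
    if not conf.get("ssl_cert") or not conf.get("ssl_key"):
        findings.append(("error", "no-server-cert", "ssl_cert/ssl_key unset"))
    if conf.get("ssl_ca"):
        # Dovecot documents ssl_ca for client-certificate verification; the
        # documented place for the server's intermediates is the ssl_cert file.
        findings.append(("info", "ssl-ca-set",
                         "ssl_ca is set; server-chain intermediates belong in ssl_cert after the leaf"))
    for name, sub in conf.get("service lmtp", {}).items():
        if not (isinstance(sub, dict) and name.startswith("inet_listener")):
            continue
        where = f"{sub.get('address', '*')}:{sub.get('port', '?')}"
        if sub.get("ssl") == "yes":
            findings.append(("info", "lmtp-tls", f"{name} on {where} has ssl = yes"))
        else:
            findings.append(("warn", "lmtp-no-tls", f"{name} on {where} does not set ssl = yes"))
    if conf.get("disable_plaintext_auth") == "no":
        findings.append(("warn", "plaintext-auth",
                         "disable_plaintext_auth = no: passwords accepted over unencrypted sessions"))
    if "doveadm_password" in conf:
        # doveconf -n prints this secret verbatim; rotate it once a dump has been shared.
        findings.append(("warn", "secret-in-dump", "doveadm_password is present in the dump"))
    return findings


DOVECONF_SAMPLE = r"""# 2.2.16: /etc/dovecot/dovecot.conf
disable_plaintext_auth = no
doveadm_password = PLACEHOLDER-NOT-THE-POSTED-VALUE
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  prefix =
}
plugin {
  quota_rule = *:storage=10GB
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}
service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
    ssl = yes
  }
  user = vmail
}
ssl_ca = /etc/ssl/mail.active24.pl/mail.active24.pl.ca
ssl_cert = /etc/ssl/mail.active24.pl/mail.active24.pl.crt
ssl_key = /etc/ssl/mail.active24.pl/mail.active24.pl.key
protocol lmtp {
  mail_plugins = quota sieve
}
"""

if __name__ == "__main__":
    for severity, code, message in check_tls(parse_doveconf(DOVECONF_SAMPLE)):
        print(f"{severity:5} {code:15} {message}")
```

Feed it the real dump (`doveconf -n | python3 this.py` with a small read from stdin) and the four findings for the posted configuration are ssl-ca-set, lmtp-tls, plaintext-auth and secret-in-dump; a configuration without ssl_cert/ssl_key gets no-server-cert instead.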