Re: [Dovecot] SSL cert problem

2013-07-11 Thread Ben Morrow
At  1PM -0700 on 11/07/13 you (Professa Dementia) wrote:
> 
> If you have access to a Unix / Linux system, you can use openssl with
> the s_client command to connect to your mail server, much as you would
> have done with telnet in the old days.  openssl shows all of the key
> exchange in detail and should be more than enough for you to be able to
> debug your problem.  Compare fingerprints of the keys you have stored
> with those being sent to/from the server.
> 
> Example:
> 
> openssl s_client -connect mail.mydomain.com:995

For STARTTLS that needs to be

openssl s_client -starttls imap -connect mail.mydomain.com:143

Ben



Re: [Dovecot] SSL cert problem

2013-07-11 Thread Professa Dementia
On 7/11/2013 11:47 AM, Peter von Nostrand wrote:
> Hi,
> I'm running a new dovecot 2.0.9 under Centos 6.4. I'm having an issue with
> SSL certificate not being accepted by the email client.
> I have my own CA and I have generated certificates for web usage without a
> problem.
> 
> For imaps and pop3s what I did was generate a certificate for the hostname
> of my dovecot server and then cat that cert with the intermediate and root
> CA certificates. No matter what thunderbird still complains with Unknown
> identity.

If you have access to a Unix / Linux system, you can use openssl with
the s_client command to connect to your mail server, much as you would
have done with telnet in the old days.  openssl shows all of the key
exchange in detail and should be more than enough for you to be able to
debug your problem.  Compare fingerprints of the keys you have stored
with those being sent to/from the server.

Example:

openssl s_client -connect mail.mydomain.com:995


Dem
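As an added example (not from the thread), a small Python script that takes the output of `openssl s_client -showcerts` as Dem suggests and checks what the server actually sent: whether the leaf matches the ssl_cert file on disk by SHA-256 fingerprint, whether each certificate is followed by its issuer (the order the cat'd file must have), and which CA the client must already trust. The s_client text and certificate bytes used here are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches the 's:'/'i:' pairs and the PEM blocks in s_client's "Certificate chain" section
# (works for both the old "/CN=" and the newer "CN = " name formats).
NAME_RE = re.compile(r"^\s*\d+\s+s:(.+)\n\s+i:(.+)$", re.M)
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_from_der(der):
    """Wrap raw bytes as a PEM block (used here only to build constructed samples)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def fingerprint(pem):
    """SHA-256 over the DER bytes, the value `openssl x509 -noout -fingerprint -sha256` prints."""
    body = CERT_RE.search(pem).group(1) if "BEGIN CERTIFICATE" in pem else pem
    der = base64.b64decode("".join(body.split()))
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())

def parse_chain(output):
    """Return the certs in the order the server sent them, each with subject/issuer/fingerprint."""
    names = NAME_RE.findall(output)
    pems = CERT_RE.findall(output)
    return [{"subject": s.strip(), "issuer": i.strip(), "fingerprint": fingerprint(p)}
            for (s, i), p in zip(names, pems)]

def diagnose(chain, local_leaf_pem):
    """Findings an admin wants before blaming the client: wrong file, broken order, trust anchor."""
    if not chain:
        return ["server sent no certificate at all"]
    findings = []
    if chain[0]["fingerprint"] != fingerprint(local_leaf_pem):
        findings.append("served leaf != ssl_cert on disk (stale file or wrong protocol section?)")
    for a, b in zip(chain, chain[1:]):          # each cert must be followed by its issuer
        if a["issuer"] != b["subject"]:
            findings.append("gap: %s needs issuer %s, got %s" % (a["subject"], a["issuer"], b["subject"]))
    last = chain[-1]
    anchor = last["subject"] if last["subject"] == last["issuer"] else last["issuer"]
    findings.append("client must already trust: " + anchor)   # a private CA must be imported by hand
    return findings

def fake_s_client_output(certs):
    """Constructed stand-in for `openssl s_client -showcerts` output from (subject, issuer, der) tuples."""
    lines = ["CONNECTED(00000003)", "---", "Certificate chain"]
    for n, (subj, iss, der) in enumerate(certs):
        lines += [" %d s:%s" % (n, subj), "   i:%s" % iss, pem_from_der(der).rstrip("\n")]
    return "\n".join(lines + ["---", ""])
```

Against a live server, feed `parse_chain` the captured output of `openssl s_client -connect host:995 -showcerts` (or `-starttls imap -connect host:143`) and `diagnose` the PEM file named by ssl_cert.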



Re: [Dovecot] SSL cert problem

2013-07-11 Thread Reindl Harald

Am 11.07.2013 21:51, schrieb Peter von Nostrand:
> On Thu, Jul 11, 2013 at 4:23 PM, Reindl Harald
>> because thunderbird does not trust your own CA by default
>> without import it there by hand - you can not expect to
>> cat your CA to the cert for the server and that is enough
>> to get truested by the client - if so everybody would do
>> this to make his DNS forgery successful
> 
> Sorry, I should specify that I already have my root CA certificates loaded in 
> thunderbird

much more important: you should reply to this on the list
and not off-list - fixed by me, no need to send it again





Re: [Dovecot] SSL cert problem

2013-07-11 Thread Reindl Harald


Am 11.07.2013 20:47, schrieb Peter von Nostrand:
> I'm running a new dovecot 2.0.9 under Centos 6.4. I'm having an issue with
> SSL certificate not being accepted by the email client.
> I have my own CA and I have generated certificates for web usage without a
> problem.
> 
> For imaps and pop3s what I did was generate a certificate for the hostname
> of my dovecot server and then cat that cert with the intermediate and root
> CA certificates. No matter what thunderbird still complains with Unknown
> identity.

because thunderbird does not trust your own CA by default
without importing it there by hand - you cannot expect to
cat your CA to the cert for the server and that is enough
to get trusted by the client - if so everybody would do
this to make his DNS forgery successful

please do not post debug logs anywhere without being asked

> This is the log:
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1:
> before/accept initialization [192.168.0.1]
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1:
> before/accept initialization [192.168.0.1]
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3
> read client hello A [192.168.0.1]

the below is clear because the client does not finish the TLS handshake

> Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts):
> rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown: SSL alert number 46


