STARTTLS issue with sieve
Andreas Oster
aoster at novanetwork.de
Thu Jul 13 08:21:31 EEST 2017
On 07.07.2017 at 08:15, Andreas Oster wrote:
> Hi all,
>
> I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks
> ago I had to replace our dovecot certificate due to expiration. In the
> past I did use a self-signed certificate, but because we now have a
> little openssl based CA I have decided to create signed certificate for
> imaps. Dovecot is happily accepting the new certificate which has
> integrated the whole cert-chain. Unfortunately Pigeonhole does not seem
> to like the certificate:
>
> <--snip
>
> gnutls-cli --starttls -p4190 mail.novanetwork.local
>
> Processed 173 CA certificate(s).
> Resolving 'mail.novanetwork.loc'...
> Connecting to '10.2.1.23:4190'...
>
> - Simple Client Mode:
>
> "IMPLEMENTATION" "Dovecot Pigeonhole"
> "SIEVE" "fileinto reject envelope encoded-character vacation subaddress
> comparator-i;ascii-numeric relational regex imap4flags copy include
> variables body enotify environment mailbox date ihave"
> "NOTIFY" "mailto"
> "SASL" ""
> "STARTTLS"
> "VERSION" "1.0"
> OK "Dovecot ready."
>
> STARTTLS
> OK "Begin TLS negotiation now."
>
> -->
>
> At this point the TLS process does not proceed. When I press CTRL-D I
> get the following output:
>
> *** Starting TLS handshake
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
> - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA
> Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer
> `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA
> Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed
> using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires
> `2020-06-22 06:58:40 UTC', SHA-1 fingerprint
> `51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
> Public Key ID:
> 165eaaa4b36c091ec8f32103da003a1f43b1c57d
> Public key's random art:
> +--[ RSA 2048]----+
> | .o.. |
> |. .o. . E |
> |o.. .. . |
> |= o . + |
> |+* o . S |
> |o==. o o |
> | .=o+.. |
> | .ooo |
> | .o |
> +-----------------+
>
> - Certificate[1] info:
> - subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen
> GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer
> `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
> RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03
> 11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
> - Certificate[2] info:
> - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA
> Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer
> `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
> RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30
> 11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
>
>
> I have checked the certificate with:
>
> openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
>
> and also with:
>
> openssl verify -verbose -CAfile
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
>
>
>
> Does anyone have an idea what could be the cause of the problem and how
> to fix it?
>
> Thank you for your kind help.
>
> best regards
> Andreas
>
Hi all,
in another posting Stephan Bosch pointed out that there is already a fix:
https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355f7f2fa89f
This small change also resolved my sieve login issue.
best regards
Andreas
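As an added example (not part of the thread, and not Dovecot's or Pigeonhole's own code), the following Python client performs the same ManageSieve exchange that gnutls-cli runs above: read the capability greeting, send STARTTLS, wait for the OK, and only then start the TLS handshake with chain verification against a CA bundle. The host name, port and CA file path are assumptions; the sample greeting is constructed from the banner in the post.

```python
import socket
import ssl

# Constructed sample greeting, modelled on the banner quoted in the post.
SAMPLE_GREETING = (
    '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    '"SIEVE" "fileinto reject envelope vacation"\r\n'
    '"NOTIFY" "mailto"\r\n'
    '"SASL" ""\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "Dovecot ready."\r\n'
)

def parse_capabilities(text):
    """Parse a ManageSieve (RFC 5804) capability listing up to its OK/NO/BYE
    line. Returns (capabilities dict, final response line or None)."""
    caps = {}
    for line in text.splitlines():
        if line.startswith(("OK", "NO", "BYE")):
            return caps, line
        fields = line.split('"')[1::2]  # keep only the quoted strings
        if fields:
            caps[fields[0]] = fields[1] if len(fields) > 1 else ""
    return caps, None

def read_until_response(rfile):
    """Read lines until the server's OK/NO/BYE line and return them as text."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("utf-8", "replace"))
        if lines[-1].startswith(("OK", "NO", "BYE")):
            return "".join(lines)

def check_managesieve_starttls(host, port=4190, cafile=None):
    """Negotiate STARTTLS on a ManageSieve port and verify the server chain
    against cafile (or the system store if None). Returns (tls version,
    peer subject); raises ssl.SSLCertVerificationError if the chain is
    not trusted, which is the condition gnutls-cli reported in the post."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: assumed path
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        caps, _ = parse_capabilities(read_until_response(rfile))
        if "STARTTLS" not in caps:
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        _, status = parse_capabilities(read_until_response(rfile))
        if not status.startswith("OK"):
            raise RuntimeError("STARTTLS refused: " + status.strip())
        # The handshake starts only after the OK, on the same socket.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")
```

Calling `check_managesieve_starttls("mail.example.test", cafile="/path/to/ca-chain.pem")` from a monitoring job reproduces the trust check that `openssl verify` does offline, but against what the server actually sends on port 4190.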