[Dovecot] client certs with godaddy ssl cert
Harondel J. Sibble
help at pdscc.com
Mon Oct 13 12:01:47 EEST 2008
Note, the problem below also occurs with Thunderbird so it's something server
side, but the "what exactly" has me scratching my head...
On 11 Oct 2008 at 23:43, Harondel J. Sibble wrote:
>
>
> On 29 Sep 2008 at 8:40, Rainer Frey (Inxmail GmbH) wrote:
>
> > What is important: you can not self-sign each client certificate, but
> > you need a CA with a self-signed root instead. I think you understand
> > that already, just noting that for completeness.
> > Then you simply configure Dovecot as described in
> > http://wiki.dovecot.org/SSL/DovecotConfiguration
>
> > To sum it up: ssl_cert_file is responsible for server side TLS/SSL and
> > needs to contain the complete verification path for the server
> > certificate. It has no influence on client certs. ssl_ca_file is used
> > for client cert verification only, and does not need to cover the
> > server certificate.
>
> Okay, got this mostly working, currently testing with a Nokia e61i smartphone
> and having a problem which I'm not quite clear on where it lies, phone issue,
> postfix issue or dovecot sasl issue
>
> Here's the problem, I can successfully authenticate to dovecot via imap using
> client certs, however when I attempt to send an email, that is giving me
> errors as follows
>
> Oct 11 23:09:40 server postfix/smtpd[25720]: xsasl_dovecot_handle_reply: auth reply: FAIL?1?reason=Client didn't present valid SSL certificate
> Oct 11 23:09:40 server postfix/smtpd[25720]: warning: unknown[192.xxx.yyy.zzz]: SASL LOGIN authentication failed: Client didn't present valid SSL certificate
> Oct 11 23:09:40 server postfix/smtpd[25720]: > unknown[192.xxx.yyy.zzz]: 535 5.7.0 Error: authentication failed: Client didn't present valid SSL certificate
>
> On the phone, there is only the self signed personal cert used to
> authenticate for imap. Postfix is set to authenticate using the same self
> signed CA, server cert and server key.
>
> Any ideas on what I should look at next?
>
> I've already wiped all the certs from both the server and the phone and
> recreated a new CA, but same problem occurs.
>
> Kinda out of ideas, any suggestions?
> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating Solutions for the small and medium business computer user.
> help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>
--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
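
An added example, not part of the original message or of the Dovecot documentation: the quoted point that client certificates must be issued by a CA with a self-signed root, not self-signed one by one, checked with the openssl command line. The file names, subject names and helper functions are assumptions made for illustration; ca.pem stands in for the file ssl_ca_file would point at, and `openssl verify` only approximates the chain check the server performs.

```shell
#!/bin/sh
# Added example: CA-issued vs. individually self-signed client certificates.
# All file and subject names below are constructed for illustration.

# Create a CA key and its self-signed root certificate in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Mail CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a client certificate named $2, signed by the CA in directory $1.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

# Create a client certificate named $2 that signs itself (no CA involved).
self_signed_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Succeed only if certificate $2 chains to the CA file $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build one certificate of each kind and report how the CA file treats it.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && issue_client "$dir" phone-issued &&
        self_signed_client "$dir" phone-selfsigned || return 1
    for c in phone-issued phone-selfsigned; do
        if chains_to_ca "$dir/ca.pem" "$dir/$c.pem"; then
            echo "$c: accepted by CA file"
        else
            echo "$c: rejected by CA file"
        fi
    done
    rm -rf "$dir"
}

demo
```

Running the same `openssl verify -CAfile` check against the certificate actually installed on a client shows whether it chains to the CA file the server is configured with.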