[Dovecot] Dovecot SSL issues

Tom Hendrikx tom at whyscream.net
Fri Jan 29 13:27:35 EET 2010


Spyros Tsiolis wrote:
>     * Trying protocol imap/ssl, Port 993:
> 
>           ERROR - The server returned the following error message:
> 
>           SECURITY PROBLEM: insecure server advertised AUTH=PLAINCertificate failure for localhost: self signed certificate:
>           /C=GR/ST=Kerkyra/L=Kerkyra/O=The Company Name/OU=IMAP
>           server/CN=webmail.thecompanyname.gr/emailAddress=postmaster at webmail.thecompanyname.gr
>
> From what I understand, it doesn't like the certificate.
> However, I've followed a howto document step-by-step and did what
> is documented.

The webmail connects to server 'localhost', but the SSL certificate that
is presented does not contain hostname 'localhost', but
'webmail.thecompanyname.gr'.

This error is harmless, but you could set up dovecot to listen for both
ssl and non-ssl connections, and set up your webmail to use the non-ssl
connection: ssl over localhost is probably a waste of cpu cycles.

> Now, if I click on "Get Mail" button on top of the TB window, I get a 
> pop-up window with the following message :
> 
> ------
> Server :
> Location : <Servers' IP Address>:993
> Certificate Status :
> This site attempts to identify itself with invalid information.
> 
> Wrong Site :
> Certificate belongs to a different site, which could indicate an
> identity theft.

This is the same issue as above: you instruct the client to connect to
host '1.2.3.4', but the SSL certificate does not contain '1.2.3.4', but
'webmail.thecompanyname.gr'. TB tells you about this.

The name in the certificate (CN) must match the hostname that is used to
connect to by the client. When you tell your client to connect to
'imap.thecompanyname.gr', use a certificate that contains
'imap.thecompanyname.gr' as the CN.

> 
> Unknown Identity :
> Certificate is not trusted, because it hasn't been verified by a
> recognized authority.
> ------

You use a self-signed certificate, and not one that is bought from a
'trusted' certificate authority.

> ------
> You cannot log in to <servers' ip address> because you have enabled 
> secure authentication and this server does not support it.
> To log in, turn off secure authentication for this account.
> ------

Try to unset "CHECK_ON : Use secure authentication" in thunderbird. This
has no use since you are already sending your password over ssl.

--
Regards,
	Tom
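
Added example, not part of the message above or of Dovecot: a small Python check of the name matching a client performs, run against a constructed certificate that carries only the CN from this thread. It also covers subjectAltName entries and wildcards, which the thread does not discuss; the function names and the dict layout (the shape Python's `ssl` `getpeercert()` returns) are assumptions of this example.

```python
import ipaddress

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns;
# like the self-signed certificate in the thread it carries only a subject CN.
THREAD_CERT = {
    "subject": ((("commonName", "webmail.thecompanyname.gr"),),),
}

def _dns_match(pattern, host):
    """Compare one certificate name to a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p_labels[0] == "*" and len(p_labels) > 2 and h_labels[0]:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_names(cert):
    """Return (dns_names, ip_addresses) that a client compares against."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns:
        # No DNS entry in subjectAltName: fall back to the subject CN.
        dns = [v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def matches(cert, connect_to):
    """True if the name given to the client is covered by the certificate."""
    dns, ips = cert_names(cert)
    try:
        target = ipaddress.ip_address(connect_to)
    except ValueError:
        return any(_dns_match(name, connect_to) for name in dns)
    # An IP literal matches only an IP subjectAltName entry, never a CN.
    return any(ipaddress.ip_address(ip) == target for ip in ips)

if __name__ == "__main__":
    # The three names a client in this thread could be told to connect to.
    for name in ("localhost", "1.2.3.4", "webmail.thecompanyname.gr"):
        verdict = "ok" if matches(THREAD_CERT, name) else "MISMATCH"
        print(f"{name:28} {verdict}")
```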