[Dovecot] SSL / TLS Problem
Leander S.
leander.schaefer at googlemail.com
Mon Jul 12 20:34:36 EEST 2010
Oh, ofcourse - a pipe - silly me ;)
But no, I don't know how it came there - I must have accidently done a
typo while editing the mail. It looks like that on the server:
##
## SSL settings
##
ssl = yes
ssl_cert_file = /etc/ssl/mail/mail.cert
ssl_key_file = /etc/ssl/mail/mail.key
#ssl_key_password = passphrase
server [~]# cat /etc/ssl/mail/mail.cert
-----BEGIN CERTIFICATE-----
MIIC6TCCAlKgAwIBAgIJAN4Jfaj9QgEhMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
VQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJnMREwDwYDVQQHEwhO
ZXVicm9ubjEWMBQGA1UEChMNTmV0T2NlYW4gR21iSDETMBEGA1UECxMKV2ViSG9z
dGluZzEYMBYGA1UEAxMPc2VydmVyLm5ldG9jZWFuMSQwIgYJKoZIhvcNAQkBFhVh
ZG1pbkBzZXJ2ZXIubmV0b2NlYW4wHhcNMTAwNzExMTgwMzQ4WhcNMzAwNzA2MTgw
MzQ4WjCBqjELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVy
ZzERMA8GA1UEBxMITmV1YnJvbm4xFjAUBgNVBAoTDU5ldE9jZWFuIEdtYkgxEzAR
BgNVBAsTCldlYkhvc3RpbmcxGDAWBgNVBAMTD3NlcnZlci5uZXRvY2VhbjEkMCIG
CSqGSIb3DQEJARYVYWRtaW5Ac2VydmVyLm5ldG9jZWFuMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDFiBWAJ893Ocm4dooDHHkNRZcvC4N5qjfx1wywoS2DlnV4
GwBQPYcyewx5ptcjqq863r3rvHhbNeJbcnh8jNATTxto8r2NkadwccXw4LtqpfAS
A2dhuYt8zKhiI2tlfZNCzSzDmqid4NuxKiNQGNB6OU6/x2vp0ZFTwstIr7TMAwID
AQABoxUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAtlPa
GQ4Weyi9vlIDLL4PgGsNk4sR4Ca2gbYLTd5HaSkww+BKIfz1OkFEmsNozNSo19PJ
WaOp7exCN23j5Z/+qfZSGgUAelJHxRJ0Mc8YmtTuLKaNHxWYBJit3T3n1lbuFENe
vdh8oCo6GKjjm7RkbkEvTvdzrOdztXZt3Ij4gLE=
-----END CERTIFICATE-----
server [~]#
server [~]# cat /etc/ssl/mail/mail.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDFiBWAJ893Ocm4dooDHHkNRZcvC4N5qjfx1wywoS2DlnV4GwBQ
PYcyewx5ptcjqq863r3rvHhbNeJbcnh8jNATTxto8r2NkadwccXw4LtqpfASA2dh
uYt8zKhiI2tlfZNCzSzDmqid4NuxKiNQGNB6OU6/x2vp0ZFTwstIr7TMAwIDAQAB
AoGAZwRgyjR486IUvPo9YgAAddZ8UVG84L/Qa3UPLjLw7LaUTu4uDKr6Dm60A+Hq
Q7SprJcsD3x8fH0uryiVA8fgX7YU6SNOnW/F69asp66DLmuTHzWUJMknYhvbXpc/
mxOyOpbgKqCXQgVZvaRffTi5l6jafOn/HkShHVcCCb05WDkCQQD2PlcS39Q5PaAv
jJmVt9PoyYTFQlcriwljWHKXWI4bdroVYIGiw1Mu5xdKYv9mhvOdulpktzCBaxUd
ki/VZS9tAkEAzVuoBFgazVRIYOY1AK1P8Bu84Zp1erqRPf5+a99ppx1F/xbefP5T
gZwEY18krRzvYbfuJDeBIfSw9OBKUIwTLwJBALi9bHYslvua0GLcCR3aHJG5HnMf
omZ4mUJ/SPli5rqUCGehT6DdCbtWhJK6UwKInJzpAogtJ6bwv5a/5kMi9sECQQC/
miQCoZ2oNFovprqPPiVWdtrdd7ri3o3DVN7pkRLHrGVxownFf5m0VTg26z+SEWw8
NVuJCQx//QjaASb1TixbAkAJojqfpDAw79FxFnyZiqERz+DOs2A4zEd3z9sQRG+x
YzKjYkVgNUG5JyVlZrh7xSNhgtw+U8IH7hx/p6RJ4+Ce
-----END RSA PRIVATE KEY-----
server [~]#
P.S. I just re-tested the whole procedure with 2.0.0.24 - and it didn't
complain at all - it's just Thunderbird 3.1 where I faced the issue the
very first time. weired.
Am 12.07.10 19:23, schrieb Daniel Petre:
> hey,
> check your dovecot.conf :
>
> "ssl_key_file = /etc/ssl/mail/mail.key"
>
> is that a pipe, a vertical sign after "mail.key" ?
>
>
>> Thanks for your reply.
>> What do you mean by "pipe"
>>
>> See, I can even connect via the console from the outside:
>>
>>
>> |Notebook [~]$ openssl s_client -CApath ~/.cert/XYZ.com/ -connect
>> XYZ.com:993
>> CONNECTED(00000003)
>> depth=0 /C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> i:/C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIC6TCCAlKgAwIBAgIJAN4Jfaj9QgEhMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
>> VQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJnMREwDwYDVQQHEwhO
>> ZXVicm9ubjEWMBQGA1UEChMNTmV0T2NlYW4gR21iSDETMBEGA1UECxMKV2ViSG9z
>> dGluZzEYMBYGA1UEAxMPc2VydmVyLm5ldG9jZWFuMSQwIgYJKoZIhvcNAQkBFhVh
>> ZG1pbkBzZXJ2ZXIubmV0b2NlYW4wHhcNMTAwNzExMTgwMzQ4WhcNMzAwNzA2MTgw
>> MzQ4WjCBqjELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVy
>> ZzERMA8GA1UEBxMITmV1YnJvbm4xFjAUBgNVBAoTDU5ldE9jZWFuIEdtYkgxEzAR
>> BgNVBAsTCldlYkhvc3RpbmcxGDAWBgNVBAMTD3NlcnZlci5uZXRvY2VhbjEkMCIG
>> CSqGSIb3DQEJARYVYWRtaW5Ac2VydmVyLm5ldG9jZWFuMIGfMA0GCSqGSIb3DQEB
>> AQUAA4GNADCBiQKBgQDFiBWAJ893Ocm4dooDHHkNRZcvC4N5qjfx1wywoS2DlnV4
>> GwBQPYcyewx5ptcjqq863r3rvHhbNeJbcnh8jNATTxto8r2NkadwccXw4LtqpfAS
>> A2dhuYt8zKhiI2tlfZNCzSzDmqid4NuxKiNQGNB6OU6/x2vp0ZFTwstIr7TMAwID
>> AQABoxUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAtlPa
>> GQ4Weyi9vlIDLL4PgGsNk4sR4Ca2gbYLTd5HaSkww+BKIfz1OkFEmsNozNSo19PJ
>> WaOp7exCN23j5Z/+qfZSGgUAelJHxRJ0Mc8YmtTuLKaNHxWYBJit3T3n1lbuFENe
>> vdh8oCo6GKjjm7RkbkEvTvdzrOdztXZt3Ij4gLE=
>> -----END CERTIFICATE-----
>> subject=/C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> issuer=/C=DE/ST=BW/L=City/O=HomeServer
>> GmbH/OU=WebHosting/CN=XYZ.com/emailAddress=admin at XYZ.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1313 bytes and written 325 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> 54DC3526DB721308D460CBAF21D562958D34ED146332F0B4ACBE9E1311633ED1
>> Session-ID-ctx:
>> Master-Key:
>> 1BCB1FA49855FC38ACB52C2CD8D54594C006116220D66FA0E74F68663AFE3FC09086B9
>> BFB1FE0E515681A2E0DC7C1AFC Key-Arg : None Start Time: 1278952607
>> Timeout : 300 (sec) Verify return code: 18 (self signed
>> certificate) --- * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-
>> REFERRALS ID ENABLE AUTH=CRAM-MD5] NetOcean MailSystem ^C Notebook
>> [~]$|
>>
>>
>> Am 12.07.10 19:11, schrieb Daniel Petre:
>>> dude, whats the pipe at the end of the mail.key location?
>>>
>>>> It's always the same when it fails ...
>>>>
>>>>
>>>> And this is how my dovecot.conf looks like:
>>>>
>>>> [...]
>>>>
>>>> |##
>>>> ## SSL settings
>>>> ##
>>>> ssl = yes
>>>> ssl_cert_file = /etc/ssl/mail/mail.cert
>>>> ssl_key_file = /etc/ssl/mail/mail.key|
>>>>
>>>> [...]
>>>>
>>>>
>>>> Thank you
More information about the dovecot
mailing list