[Dovecot] SSL cert problem
Peter von Nostrand
pvnostrand at gmail.com
Thu Jul 11 21:47:04 EEST 2013
Hi,
I'm running a fresh Dovecot 2.0.9 installation on CentOS 6.4 and I have an issue with
the SSL certificate not being accepted by the email client.
I run my own CA and have issued certificates for web servers with it without any
problem.
For IMAPS and POP3S I generated a certificate for the hostname of my Dovecot
server and then concatenated that certificate with the intermediate and root
CA certificates into a single file (the ssl_cert below). No matter what I do,
Thunderbird still rejects it with "Unknown identity".
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
# NOTE(review): this is "doveconf -n" output as pasted into the mail; the last
# "protocol pop3 {" section is cut off (no closing brace), so it is not the
# complete file.
# PLAIN and LOGIN both transmit the password as-is at the SASL layer; they are
# only safe once the connection is TLS-protected (see disable_plaintext_auth).
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %n
# SECURITY: "no" lets PLAIN/LOGIN be used on unencrypted connections as well
# (imap 143, pop3 110 and sieve 4190 before STARTTLS), so a client that skips
# or fails TLS can send credentials in the clear. Unless plaintext auth is
# intentionally wanted, set this to "yes" so plaintext mechanisms are only
# accepted after TLS is established.
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_fsync = never
mail_home = /vmail/%u
mail_location = maildir:~/Maildir
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
# Passwords are verified through PAM; user attributes come from LDAP (userdb
# below).
passdb {
driver = pam
}
plugin {
quota = maildir:User quota
quota_rule = *:storage=1G
quota_rule2 = Trash:storage=+100M
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth {
# SASL socket for Postfix; 0660 with user/group postfix limits access to the
# Postfix processes.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
# Userdb lookup socket for the delivery user.
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service lmtp {
unix_listener lmtp {
user = vmail
}
}
# No "ssl = yes" on this listener: ManageSieve on 4190 depends on STARTTLS,
# and with disable_plaintext_auth = no a client may authenticate without it.
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
# Implicit-TLS POP3 on 995. IMAPS (993) is not listed here, so the default
# imap-login listeners apply (the imap-login handshake is what the log shows).
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
}
# Server certificate followed by the intermediate CA(s), in one PEM file.
# Appending the private root CA here does NOT make a client trust it: a client
# that completes the handshake and then sends a fatal "certificate unknown"
# alert (TLS alert 46) is saying it does not recognise the issuer. The root CA
# certificate has to be imported into the client's own trust store
# (Thunderbird: Certificate Manager -> Authorities), and the certificate's
# CN / subjectAltName must match the hostname the client connects to.
ssl_cert = </etc/pki/dovecot/certs/mail.pem
# Private key; keep it root-owned and mode 0600 -- no other user needs to
# read it.
ssl_key = </etc/pki/dovecot/private/mail.example.com.key
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
# Logs one Warning line per TLS handshake step; useful for this debugging
# session, turn it off again afterwards.
verbose_ssl = yes
protocol lmtp {
mail_fsync = optimized
mail_plugins = sieve quota
}
protocol lda {
mail_plugins = sieve quota
}
protocol imap {
mail_plugins = quota imap_quota
}
# Truncated in the paste -- the closing brace of this section is missing.
protocol pop3 {
mail_plugins = quota
This is the log of one connection attempt (with verbose_ssl = yes):
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1:
before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1:
before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3
read client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read
client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
server hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
server done A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush
data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read
client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read
client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read
client key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read
finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
session ticket A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
change cipher spec A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write
finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush
data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x20, ret=1: SSL
negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4004, ret=558:
fatal certificate unknown [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4008, ret=256:
warning close notify [192.168.0.1]
Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts):
rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown: SSL alert number 46
Thx in advance
--
Peter