[Dovecot] failing ssl authentication

Ivars Strazdiņš ivars.strazdins at gmail.com
Wed Mar 6 22:49:49 EET 2013


Hi,
I have a fairly basic dovecot 2.0.19 configuration on Ubuntu 12.04 LTS server with self signed certificates and "ssl = required" option set. It had been working for years flawlessly (including upgrade from 1.x to 2.0.19).
Please see full "dovecot -n" output at the end of this post.

Everything worked until recently, but newer mail user agents (MUAs) are now having problems. I cannot get past the account creation step; the MUA reports that there is some problem.
I tried to isolate the problem by testing various combinations of MUA and OS, but I am still unsure where the problem lies: in dovecot, in the self-signed certificates (in operation since 2003, expiring this summer), in the MUA, or in the operating system.
All tests done with IMAP.

For example,
Recent Thunderbird versions (>10) do not work at all on most OSes (tried Windows, Linux, OS X). Actually, v10 does not let me set up an account, but there is a way to get through by clicking the Advanced button; the account is then created in Thunderbird. After that everything works fine, and Thunderbird can even be upgraded to the latest version.

Windows Live Mail 2012 (former Outlook Express) works on Windows XP and Windows 7, but fails on Windows 8.
dovecot.log gets this:
2013-03-06 22:44:38 imap-login: Info: Disconnected (no auth attempts): rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: Disconnected

Outlook 2013 does not work in either Windows 7 or Windows 8.
Dovecot log for Outlook 2013 looks good, but Outlook complains.
2013-03-06 18:38:22 imap-login: Info: Login: user=<ivarss>, method=PLAIN, rip=x.x.x.x  lip=y.y.y.y, mpid=16801, TLS

I enabled verbose_ssl = yes in dovecot configuration, and all failing attempts produce this type of log 
2013-03-06 22:34:10 imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]

What does this mean? Is it a problem with a certificate on the client side, that is, in the MUA? If so, how could it be fixed?

Thanks for your time and patience!
Ivars

doveconf -n output:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-37-virtual x86_64 Ubuntu 12.04.2 LTS 
# NOTE(review): "doveconf -n" prints only settings that differ from the
# built-in defaults. Anything not listed below (for example cipher or
# client-certificate settings) is therefore at its default value.

# PLAIN and LOGIN both carry the password itself (only base64-encoded), so
# its confidentiality rests entirely on the TLS layer enforced by
# "ssl = required" further down.
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
# Logs failed authentication attempts and the reason for each failure.
auth_verbose = yes
default_process_limit = 300
info_log_path = /var/log/dovecot-info.log
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
# fsync is disabled for mail writes here; the lda and lmtp protocol sections
# below override this with "optimized".
mail_fsync = never
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
# Passwords are checked through PAM; presumably against the same system
# accounts that the passwd userdb below resolves - confirm in the PAM
# service file.
passdb {
 driver = pam
}
plugin {
 # antispam plugin, mailtrain backend: retrained messages are handed to the
 # external program named in antispam_mail_sendmail. That script is run by
 # mail processes, so its ownership and permissions deserve a review.
 antispam_backend = mailtrain
 antispam_mail_notspam = --ham
 antispam_mail_sendmail = /usr/local/sbin/antispam.sh
 # The address was redacted by the poster or the list archive ("at" in place
 # of "@"); the live value is not visible here.
 antispam_mail_sendmail_args = -f;%u at edited.domain
 antispam_mail_spam = --spam
 antispam_spam = junk
 antispam_trash = Trash
 autocreate = junk
 autocreate2 = Sent
 autocreate3 = Drafts
 autocreate4 = Trash
 autosubscribe = junk
 autosubscribe2 = Sent
 autosubscribe3 = Drafts
 autosubscribe4 = Trash
 fts = squat
 fts_squat = partial=4 full=10
 # NOTE(review): mail_log does not appear in any mail_plugins line in this
 # dump, so these two audit-logging settings may have no effect - confirm.
 mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
 mail_log_fields = from, subject, flags, uid, box, msgid, size
 sieve = ~/roundcube.sieve
 sieve_dir = ~/sieve
}
postmaster_address = postmaster
# IMAP, ManageSieve and POP3 are all offered; the tests described in the post
# covered IMAP only.
protocols = " imap sieve pop3"
service auth-worker {
 client_limit = 0
}
service auth {
 # Auth socket inside the Postfix spool, restricted to postfix:postfix with
 # mode 0660; presumably used for SMTP AUTH (SASL) - confirm in the Postfix
 # configuration.
 unix_listener /var/spool/postfix/private/dovecot-auth {
   group = postfix
   mode = 0660
   user = postfix
 }
 # Mode 0660 with group "musers": every member of that group can connect to
 # the auth master socket, so membership of the group should be kept tight.
 unix_listener auth-master {
   group = musers
   mode = 0660
   user = root
 }
 # The auth process runs as root; presumably required for the PAM passdb
 # above - confirm before changing.
 user = root
}
service imap {
 process_limit = 1024
}
service pop3 {
 process_limit = 1024
}
# TLS (implicit SSL or STARTTLS) must be established before any
# authentication is accepted. A misbehaving client can still transmit its
# password before STARTTLS; the server rejects the attempt, but the password
# has already crossed the network in the clear.
ssl = required
# The leading "<" makes Dovecot read the file's contents rather than treat
# the path as the value. Per the post this certificate is self-signed, so
# clients cannot validate it against a public CA and must trust it
# explicitly.
ssl_cert = </etc/ssl/private/server.crt
# Private key: should be readable by root only.
# NOTE(review): no ssl_verify_client_cert or auth_ssl_require_client_cert
# setting appears in this dump, so client certificates are presumably not
# requested by the server - confirm against the full configuration.
ssl_key = </etc/ssl/private/server.key
userdb {
 driver = passwd
}
# Directory trees under which a userdb-supplied chroot is accepted.
valid_chroot_dirs = /var/mail:/home
protocol lda {
 mail_fsync = optimized
 mail_plugins = " sieve"
}
protocol imap {
 imap_client_workarounds = tb-lsub-flags delay-newmail tb-extra-mailbox-sep
 # Per-user, per-source-IP connection cap for IMAP.
 mail_max_userip_connections = 20
 mail_plugins = " autocreate fts fts_squat antispam"
}
protocol pop3 {
 mail_plugins = " fts fts_squat"
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lmtp {
 mail_fsync = optimized
 mail_plugins = " sieve"
}
protocol sieve {
 managesieve_notify_capability = mailto
 managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
}

