[Dovecot] failing ssl authentication
Ivars Strazdiņš
ivars.strazdins at gmail.com
Wed Mar 6 22:49:49 EET 2013
Hi,
I have a fairly basic dovecot 2.0.19 configuration on an Ubuntu 12.04 LTS server with self-signed certificates and the "ssl = required" option set. It had been working flawlessly for years (including the upgrade from 1.x to 2.0.19).
Please see full "dovecot -n" output at the end of this post.
Recently, new mail user agents (MUAs) have been having problems. I cannot get past the account creation step; the MUA says that there is some problem.
I tried to isolate the problem and did some testing with various combinations of MUA and OS, and I am still confused about where the problem is: in dovecot, the self-signed certificates (in operation since 2003, expire this summer), the MUA, or the operating system.
All tests done with IMAP.
For example,
Recent Thunderbird versions (>10) do not work at all on most OSes (tried Windows, Linux, OS X). Actually, v10 does not let me set up an account, but there is a way to get through by clicking on the Advanced button. Then the account in Thunderbird is created. After that all works fine and Thunderbird can even be upgraded to the latest version.
Windows Live Mail 2012 (former Outlook Express) works on Windows XP and Windows 7, but fails on Windows 8.
dovecot.log gets this:
2013-03-06 22:44:38 imap-login: Info: Disconnected (no auth attempts): rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: Disconnected
Outlook 2013 does not work on either Windows 7 or Windows 8.
The dovecot log for Outlook 2013 looks good, but Outlook complains:
2013-03-06 18:38:22 imap-login: Info: Login: user=<ivarss>, method=PLAIN, rip=x.x.x.x lip=y.y.y.y, mpid=16801, TLS
I enabled verbose_ssl = yes in the dovecot configuration, and all failing attempts produce this type of log entry:
2013-03-06 22:34:10 imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]
What does this mean: a problem with the certificate on the client side, that is, in the MUA? How could this be cured then?
Thanks for your time and patience!
Ivars
doveconf -n output:
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-37-virtual x86_64 Ubuntu 12.04.2 LTS
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_verbose = yes
default_process_limit = 300
info_log_path = /var/log/dovecot-info.log
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_fsync = never
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
driver = pam
}
plugin {
antispam_backend = mailtrain
antispam_mail_notspam = --ham
antispam_mail_sendmail = /usr/local/sbin/antispam.sh
antispam_mail_sendmail_args = -f;%u at edited.domain
antispam_mail_spam = --spam
antispam_spam = junk
antispam_trash = Trash
autocreate = junk
autocreate2 = Sent
autocreate3 = Drafts
autocreate4 = Trash
autosubscribe = junk
autosubscribe2 = Sent
autosubscribe3 = Drafts
autosubscribe4 = Trash
fts = squat
fts_squat = partial=4 full=10
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
mail_log_fields = from, subject, flags, uid, box, msgid, size
sieve = ~/roundcube.sieve
sieve_dir = ~/sieve
}
postmaster_address = postmaster
protocols = " imap sieve pop3"
service auth-worker {
client_limit = 0
}
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = musers
mode = 0660
user = root
}
user = root
}
service imap {
process_limit = 1024
}
service pop3 {
process_limit = 1024
}
ssl = required
ssl_cert = </etc/ssl/private/server.crt
ssl_key = </etc/ssl/private/server.key
userdb {
driver = passwd
}
valid_chroot_dirs = /var/mail:/home
protocol lda {
mail_fsync = optimized
mail_plugins = " sieve"
}
protocol imap {
imap_client_workarounds = tb-lsub-flags delay-newmail tb-extra-mailbox-sep
mail_max_userip_connections = 20
mail_plugins = " autocreate fts fts_squat antispam"
}
protocol pop3 {
mail_plugins = " fts fts_squat"
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lmtp {
mail_fsync = optimized
mail_plugins = " sieve"
}
protocol sieve {
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
}
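A small triage helper for the dovecot.log lines quoted above, added here as an example and not part of the original post or of Dovecot itself. It groups imap-login events per client IP so that clients which keep dropping during "TLS handshaking" (and never reach a Login line) stand out next to clients that log in fine; the sample log text and its 192.0.2.x / 198.51.100.x addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dovecot.log lines quoted in the post.
# Addresses are documentation-range placeholders, not real clients.
SAMPLE_LOG = """\
2013-03-06 22:44:38 imap-login: Info: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: Disconnected
2013-03-06 22:34:10 imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.0.2.10]
2013-03-06 18:38:22 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.20 lip=198.51.100.5, mpid=16801, TLS
2013-03-06 22:50:01 imap-login: Info: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: Disconnected
"""

LINE_RE = re.compile(r"^(\S+ \S+) imap-login: (Info|Warning): (.*)$")
RIP_RE = re.compile(r"rip=([0-9a-fA-F.:]+)")          # "rip=" may be followed by "," or a space
SSL_RE = re.compile(r"SSL failed: where=0x[0-9a-f]+: (.+?) \[([0-9a-fA-F.:]+)\]")

def classify(line):
    """Return (client_ip, event) for an imap-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group(3)
    s = SSL_RE.search(msg)
    if s:
        # verbose_ssl warning: keep the handshake state the library was in when it failed
        return s.group(2), "ssl:" + s.group(1)
    r = RIP_RE.search(msg)
    if not r:
        return None
    ip = r.group(1)
    if msg.startswith("Login:"):
        return ip, "login_ok"
    if "TLS handshaking" in msg:
        return ip, "tls_handshake_failed"
    return ip, "other"

def summarize(log_text):
    """Per client IP, a count of each event kind seen in the log text."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        res = classify(line)
        if res:
            ip, event = res
            summary[ip][event] += 1
    return {ip: dict(events) for ip, events in summary.items()}

def handshake_only_clients(log_text):
    """IPs that failed during the TLS handshake and never completed a login."""
    return sorted(ip for ip, ev in summarize(log_text).items()
                  if "tls_handshake_failed" in ev and "login_ok" not in ev)
```

Run it against the real dovecot.log (with verbose_ssl = yes) to see which client addresses only ever appear with handshake failures; those are the MUAs whose TLS stack rejects something about the server's certificate or handshake, as opposed to an authentication problem.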