[Dovecot] SSL with startssl.com certificates
Dan Langille
dan at langille.org
Tue Oct 8 15:59:55 EEST 2013
On 2013-10-07 13:57, Bruno Tréguier wrote:
> On 06/10/2013 at 22:42, Dan Langille wrote:
> After a long delay, I'm ready to tackle this again.
>
> [...]
> Testing via the command line gives:
>
> $ openssl s_client -connect imaps.unixathome.org:993
> CONNECTED(00000003)
> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
>
> Ok, this is fine, and different from the result you were getting a few
> weeks ago. Your cert chain is ok, it seems. The "errornum=19:self signed
> certificate in certificate chain" is a "normal" error, due to the fact
> that you didn't tell openssl where to find a list of valid root certs.
>
>
> All looks good.
>
> /var/log/maillog shows:
>
> Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>,
> method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS,
> session=<fYUwEhjoVgBib5Pc>
> Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out
> in=26 out=691
>
>
> I have Thunderbird working just fine on my Macbook.
>
> But my goal is mail.app on my iPhone and my Macbook. When they try to
> connect, the mail server logs are:
>
> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed:
> where=0x2002: SSLv3 read client certificate A [98.111.147.220]
> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth
> attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197,
> TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>
>
> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17
> installation. That's my current IMAP server. I'm moving to another
> server and failing so far.
>
> Suggestions to use another client app or platform will not be
> entertained, because, clearly, this works with dovecot 1.
>
> Well, sorry but no further suggestions as far as I'm concerned then,
> except that some people tend to think that mail.app is pretty crappy and
> behaves quite strangely in certain situations...

I have given up. As much as I'd like to solve this problem, I must move
on. I will resort to self-signed certificates.[1] I had hoped to
resolve the issue so that others can use the solution.

My thanks to those that have offered suggestions and help.

[1] - FYI, I am the only user of this IMAP server.

--
Dan Langille - http://langille.org/
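
Added example, not part of the original thread: a reproduction of the "verify error:num=19" result discussed above, using a throwaway three-level chain instead of the StartCom one. The CN values, file names and scratch directory are constructed for the demo; it assumes the `openssl` CLI with its default configuration file is installed.

```sh
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); all names are made up.
set -e

build_chain() {   # $1 = scratch directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root, then intermediate signed by root, then leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    # What a server would send besides its own certificate: intermediate plus root.
    cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

verify_code() {   # prints 0 if the chain validates, else OpenSSL's verify error number
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

demo=$(mktemp -d)
build_chain "$demo"
# No trust anchor named: the root is only untrusted chain material -> 19
echo "without -CAfile: $(verify_code -untrusted "$demo/chain.pem" "$demo/leaf.pem")"
# Root named as the trust anchor -> 0
echo "with -CAfile:    $(verify_code -CAfile "$demo/root.pem" -untrusted "$demo/int.pem" "$demo/leaf.pem")"
rm -rf "$demo"
```

With `openssl s_client`, the same trust anchor is supplied through `-CAfile` or `-CApath`.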