[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Sat Sep 14 22:30:30 EEST 2013


On Sep 14, 2013, at 3:28 PM, Daniel Reinhardt wrote:

> Are you getting asked to add an exception to the email applications
> certificate dialogue box?
> 
> This is an example with Thunderbird.
> 
> http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

No, it never gets to that point.  Mail.app crashes right after I start it.

I am able to access this IMAP server with Thunderbird.

> 
> Dan
> 
> 
> On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille <dan at langille.org> wrote:
> 
>> 
>> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>> 
>>> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
>>> 
>>> 
>>>> Perhaps I am doing the chain incorrectly.  I just tried again.  The
>>>> server is now set up with the following:
>>>> 
>>>> I have three certs in this chain file:
>>>> 
>>>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem >
>>>> testing.chain.pem
>>>> 
>>>> 1 - the certificate issued by startssl for my server
>>>> 2 & 3 - the PEM files for StartSSL as found at
>>>> http://www.startssl.com/certs/
>>>> 
>>> 
>>> 
>>> That is the correct chain method, and order
>>> 
>>> 
>>>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>>>> Signing/CN=StartCom Certification Authority
>>>> verify error:num=19:self signed certificate in certificate chain
>>> 
>>> 
>>> 
>>> Never panic about the above, it is just indicating (rightly so) you
>>> have a local certificate (the first) in your chain.
>>> 
>>> 
>>>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>>>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>>> 
>>> correct method, so long as the cert and key files are named correctly
>>> and in the right location.
>>> 
>>> 
>>>> ssl = required
>>> 
>>> Bit dangerous... and may be the cause of your problems, change to:
>>> ssl = yes
>>> 
>>> 
>>> We use startssl and have many android, blackberry, and iphone users
>>> (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop
>>> types and never had any problems with them using startssl
>> 
>> Hmmm, I tried ssl = yes.  Mail.app still crashes when trying to connect.
>> 
>> I also try the cert bundle mentioned by Johan.
>> 
>> The server says:
>> 
>> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed:
>> where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts
>> in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS
>> handshaking: Disconnected, session=<8+862VzmPwCtMcPW>
>> 
>> What is this… read client certificate?  There is no client certification
>> in this config.
>> 
>> : doveconf -n
>> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 9.1-RELEASE-p6 amd64
>> auth_debug = yes
>> auth_verbose = yes
>> first_valid_gid = 1001
>> first_valid_uid = 1001
>> mail_debug = yes
>> mail_location = maildir:~/Maildir
>> mail_privileged_group = mail
>> passdb {
>>  args = scheme=BLF-CRYPT /var/db/dovecot.users
>>  driver = passwd-file
>> }
>> protocols = imap
>> service imap-login {
>>  inet_listener imap {
>>    port = 0
>>  }
>>  inet_listener imaps {
>>    address = 199.233.228.197
>>  }
>> }
>> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>> userdb {
>>  args = /var/db/dovecot.users
>>  driver = passwd-file
>> }
>> verbose_proctitle = yes
>> verbose_ssl = yes
>> protocol imap {
>>  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
>> }
>> 
>> 
>> --
>> Dan Langille - http://langille.org
>> 
>> 
> 
> 
> -- 
> Daniel Reinhardt
> cryptodan at cryptodan.net
> http://www.cryptodan.net
> 301-875-7018(c)
> 410-455-0488(h)

-- 
Dan Langille - http://langille.org
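The thread builds the ssl_cert chain file by concatenating the server certificate and the StartSSL PEM files, and then reads a "verify error:num=19:self signed certificate in certificate chain" from s_client. The script below is an added example, not code from the thread or from Dovecot: it checks that such a chain file is ordered server cert, then intermediate(s), then (optionally) a self-signed root, and that the ssl_key file belongs to the first certificate. It assumes the openssl command-line tool is installed; the file names in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added helper (not from the thread): verify the order of a Dovecot ssl_cert
# chain file and that the ssl_key matches its first certificate.
# Usage: check_chain testing.chain.pem imaps.unixathome.org.nopassword.key
check_chain() {
    chain="$1"; key="$2"
    workdir=$(mktemp -d) || return 2
    # split the concatenated PEM into one file per certificate: cert1.pem, cert2.pem, ...
    awk -v d="$workdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$chain"
    n=$(ls "$workdir"/cert*.pem | wc -l | tr -d ' ')
    i=1; rc=0
    while [ "$i" -le "$n" ]; do
        f="$workdir/cert$i.pem"
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" | sed 's/^issuer= *//')
        echo "cert $i: subject=$subj"
        echo "        issuer=$iss"
        if [ "$i" -lt "$n" ]; then
            # the issuer of each certificate must be the subject of the next one in the file
            nextf="$workdir/cert$((i+1)).pem"
            nextsubj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$nextf" | sed 's/^subject= *//')
            if [ "$iss" != "$nextsubj" ]; then
                echo "ORDER ERROR: cert $i is not issued by cert $((i+1))" >&2; rc=1
            fi
        elif [ "$subj" = "$iss" ]; then
            # a self-signed root at the end is harmless; it is also why 's_client' without
            # -CAfile reports 'verify error:num=19:self signed certificate in certificate chain'
            echo "cert $i is a self-signed root (optional in the chain file)"
        fi
        i=$((i+1))
    done
    # the private key must belong to the first (server) certificate, not to an intermediate
    certpub=$(openssl x509 -noout -pubkey -in "$workdir/cert1.pem")
    keypub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ "$certpub" != "$keypub" ]; then
        echo "KEY ERROR: $key does not match the first certificate in $chain" >&2; rc=1
    fi
    rm -rf "$workdir"
    return $rc
}
```

A non-zero exit means the file would not work as ssl_cert as written; the printed subject/issuer lines show which certificate is out of place.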


