[Dovecot] SSL with startssl.com certificates

Noel Butler noel.butler at ausics.net
Sun Sep 15 05:36:04 EEST 2013


On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:


> >
> 
> Hmmm, I tried ssl = yes.  Mail.app still crashes when trying to connect.
> 


Well, it's likely an Apple fault, after all their implementation of POP3
has been known to be broken for many many many years, but still after
all these years they are incapable of finding a developer to fix it by
inserting a QUIT after it's done everything.


> 
> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]



> What is this… read client certificate?  There is no client certification in this config.



Dovecot wants to know if your client wishes to authenticate using a
local-to-client certificate, wouldn't focus too much on that
(unless that client is trying to give a certificate that is invalid -
not sure, I have never ever in 20 years seen any client try to auth
with a local certificate to a mail server)...

Is this just one user? Or all using Apple? Is it you?


Have you/they tried simply using TLS on 143?  (preferred, as POP3s/IMAPs
has really been deprecated everywhere for some time now)

A successful TLS login appears like (and this particular user I know
uses an iPad):

Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [101.xxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [101.xx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [101.xxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [101.xxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [101.xxxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [101.xxxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxxx]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [101.xxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [101.xxxxxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [101.xxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [101.xxxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [101.xxxxxx]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [101.xxxxx]
Sep 15 12:09:45 imap-login: Info: Login: user<x at x>, method=PLAIN, rip=xxxxx, TLS



> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }

        inet_listener imap {
                port = 143          # <-- use it for TLS, it's possible
                # this is why it fails, as it's falling back to TLS. I can't
                # test that theory since we all use Android devices.
        }
        inet_listener imaps {
                port = 993
        }

Anyway, the fact you said Thunderbird works indicates it is not a cert
issue, and I fail to see a Dovecot issue. Have they tried another mail
app?

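Added example, not part of the original message and not Dovecot code: the where= value in the log lines above is the bitmask OpenSSL hands to its info callback (0x2000 = SSL_ST_ACCEPT, 0x02 = SSL_CB_EXIT, and so on). This Python sketch decodes it and reports, per peer, whether the handshake finished and which state was logged last. The function names and the sample lines are constructed for illustration.

```python
import re

# Flag values passed to OpenSSL's info callback (openssl/ssl.h).
SSL_CB = {0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
          0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
          0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT"}

LINE_RE = re.compile(
    r"imap-login: (?P<level>Debug: SSL|Warning: SSL failed): "
    r"where=(?P<where>0x[0-9a-fA-F]+)(?:, ret=(?P<ret>-?\d+))?: "
    r"(?P<state>.+) \[(?P<peer>[^\]]+)\]\s*$")

def decode_where(where):
    """Split the 'where' bitmask into flag names, highest bit first."""
    return [name for bit, name in sorted(SSL_CB.items(), reverse=True)
            if where & bit]

def parse_line(line):
    """Return the fields of one Dovecot SSL log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"peer": m["peer"], "state": m["state"],
            "failed": m["level"].startswith("Warning"),
            "ret": int(m["ret"]) if m["ret"] is not None else None,
            "flags": decode_where(int(m["where"], 16))}

def summarize(lines):
    """Per peer: did the handshake finish, and what was the last state?"""
    out = {}
    for rec in filter(None, map(parse_line, lines)):
        s = out.setdefault(rec["peer"], {"done": False, "failed": False})
        s["done"] = s["done"] or "HANDSHAKE_DONE" in rec["flags"]
        s["failed"] = s["failed"] or rec["failed"]
        s["last_state"], s["last_flags"] = rec["state"], rec["flags"]
    return out

# Constructed sample modelled on the log lines in the thread; the peer
# addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.0.2.10]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.0.2.10]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.0.2.10]
Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [198.51.100.7]
""".splitlines()

if __name__ == "__main__":
    for peer, s in summarize(SAMPLE).items():
        print(peer, s)
```

In the successful trace the same "read client certificate A" state is logged with ret=-1 before the handshake completes, so the state name on its own does not show that a client certificate was requested.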