[Dovecot] SSL with startssl.com certificates
Dan Langille
dan at langille.org
Mon Sep 16 17:10:01 EEST 2013
On Sep 14, 2013, at 10:36 PM, Noel Butler wrote:
> On Sat, 2013-09-14 at 15:21 -0400, Dan Langille wrote:
>
>
>>>
>>
>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>>
>
>
> Well, it's likely an Apple fault, after all their implementation of pop3
> has been known to be broken for many many many years, but still after
> all these years are incapable of finding a developer to fix it by
> inserting a QUIT after it's done everything.
>
>
>>
>> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>
>
>
>> What is this… read client certificate? There is no client certification in this config.
>
>
>
> dovecot wants to know if your client wishes to authenticate using a
> local-to-client certificate, wouldn't focus too much on that
> (unless that client is trying to give a certificate that is invalid -
> not sure, I have never ever in 20 years, seen any client try to auth
> with a local certificate to a mail server)...
>
> is this just one user? or all using apple? is it you?
It is just me (I'm my only user).
Neither my Macbook nor my iPhone can use this IMAP server.
I got a colleague to try his iPhone; same problem there too.
> Have you/they tried simply using TLS on 143? (preferred as POP3s/IMAPs
> has really been deprecated everywhere for some time now)
For this test, I reconfigured the server to NOT use IMAPS and restarted it. Then I went
to my iPhone and turned off SSL for this mail account.
That configuration works for my iPhone.
# doveconf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    port = 0
  }
}
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
Looking via tcpdump, I can see that emails are indeed being downloaded in clear text.
I suppose that's not so big an issue, given they are delivered in plain text. But it would be better
to have the IMAP connection secured.
>
> a successful TLS login appears like (and this particular user I know
> uses an ipad) :
>
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [101.xx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [101.xxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [101.xxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [101.xxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [101.xxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxxx]
> Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [101.xxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [101.xxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [101.xxxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [101.xxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [101.xxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [101.xxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [101.xxxxxx]
> Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [101.xxxxx]
> Sep 15 12:09:45 imap-login: Info: Login: user<x at x>, method=PLAIN, rip=xxxxx, TLS
>
>
>
>> protocols = imap
>> service imap-login {
>> inet_listener imap {
>> port = 0
>> }
>> inet_listener imaps {
>> address = 199.233.228.197
>> }
>> }
>
> inet_listener imap {
>   port = 143    <-- use it for TLS, it's possible this is why it fails
>                    as it's falling back to TLS, I can't test that theory
> }                  since we all use android devices.
> inet_listener imaps {
>   port = 993
> }
>
> Anyway, the fact you said thunderbird works, indicates it is not a cert
> issue, and I fail to see a dovecot issue, have they tried another mail
> app?
I have not. That's a good test... I'm searching for a free mail client to test with now... failing...
--
Dan Langille - http://langille.org
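As an added example for reading the verbose_ssl output quoted in this thread (this is not code from the thread, from Dovecot, or from either poster), the Python script below parses Dovecot's per-connection SSL log lines and reports, per client address, how far the handshake got and whether a login followed. The sample log lines are constructed for the example, modelled on the two posters' output but with documentation-range addresses (192.0.2.x). The "where" value is decoded with OpenSSL's info-callback flag bits (SSL_ST_ACCEPT 0x2000, SSL_CB_LOOP 0x01, SSL_CB_EXIT 0x02, SSL_CB_HANDSHAKE_START 0x10, SSL_CB_HANDSHAKE_DONE 0x20), which is why "where=0x2002, ret=-1: SSLv3 read client certificate A" also appears in Noel's successful session: it is an accept-loop exit with ret=-1, OpenSSL pausing until the client sends its next message, and the parser counts it as a wait rather than an error. The "SSL failed" warning form, which has no ret= field, is assumed here to be emitted when the handshake call returned 0, so the parser reports it as the client closing the connection at that state (in Dan's case, after the server had sent its certificate and was waiting for the client's reply).

```python
import re
from collections import defaultdict

# Two line shapes from Dovecot's verbose_ssl logging: the Debug form carries
# "ret=", the Warning "SSL failed" form does not.
SSL_RE = re.compile(
    r"SSL( failed)?: where=(0x[0-9a-fA-F]+)(?:, ret=(-?\d+))?: (.+?) \[([^\]]+)\]$"
)
LOGIN_RE = re.compile(r"Login: user<[^>]*>, method=(\w+), rip=([^,\s]+)")

# OpenSSL info-callback bits that make up the "where" value.
SSL_CB_LOOP = 0x01
SSL_CB_EXIT = 0x02
SSL_CB_HANDSHAKE_START = 0x10
SSL_CB_HANDSHAKE_DONE = 0x20
SSL_ST_ACCEPT = 0x2000

# Constructed sample, modelled on the thread's log lines; addresses are placeholders.
SAMPLE_LOG = """\
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.10]
Sep 15 12:09:38 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.0.2.10]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.0.2.10]
Sep 15 12:09:45 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.0.2.10]
Sep 15 12:09:45 imap-login: Info: Login: user<alice@example.org>, method=PLAIN, rip=192.0.2.10, TLS
Sep 14 19:19:20 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.20]
Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.0.2.20]
"""


def describe_where(where):
    """Translate the hex 'where' value into the OpenSSL callback flags it carries."""
    bits = []
    if where & SSL_ST_ACCEPT:
        bits.append("server-side accept")
    if where & SSL_CB_LOOP:
        bits.append("state loop")
    if where & SSL_CB_EXIT:
        bits.append("exit")
    if where & SSL_CB_HANDSHAKE_START:
        bits.append("handshake start")
    if where & SSL_CB_HANDSHAKE_DONE:
        bits.append("handshake done")
    return ", ".join(bits) or "unknown"


def parse_line(line):
    """Return a dict for an SSL progress line, an 'SSL failed' line or a Login line, else None."""
    m = SSL_RE.search(line)
    if m:
        failed, where, ret, state, ip = m.groups()
        return {"kind": "failed" if failed else "ssl", "where": int(where, 16),
                "ret": None if ret is None else int(ret), "state": state, "ip": ip}
    m = LOGIN_RE.search(line)
    if m:
        return {"kind": "login", "method": m.group(1), "ip": m.group(2),
                "tls": re.search(r",\s*TLS\b", line) is not None}
    return None


def summarize(lines):
    """Group events by client address and classify each session's handshake outcome."""
    sessions = defaultdict(lambda: {"states": [], "waits": 0,
                                    "outcome": "incomplete", "login": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions[ev["ip"]]
        if ev["kind"] == "login":
            s["login"] = ev["method"] + (" over TLS" if ev["tls"] else " in cleartext")
            continue
        s["states"].append(ev["state"])
        if ev["kind"] == "failed":
            # Assumed: the warning form means the handshake call returned 0,
            # i.e. the peer closed the connection at this state.
            s["outcome"] = "client aborted at: " + ev["state"]
        elif ev["where"] & SSL_CB_EXIT and ev["ret"] == -1:
            # Accept loop exited only to wait for more data from the client.
            s["waits"] += 1
        elif ev["where"] & SSL_CB_HANDSHAKE_DONE:
            s["outcome"] = "handshake completed"
    return dict(sessions)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['outcome']} (last state: {s['states'][-1]}, "
              f"benign waits: {s['waits']}, login: {s['login']})")
```

Run against a real log (`doveadm log find` tells you where Dovecot writes it), the script separates the benign ret=-1 waits from a session that actually ended early, and the state named in "client aborted at" tells you which message the server was waiting for when the client left.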