[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Tue Sep 17 17:32:14 EEST 2013


On 2013-09-17 10:05, Reindl Harald wrote:
> On 17.09.2013 15:57, Dan Langille wrote:
> On 2013-09-17 09:26, Reindl Harald wrote:
> On 17.09.2013 15:01, Dan Langille wrote:
> On 2013-09-17 08:43, Reindl Harald wrote:
> On 17.09.2013 14:39, Dan Langille wrote:
> On 2013-09-16 20:28, Noel Butler wrote:
> Since we just ruled this one out, might I suggest you grab the source
> and build it, install it all under /opt/dovecot  that way it won't
> interfere with your ports installation and try that, the one you
> successfully just tested uses dovecot 2.1 not 2.2, so maybe try source
> of 2.1 and see if it works.
> 
> I just tried 2.1.16.  The iPhone has no trouble on 143 but on 993, it's 
> just like 2.2
> 
> But, if it does work on port 143 with TLS I wouldn't worry too much 
> about it
> 
> tcpdump is showing me raw text going past, so I know I'm not getting 
> TLS on either Dovecot 2.1 or 2.2
> 
> It seems that TLS is not supported by my client.  Pity.
> 
> iPhone is the worst mail client on this planet but for sure supports 
> TLS
> 
> Apple is here the same as Microsoft
> 
> * remove the account completely
> * add it again and it will detect that encryption is available
> 
> Done. But tcpdump is still showing me plain text.
> 
> and you surely have "ssl = yes" in your configuration?
> "dovecot -n" does not show it here too while it is there
> 
> I do.
> 
> "dovecot -n" does not show it here too while it is there
> 
> *what* says "telnet your-server 143"
> 
> $ telnet imaps.unixathome.org 143
> Trying 199.233.228.197...
> Connected to imaps.unixathome.org.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
> IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> 
> 
> if it is configured correctly you see "STARTTLS" in the capabilities
> if you do not see it then the problem is a completely different one
> 
> * OK [CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN
> SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE
> STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=LOGIN AUTH=PLAIN 
> AUTH=SCRAM-SHA-1]
> 
> may i suggest that you try a different mail client?
> pretty sure that this is one of the uncountable cases where Apple
> devices are failing

At present, I am using dovecot-1.2.17 on another server with a 
certificate from StartCom:

$ openssl s_client -connect nyi.unixathome.org:993 -quiet
depth=0 
/description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 
/description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 
/description=khACEsbS0LZ8es5F/C=US/CN=nyi.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=21:unable to verify the first certificate
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
AUTH=PLAIN] Dovecot ready.


The server which fails me is running 2.1.16 (was 2.2 before this 
morning)

$ openssl s_client -connect imaps.unixathome.org:993 -quiet
depth=0 
/description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 
/description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 
/description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
verify error:num=21:unable to verify the first certificate
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
IDLE AUTH=PLAIN] Dovecot ready.

Somewhere, somehow, there is something vastly different and not working.

-- 
Dan Langille - http://langille.org/
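
The capability check discussed in this thread (look for STARTTLS in the port 143 greeting), extended into a small audit; this is an added example, not part of the original post or of Dovecot. The two greetings are copied from the message above, `GREETING_STRICT` is a constructed sample, and the function names and finding codes are hypothetical.

```python
import re

# Greetings copied from the thread (line wraps kept as they appear).
GREETING_143 = """* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN] Dovecot ready."""
GREETING_993 = """* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN] Dovecot ready."""
# Constructed sample: cleartext greeting of a server that refuses logins before TLS.
GREETING_STRICT = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready."

CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}  # password is only base64-encoded


def capabilities(response):
    """Return the capability set from a greeting or an untagged CAPABILITY reply."""
    text = " ".join(response.split())  # undo terminal/e-mail line wrapping
    m = re.search(r"\[CAPABILITY ([^\]]+)\]|^\* CAPABILITY (.+)$", text, re.I)
    if not m:
        return set()
    return set((m.group(1) or m.group(2)).upper().split())


def audit(response, inside_tls):
    """List finding codes for one capability response.

    inside_tls=False: read on port 143 before STARTTLS (the telnet test).
    inside_tls=True: read through openssl s_client on 993, or after STARTTLS.
    """
    caps = capabilities(response)
    if not caps:
        return ["NO_CAPABILITY_DATA"]
    if inside_tls:
        # Already encrypted: the 993 greeting in the thread carries no STARTTLS,
        # and cleartext SASL mechanisms are protected by the TLS layer.
        return []
    findings = []
    if "STARTTLS" not in caps:
        findings.append("NO_STARTTLS")  # client cannot upgrade on this port
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN_ALLOWED_IN_CLEARTEXT")  # RFC 3501 LOGIN not refused
    if caps & CLEARTEXT_MECHS:
        findings.append("CLEARTEXT_SASL_ADVERTISED")
    return findings
```

For the port 143 greeting from the thread this returns `LOGIN_ALLOWED_IN_CLEARTEXT` and `CLEARTEXT_SASL_ADVERTISED`: STARTTLS is offered, but a client that never issues it can still authenticate in clear text. In Dovecot 2.1 and 2.2 the setting that governs this is `disable_plaintext_auth`.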

