Problem with TLS and Outlook 2010
Wayne Andersen
wayne.andersen at clima-tech.com
Thu Dec 11 23:06:30 UTC 2014
Dovecot 2.0.9
So I am trying to get my Outlook 2010 client to use TLS with Dovecot.
The Outlook error that I get is:
Log onto incoming mail server (IMAP): A secure connection to the server
cannot be established.
I have set the port to 143,993,995 none of them work, and the security to
TLS.
I have all of the certificates in the full chain installed on my machine and
when viewing them they all show This certificate is OK.
I have turned on Outlook logging and am seeing this:
C:\PROGRA~2\MICROS~2\Office14\OUTLMIME.DLLIMAP: 14:48:40 [db]
Intializing connection [131383B0]
IMAP: 14:48:40 [db] Setting internal codepage to 1200
IMAP: 14:48:40 [db] Connecting to 'mail.mydomain.com' on port 143.
IMAP: 14:48:40 [db] OnNotify: asOld = 0, asNew = 2, ae = 0
IMAP: 14:48:40 [db] srv_name = "mail.mydomain.com" srv_addr =
174.46.198.101:143
IMAP: 14:48:40 [db] OnNotify: asOld = 2, asNew = 3, ae = 1
IMAP: 14:48:40 [db] OnNotify: asOld = 3, asNew = 4, ae = 0
IMAP: 14:48:40 [db] OnNotify: asOld = 4, asNew = 5, ae = 2
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 4
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready. ß----- not seeing the STARTTLS
capability here.
IMAP: 14:48:40 [tx] sx59 CAPABILITY
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN
AUTH=LOGIN
IMAP: 14:48:40 [rx] sx59 OK Capability completed.
IMAP: 14:48:40 [db] ERROR: "A secure connection to the server cannot be
established.", hr=0x800CCCE1
IMAP: 14:48:40 [db] Connection to 'mail.mydomain.com' closed.
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 0, ae = 5
>From a windows 7 client if I do a telnet mail.mydomain.com 143 I get:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN]
Dovecot ready. ß--- do not see STARTTLS in the capability list.
Same windows client:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect mail.mydomain.com:993
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0000018C)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate ß--- Yes I see
this and it may be an issue, but this certificate exist and is valid.
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL
Wildcard/CN=*.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5169 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID:
281D21C81FA6E7656B9CA2BD13590DDE0094CC8FA43FFD31DFEEDEC74F2511BF
Session-ID-ctx:
Master-Key:
AF36CFDBBAA955270A48E2E9740F671299511DA1B3EEAFFAEC582E100DE519EC7CBC612ED686
DBBBFE06B9D6E535B837
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 1d 2a e7 fd 94 9d a2 84-90 52 32 2f e7 89 28 59
.*.......R2/..(Y
0010 - 12 d5 b3 56 0e a7 71 c4-84 53 01 ec 95 97 59 4e
...V..q..S....YN
0020 - ac 17 3f 3f dc b6 b0 db-0f 47 0c 88 5a c2 7b a7
..??.....G..Z.{.
0030 - d0 73 ff 19 ec 6f cd 67-d5 58 3e cd 91 eb 79 90
.s...o.g.X>...y.
0040 - 76 a9 d9 f2 17 dc da c4-bd ba 69 b4 11 c7 65 f9
v.........i...e.
0050 - 71 42 01 3b bd 6f a5 3a-9f 34 48 36 9e 31 4e 1c
qB.;.o.:.4H6.1N.
0060 - 93 24 75 7f 8a c6 7f 7a-4c cd 93 bd 92 4c 9d 7f
.$u....zL....L..
0070 - df 47 11 3e 93 11 73 8e-09 5c ef 85 e2 aa bc 77
.G.>..s..\.....w
0080 - eb 29 fa c6 30 5b 27 de-50 98 47 7b 55 f0 84 91
.)..0['.P.G{U...
0090 - 97 da 66 29 1c c9 7e 63-56 8b a7 80 57 4b 2f 2c
..f)..~cV...WK/,
Start Time: 1418336961
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
e logout
closed
>From a linux client I get :
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
I do see STARTTLS here.
>From a linux client:
openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN =
*.mydomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB
fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL
Wildcard/CN=*.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5169 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID:
8357FF1D37476EEF1BE64DE443EFFBBED9CE375EA8CA5F1C5ED628B52E723D8F
Session-ID-ctx:
Master-Key:
D6906D40FF47E7ED278AF4D0B143407A53955DA97365A09881EA0C68AAF3B879CB3136A7783B
18A46FD0A0634CBDC17D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - cb 06 13 9a c9 2a 67 b7-3d 5b 5b 33 3b fe 1e 2e
.....*g.=[[3;...
0010 - 18 73 2d ae 9e 4d f3 69-aa 13 ca 9c 07 94 73 cb
.s-..M.i......s.
0020 - 02 a2 74 c9 df 70 ed 1b-33 f8 fb cb 97 1d 12 f5
..t..p..3.......
0030 - 88 21 4e fd 7e be 69 b8-88 30 c9 99 70 f4 ea f3
.!N.~.i..0..p...
0040 - b0 90 c8 ab a6 f4 e5 37-c8 3e 4e 33 24 f9 cd 37
.......7.>N3$..7
0050 - f8 b0 8a 9a f3 44 39 27-e3 3d 96 3b ba a2 4e 85
.....D9'.=.;..N.
0060 - 77 5f a7 f7 6e 12 76 59-51 94 da 63 dd 99 cc 74
w_..n.vYQ..c...t
0070 - 1b 1b 1f 33 02 5f 3d ed-9a 57 e8 63 87 d4 8f d5
...3._=..W.c....
0080 - d5 fc 8c bf 89 4d 4d 91-bc 4f c7 67 79 c4 ec e9
.....MM..O.gy...
0090 - 47 68 0f 21 47 58 8a c9-10 a0 3b 46 e9 3b 08 cb
Gh.!GX....;F.;..
Start Time: 1418337012
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
e logout
closed
doveconf n | grep ssl
# 2.0.9: /etc/dovecot/dovecot.conf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
ssl_key = </etc/pki/dovecot/private/dovecot.key
More information about the dovecot
mailing list