LMTP SSL
Piotr Rotter
piotr.rotter at active24.pl
Mon Jul 27 15:13:54 UTC 2015
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.18.9-hardened x86_64 Gentoo Base System release 2.2
# Global settings from the poster's `doveconf -n` dump (only non-default values are listed).
# Challenge-response mechanisms (digest-md5, cram-md5, ntlm, apop) generally need the
# passdb to hold plaintext or mechanism-specific password data rather than a salted
# one-way hash. NOTE(review): the SQL password scheme is not shown here - confirm
# these mechanisms are really required before keeping them enabled.
auth_mechanisms = plain login digest-md5 cram-md5 ntlm apop
# Logs failed authentication attempts together with the reason.
auth_verbose = yes
default_client_limit = 10000
default_process_limit = 1000
default_vsz_limit = 512 M
deliver_log_format = from=%f, msgid=%m, psize=%p: %$
# Permits PLAIN/LOGIN authentication on connections that are not protected by TLS.
# NOTE(review): no `ssl = required` appears in this dump, so clients are presumably
# not forced onto TLS - confirm.
disable_plaintext_auth = no
dotlock_use_excl = no
# NOTE(review): this is a live secret published in a public mailing-list post.
# Treat it as compromised, rotate it, and redact such values before sharing
# doveconf output.
doveadm_password = yjH5KiEpCWAVLHtt
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Active24 Sp. z o.o.
# The value below continues on the following line (it appears to have been wrapped
# by the mail client); in the real configuration it is a single line.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %k
session=<%{session}>
# Clients connecting from this range are treated as trusted: plaintext
# authentication is accepted from them and they may pass on the original client IP
# (proxy/webmail use). Keep the range as narrow as the deployment allows.
login_trusted_networks = 192.168.67.0/27
mail_access_groups = vmail
mail_fsync = always
# All mailboxes are accessed under one shared uid/gid (502), so separation between
# users rests on Dovecot itself rather than on filesystem ownership.
mail_gid = 502
mail_location = maildir:~/
mail_log_prefix = "%s(%u) session=<%{session}>: "
mail_plugins = mail_log notify quota
mail_uid = 502
maildir_very_dirty_syncs = yes
mmap_disable = yes
# Namespace that holds INBOX (inbox = yes) with an empty prefix and location.
# Each mailbox below is created and subscribed automatically (auto = subscribe)
# and tagged with the matching special-use flag.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
# The folder is named "Spam" but advertised to clients as \Junk.
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Password lookups go through the SQL driver, configured in the external file below.
# NOTE(review): that file is not shown; it presumably holds the database connection
# credentials and the password query, so it should be readable only by the Dovecot
# auth process - confirm its ownership and mode.
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
# Plugin settings: folder autosubscription, mail_log event logging, maildir quota
# rules with warning thresholds, and the global Sieve script path.
plugin {
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent
autosubscribe4 = Drafts
# The event list continues on the next line (wrapped in the mail); "append" is
# listed twice there.
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename append append
mail_log_fields = box msgid from size
quota = maildir
quota2 = maildir:user quota
# Default limits of 10GB / 10000 messages; Trash gets an extra 10M / 100 messages.
quota_rule = *:storage=10GB
quota_rule2 = *:messages=10000
quota_rule3 = Trash:storage=+10M
quota_rule4 = Trash:messages=+100
# At 80/90/100 percent storage use the quota-warning service is called with the
# threshold and the username (%u); "%%" is an escaped literal percent sign.
# NOTE(review): the script behind that service should handle the username as
# untrusted input - the script itself is not shown.
quota_warning = storage=80%% quota-warning 80 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=100%% quota-warning 100 %u
sieve_global_path = /etc/dovecot/sieve/default.sieve
}
# Program Dovecot runs to submit mail it generates itself (for example Sieve
# redirects and rejections).
# NOTE(review): this points at the postfix binary rather than a sendmail-compatible
# command - confirm that this is intended.
sendmail_path = /usr/sbin/postfix
# Authentication service: one socket for Postfix SASL inside the Postfix spool
# and the auth-userdb socket for vmail.
service auth {
client_limit = 20000
# NOTE(review): mode 0666 lets any local account that can reach this path talk to
# the auth service. The socket is already owned by postfix:postfix, so 0660 should
# be enough for Postfix; the permissions of the parent directory are not shown -
# confirm and tighten.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
# Userdb lookups are limited to the vmail user (mode 0600).
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
}
# Administrative doveadm service exposed on a UNIX socket.
# NOTE(review): mode 0666 makes the socket connectable by every local account.
# Whether any further authentication applies on this socket is not visible in this
# dump - confirm, and restrict the mode/owner to the accounts that need it.
service doveadm {
unix_listener doveadm-server {
mode = 0666
}
}
# IMAP login (pre-authentication) processes.
# service_count = 1000 lets one login process serve many connections before it
# exits; this trades the per-connection isolation of service_count = 1 for
# throughput.
service imap-login {
process_limit = 4096
process_min_avail = 6
service_count = 1000
}
# Post-login IMAP processes; each one is reused for up to 100 connections
# (service_count) and at least 6 are kept available.
service imap {
process_limit = 4096
process_min_avail = 6
service_count = 100
}
# LMTP delivery service, running as vmail and listening on TCP port 24 with
# ssl = yes on the listener.
service lmtp {
# NOTE(review): 0.0.0.0 binds every IPv4 interface. No client authentication for
# LMTP is configured in this dump, so reachability is presumably limited only by
# network filtering - confirm, or bind to the address Postfix actually uses.
inet_listener lmtp {
address = 0.0.0.0
port = 24
ssl = yes
}
process_limit = 100
process_min_avail = 5
user = vmail
}
# POP3 login (pre-authentication) processes, with the same limits as imap-login.
# service_count = 1000 means a login process handles many connections rather than
# one connection per process.
service pop3-login {
process_limit = 4096
process_min_avail = 6
service_count = 1000
}
# Post-login POP3 processes; each one is reused for up to 100 connections.
service pop3 {
process_limit = 4096
process_min_avail = 6
service_count = 100
}
# Service that runs the external quota-warning script as vmail; it is the target of
# the quota_warning* plugin settings.
service quota-warning {
executable = script /opt/bin/quota-warning
# Only the vmail user may connect to trigger the script (mode 0600).
unix_listener quota-warning {
mode = 0600
user = vmail
}
user = vmail
}
# TLS material for the server. The leading "<" makes Dovecot read the value from
# the named file.
# NOTE(review): in Dovecot, ssl_ca is the CA list for verifying client certificates;
# the server's intermediate certificates belong in the ssl_cert file, after the
# server certificate. The symptom in this thread (LMTP presents only the depth=0
# certificate while IMAP presents the full chain) is consistent with the chain being
# supplied only through ssl_ca - confirm by checking what the .crt file contains.
ssl_ca = </etc/ssl/mail.active24.pl/mail.active24.pl.ca
ssl_cert = </etc/ssl/mail.active24.pl/mail.active24.pl.crt
# Private key file; it should be readable only by root / the Dovecot processes that load it.
ssl_key = </etc/ssl/mail.active24.pl/mail.active24.pl.key
# TLS compression is disabled and the server's cipher order takes precedence.
# No ssl_protocols or ssl_cipher_list override appears in this dump, so the
# 2.2.16 defaults presumably apply - confirm they meet current policy.
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
# User lookups use the same SQL configuration file as the passdb.
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
# Puts extra detail (user name and IP address) into process titles, which local
# users can see in `ps` output.
verbose_proctitle = yes
# LMTP-specific overrides: quota and sieve are the plugins loaded for deliveries,
# and logging uses the "mail" syslog facility.
protocol lmtp {
mail_plugins = quota sieve
syslog_facility = mail
}
# LDA-specific overrides: both log paths are set to empty values and the syslog
# facility is "mail".
# NOTE(review): presumably delivery logs therefore go to syslog - confirm.
protocol lda {
info_log_path =
log_path =
mail_plugins = sieve quota
syslog_facility = mail
}
# IMAP-specific overrides: up to 50 concurrent connections per user and IP, with
# imap_quota added to the global plugin list.
protocol imap {
mail_max_userip_connections = 50
mail_plugins = mail_log notify quota imap_quota
}
# POP3-specific overrides. "quota" is listed twice in mail_plugins.
protocol pop3 {
mail_plugins = mail_log notify quota quota
# The logout format continues on the next line (wrapped in the mail).
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s,
in=%i, out=%o
pop3_save_uidl = yes
}
W dniu 27.07.2015 o 15:03, Steffen Kaiser pisze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 27 Jul 2015, Piotr Rotter wrote:
>
>> I tryed to eneble TLS connection from postfix to dovecot lmtp.
>> Unfortunely I have problem with certificate, postfix shows,
>
> post the output of doveconf -n
>
>>
>> 2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS
>> connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2
>> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> I checked certs by openssl s_client:
>> #openssl s_client -connect localhost:24 -showcerts -starttls smtp
>> -CApath /etc/ssl/certs/
>>
>> And I gets
>>
>> didn't found starttls in server response, try anyway...
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>>
>> It look likes dovecot lmtp send 3 times the same certificate.
>> I made the same test for imap in the same dovecot instance:
>>
>> #openssl s_client -connect localhost:143 -showcerts -starttls imap
>> -CApath /etc/ssl/certs/
>> CONNECTED(00000003)
>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>> verify return:1
>> depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify return:1
>>
>> For imap it looks ok. Why lmtp shows wrong certs list
>>
>> # dovecot --version
>> 2.2.16
>>
>>
>
> - -- Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEVAwUBVbYsIXz1H7kL/d9rAQIDbgf/UTzRhj6ZiiuknCHjmmFRwdbTk+qclXbo
> vo2XtuH6V3WcuBoHwRedOiTuGH5g8WO2A+tl9wSSSvtw9TWurt2lLMfUsemWO4r4
> zv7SwkTn2CVCIbZmC/3D1kqXHm08fuSo9Vn5/tgfgdOFwt5r4VfNkkp+zm72wFWT
> o6uzL+EXSGEqnm/R1hFdC9cDZqKuzQ3MK+8qasoCPgMAr4svN0lwdi+yATaxzjgj
> MviyKpdtQmA9gKRfLhptVcIP17rRNkoZKCS/Eboy6g/Rjf8c4C4Hn7lUbnx+kCVe
> Xk4Z2cmlPhl17iyvzo8Tvyeuu/gxDEXfa/xgwRGhp0xx3c+WBOrJSg==
> =a+SK
> -----END PGP SIGNATURE-----
--
Best regards!
Piotr Rotter