LMTP SSL

Piotr Rotter piotr.rotter at active24.pl
Mon Jul 27 15:13:54 UTC 2015


# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.18.9-hardened x86_64 Gentoo Base System release 2.2
# doveconf -n output: only settings that differ from the built-in defaults are listed.
# NOTE(review): the challenge-response mechanisms (digest-md5, cram-md5, apop, ntlm)
# can only succeed if the SQL passdb returns the password in plaintext or in the
# matching scheme-specific hash — verify against dovecot-sql.conf.ext.
auth_mechanisms = plain login digest-md5 cram-md5 ntlm apop
# Logs failed/rejected authentication attempts (usernames, not passwords).
auth_verbose = yes
default_client_limit = 10000
default_process_limit = 1000
default_vsz_limit = 512 M
deliver_log_format = from=%f, msgid=%m, psize=%p: %$
# SECURITY: plain/login are accepted on unencrypted connections. A certificate is
# configured below (ssl_cert/ssl_key); setting this to "yes" requires TLS (or a
# login_trusted_networks source) before credentials are sent.
disable_plaintext_auth = no
dotlock_use_excl = no
# SECURITY: this is a live credential pasted verbatim into a public mailing-list
# post. Rotate it, and strip doveadm_password (and anything pointing at passdb/
# userdb credentials) from doveconf -n output before sharing. It is also the only
# gate on the doveadm-server socket configured further down.
doveadm_password = yjH5KiEpCWAVLHtt
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Active24 Sp. z o.o.
# The value below was wrapped by the mail client; in the real file it is one line.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %k 
session=<%{session}>
# Connections from this range are treated as trusted proxies: the forwarded client
# IP is honoured and the plaintext-auth restriction is relaxed. Keep it to the
# actual proxy/MTA hosts; the Postfix host in the thread (192.168.67.30) is inside it.
login_trusted_networks = 192.168.67.0/27
# All mail is owned by a single uid/gid (502, presumably the vmail account).
mail_access_groups = vmail
mail_fsync = always
mail_gid = 502
mail_location = maildir:~/
mail_log_prefix = "%s(%u) session=<%{session}>: "
# Global plugin list; note the protocol sections below replace rather than extend it.
mail_plugins = mail_log notify quota
mail_uid = 502
maildir_very_dirty_syncs = yes
mmap_disable = yes
# Primary namespace holding the user's INBOX. location is empty, so the global
# mail_location (maildir:~/) applies. The four special-use folders are created
# and subscribed automatically (auto = subscribe).
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox Spam {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   prefix =
}
# Password lookups via SQL. The DSN, database credentials and password_query live
# in the referenced file (not shown here). NOTE(review): the password scheme
# stored there decides which of the auth_mechanisms above can actually work.
passdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
}
plugin {
   # autosubscribe settings — but "autosubscribe" is not in any mail_plugins
   # list in this config, so these look inert; the namespace's auto = subscribe
   # already covers the same four folders.
   autosubscribe = Trash
   autosubscribe2 = Spam
   autosubscribe3 = Sent
   autosubscribe4 = Drafts
   # Events logged by the mail_log plugin. The value was wrapped by the mail
   # client; "append" is listed twice, which is harmless.
   mail_log_events = delete undelete expunge copy mailbox_delete 
mailbox_rename append append
   mail_log_fields = box msgid from size
   # Maildir++ quota: 10 GB / 10000 messages per user, plus a small allowance on
   # Trash so that deletes can still move mail there when the quota is reached.
   quota = maildir
   quota2 = maildir:user quota
   quota_rule = *:storage=10GB
   quota_rule2 = *:messages=10000
   quota_rule3 = Trash:storage=+10M
   quota_rule4 = Trash:messages=+100
   # Each threshold invokes the quota-warning service (defined below) with the
   # percentage and the username. NOTE(review): %u should reach the script as an
   # argument, not via a shell; the script itself must not re-interpolate it
   # into a shell command.
   quota_warning = storage=80%% quota-warning 80 %u
   quota_warning2 = storage=90%% quota-warning 90 %u
   quota_warning3 = storage=100%% quota-warning 100 %u
   # Global Sieve script applied when the user has none of their own.
   sieve_global_path = /etc/dovecot/sieve/default.sieve
}
# NOTE(review): /usr/sbin/postfix is Postfix's control command, not a
# sendmail-compatible submission binary; Sieve redirects/vacation replies and
# bounces that go through sendmail_path will most likely fail. The usual value
# is /usr/sbin/sendmail — confirm on the host.
sendmail_path = /usr/sbin/postfix
service auth {
   client_limit = 20000
   # SASL socket for Postfix smtpd, placed under the Postfix queue directory.
   # It is already owned by postfix:postfix, so 0660 is sufficient; 0666 lets
   # any local account talk to the auth service.
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   # userdb lookups, reachable only by the vmail delivery user.
   unix_listener auth-userdb {
     group = vmail
     mode = 0600
     user = vmail
   }
}
# SECURITY: 0666 lets every local account connect to doveadm-server; the only
# remaining check is doveadm_password (set above — and disclosed in this post).
# Restrict with user/group and a tighter mode unless host-wide access is intended.
service doveadm {
   unix_listener doveadm-server {
     mode = 0666
   }
}
# Pre-authentication IMAP processes. service_count = 1000 reuses each login
# process for many connections (throughput mode); Dovecot's high-security mode
# uses service_count = 1 so a compromised login process only ever served one
# client. Presumably a deliberate trade-off here.
service imap-login {
   process_limit = 4096
   process_min_avail = 6
   service_count = 1000
}
# Post-login IMAP processes; each is reused for up to 100 sessions before exiting.
service imap {
   process_limit = 4096
   process_min_avail = 6
   service_count = 100
}
service lmtp {
   # SECURITY: binds every interface on TCP/24, and LMTP performs no
   # authentication. The Postfix client in this thread is 192.168.67.30, so
   # bind to the internal address (or firewall the port) instead of 0.0.0.0.
   # NOTE(review): "ssl = yes" on an inet_listener normally means TLS from
   # connect rather than STARTTLS, while the Postfix lmtp client only does
   # STARTTLS — confirm which mode Dovecot 2.2 applies to the LMTP listener.
   inet_listener lmtp {
     address = 0.0.0.0
     port = 24
     ssl = yes
   }
   process_limit = 100
   process_min_avail = 5
   # Delivery runs as the mailbox owner, not root.
   user = vmail
}
# Pre-authentication POP3 processes; same reuse trade-off as imap-login
# (service_count = 1000 rather than the one-connection-per-process high-security mode).
service pop3-login {
   process_limit = 4096
   process_min_avail = 6
   service_count = 1000
}
# Post-login POP3 processes; each is reused for up to 100 sessions before exiting.
service pop3 {
   process_limit = 4096
   process_min_avail = 6
   service_count = 100
}
# Runs /opt/bin/quota-warning as vmail whenever a quota_warning threshold in the
# plugin section is crossed. The socket is 0600 and vmail-owned, so only the
# mail processes (mail_uid 502, presumably vmail) can trigger it.
service quota-warning {
   executable = script /opt/bin/quota-warning
   unix_listener quota-warning {
     mode = 0600
     user = vmail
   }
   user = vmail
}
# Server certificate shared by every TLS listener (imap, pop3, lmtp) — no protocol
# section overrides it. NOTE(review): ssl_ca is used to verify *client*
# certificates; it does not add intermediates to the chain the server presents.
# Intermediates belong appended after the leaf in the ssl_cert file — the IMAP
# probe in the thread shows a full chain, so that file presumably has them.
# "<" reads the files at startup; the key file should be readable by root only.
ssl_ca = </etc/ssl/mail.active24.pl/mail.active24.pl.ca
ssl_cert = </etc/ssl/mail.active24.pl/mail.active24.pl.crt
ssl_key = </etc/ssl/mail.active24.pl/mail.active24.pl.key
# Disables TLS compression (CRIME mitigation). No ssl_protocols or
# ssl_cipher_list appear here, so the 2.2.16 defaults apply.
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
# User lookups come from the same SQL configuration file as passdb.
userdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
}
# Shows the connected user/IP in process titles (visible to all local users via ps).
verbose_proctitle = yes
# LMTP delivery. This mail_plugins value replaces the global list (it does not
# reference $mail_plugins), so mail_log and notify are not active for LMTP.
protocol lmtp {
   mail_plugins = quota sieve
   syslog_facility = mail
}
# dovecot-lda (command-line delivery). Empty log paths send logging to syslog
# under the mail facility. As with lmtp, mail_plugins here replaces the global list.
protocol lda {
   info_log_path =
   log_path =
   mail_plugins = sieve quota
   syslog_facility = mail
}
# Caps concurrent IMAP connections per user+IP at 50 (limits client-side
# connection floods). imap_quota exposes quota usage to IMAP clients.
protocol imap {
   mail_max_userip_connections = 50
   mail_plugins = mail_log notify quota imap_quota
}
protocol pop3 {
   # "quota" is listed twice — harmless, but worth tidying.
   mail_plugins = mail_log notify quota quota
   # Logout summary line; the value was wrapped by the mail client.
   pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, 
in=%i, out=%o
   # Keep UIDLs stable across sessions so clients do not re-download mail.
   pop3_save_uidl = yes
}

W dniu 27.07.2015 o 15:03, Steffen Kaiser pisze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 27 Jul 2015, Piotr Rotter wrote:
>
>> I tried to enable a TLS connection from Postfix to Dovecot LMTP.
>> Unfortunately I have a problem with the certificate; Postfix shows:
>
> post the output of doveconf -n
>
>>
>> 2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS
>> connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2
>> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> I checked certs by openssl s_client:
>> #openssl s_client -connect localhost:24 -showcerts -starttls smtp
>> -CApath /etc/ssl/certs/
>>
>> And I gets
>>
>> didn't found starttls in server response, try anyway...
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>>
>> It looks like Dovecot LMTP sends the same certificate 3 times. [Reviewer note: the three depth=0 lines are OpenSSL's verify callback printing the one leaf certificate once per error (20, 27, 21) — the normal output when a server presents its leaf without the intermediate — so they do not show three certificates. Also, `-starttls smtp` sends EHLO, which an LMTP server expecting LHLO does not accept (hence "didn't found starttls in server response"), so this probe may not have exercised the STARTTLS path the Postfix lmtp client uses; newer OpenSSL has `-starttls lmtp`. Both listeners use the same global ssl_cert, and Postfix's "Untrusted" verdict also depends on lmtp_tls_CAfile/lmtp_tls_CApath on the Postfix side, so check that as well.]
>> I made the same test for imap in the same dovecot instance:
>>
>> #openssl s_client -connect localhost:143 -showcerts -starttls imap
>> -CApath /etc/ssl/certs/
>> CONNECTED(00000003)
>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>> verify return:1
>> depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps
>> (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify return:1
>>
>> For IMAP it looks OK. Why does LMTP show a wrong certificate list?
>>
>> # dovecot --version
>> 2.2.16
>>
>>
>
> - -- Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEVAwUBVbYsIXz1H7kL/d9rAQIDbgf/UTzRhj6ZiiuknCHjmmFRwdbTk+qclXbo
> vo2XtuH6V3WcuBoHwRedOiTuGH5g8WO2A+tl9wSSSvtw9TWurt2lLMfUsemWO4r4
> zv7SwkTn2CVCIbZmC/3D1kqXHm08fuSo9Vn5/tgfgdOFwt5r4VfNkkp+zm72wFWT
> o6uzL+EXSGEqnm/R1hFdC9cDZqKuzQ3MK+8qasoCPgMAr4svN0lwdi+yATaxzjgj
> MviyKpdtQmA9gKRfLhptVcIP17rRNkoZKCS/Eboy6g/Rjf8c4C4Hn7lUbnx+kCVe
> Xk4Z2cmlPhl17iyvzo8Tvyeuu/gxDEXfa/xgwRGhp0xx3c+WBOrJSg==
> =a+SK
> -----END PGP SIGNATURE-----

-- 
Best regards!
Piotr Rotter

