TLS handshake issue
Andrey Fesenko
f0andrey at gmail.com
Thu Mar 17 17:30:32 UTC 2016
On Thu, Mar 17, 2016 at 8:18 PM, John Oliver <joliver at john-oliver.net> wrote:
> dovecot-2.0.9 on CentOS 6.7
>
> The system in question is not connected to the Internet, so I can't
> copy-and-paste. I have to type anything required :-(
>
> Brand-new out-of-the-box install with a really minimal dovecot.conf
> including:
>
> service imap-login {
> inet_listener imaps {
> address = 192.168.1.10
> port = 143
> ssl = yes
> }
> }
>
> ssl_cert=</etc/pki/tls/certs/dovecot.pem
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_key =</etc/pki/tls/private/dovecot.pem
>
>
> That's very, very similar to an existing dovecot server on an old VM I
> need to replace. Certs are self-signed, I know that's a horrible thing
> to do, but right now we don't have any choice. I'm connecting with
> Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice
> about :-/ The Apple Mail just sits there stupidly. It's "Connection
> Doctor" just helpfully reports that it can't establish a connection. I
> can use 'openssl s_client -showcerts -connect mail:143' and see what I
> expect to see. The dovecot log with lots of verbosity enabled tells me:
>
> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200,
> lip=192.168.1.10, TLS handshaking: Disconnected
> auth: Debug: auth client connected (pid=21006)
> imap-login: Warning: SSL: where=0x10, ret=1: before/accept
> initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2001, ret=1: before/accept
> initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client
> hello A [192.168.1.200]
>
>
> And that's it... those lines get repeated every minute that Mail is
> running. I'm not seeing anything in any logs that even hints at what
> it's unhappy about, or any way to increase verbosity any more.
>
> Any hints appreciated!
>
> --
> ***********************************************************************
> * John Oliver http://www.john-oliver.net/ *
> * *
> ***********************************************************************
May be use -starttls imap or 993 port and more logs verbose_ssl=yes
More information about the dovecot
mailing list