Can't figure out why managesieve (pigeonhole) can't connect

colin at colinlikesfood.com colin at colinlikesfood.com
Wed Dec 14 20:48:08 UTC 2022



Thank you for this.  I am not using self-signed; I am using Let's Encrypt 
as a CA, and the certs are installed where certbot put them.

I tried the example from https://wiki2.dovecot.org/TestInstallation, 
using openssl s_client, and I achieved the following (lots of data 
replaced with "...").

I have not changed anything else since your last reply. I am honestly 
not sure what rc config has to do with certs (Google has not given me a 
result that seems to apply).  Does the below help confirm my certs are 
properly installed and that I can connect to dovecot over TLS and pass 
my credentials?

-----

root at mc:~ # openssl s_client -connect mydomain.com:143 -starttls imap
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.com
verify return:1
---
Certificate chain
  ...
---
Server certificate
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
..
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4922 bytes and written 426 bytes
Verification: OK
---
..
..
..
---
read R BLOCK
a login me at mydomain.com MyPass
* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT 
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS 
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES 
WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY 
PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE
a OK Logged in
a OK Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] 
Flags permitted.
* 35 EXISTS
* 0 RECENT
* OK [UNSEEN 18] First unseen.
* OK [UIDVALIDITY 1669149589] UIDs valid
* OK [UIDNEXT 255] Predicted next UID
* OK [HIGHESTMODSEQ 615] Highest
b OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
c list "" *
* LIST (\HasNoChildren \Marked \Trash) "/" Trash
* LIST (\HasNoChildren \UnMarked \Junk) "/" Junk
* LIST (\HasNoChildren \Marked \Sent) "/" Sent
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \UnMarked) "/" INBOX/email-reports
* LIST (\HasNoChildren \UnMarked) "/" INBOX/NAS-Alerts
* LIST (\HasChildren) "/" INBOX
c OK List completed (0.001 + 0.000 secs).

On 2022-11-23 14:49, PGNet Dev wrote:

>> i don't understand why it can't connect, this seems to work fine:
> 
> fine ?
> 
> you're manually overriding at least one problem with your certs/config
> 
>> ...
>> - Status: The certificate is NOT trusted. The name in the certificate 
>> does not match the expected.
>> *** PKI verification of server certificate failed...
>> Host 10.0.0.91 (sieve) has never been contacted before.
>> Its certificate is valid for 10.0.0.91.
>> Are you sure you want to trust it? (y/N): y
>> ...
> 
> it appears that you're using a self-signed cert?  are your trusted 
> certs defined and correctly chained?  if not explicitly defined, did 
> you correctly add your certs to system ssl dirs, and ensure hashes are 
> correct?
> 
> demonstrate first that you can connect to dovecot over tls with a cmd 
> line client, without ignoring or overriding your cert problems
> 
> including any client/server cert verification requirements you've 
> turned on in dovecot config
> 
> once you've passed the correct certs, then demonstrate that you can 
> authenticate in the same session with any password/credentials you've 
> set
> 
> once that all works, make sure you've got those certs correctly set up 
> in your rc config
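
The strict command-line check asked for in the quoted reply, applied to the ManageSieve listener rather than IMAP, as an added example that is not part of the original thread. Port 4190 (the registered ManageSieve port), the function names and both sample transcripts are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, port 4190 (registered
# ManageSieve port) and both sample transcripts are assumptions / constructed.

# Strict check of the ManageSieve listener: -verify_return_error aborts the
# handshake on any chain or name failure instead of continuing, so nothing is
# overridden by hand. $1 = address to dial, $2 = name the client expects.
check_sieve_tls() {
    openssl s_client -connect "$1:4190" -starttls sieve \
        -servername "$2" -verify_hostname "$2" -verify_return_error \
        </dev/null 2>&1 | tls_verdict
}

# Read an s_client transcript on stdin; succeed only on a clean verification.
tls_verdict() {
    awk '
        /^verify error:/ && first == ""       { first = $0 }
        /^Verification error:/ && first == "" { first = $0 }
        /^Verification: OK/                   { ok = 1 }
        END {
            if (first != "") { print "failed: " first; exit 1 }
            if (!ok)         { print "failed: no verification result"; exit 1 }
            print "verified"
        }'
}

sample_ok() {         # constructed, shaped like the IMAP transcript in the post
    cat <<'EOF'
depth=0 CN = mydomain.com
verify return:1
Verification: OK
EOF
}

sample_mismatch() {   # constructed: same certificate, checked against another name
    cat <<'EOF'
depth=0 CN = mydomain.com
verify error:num=62:Hostname mismatch
verify return:1
Verification error: Hostname mismatch
EOF
}

# Offline demonstration on the constructed failure case.
sample_mismatch | tls_verdict || true
```

`check_sieve_tls 10.0.0.91 mydomain.com` dials the LAN address while verifying against the certificate's name; passing the IP as the second argument shows the name failure without any prompt to accept it.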
