Can't figure out why managesieve (pigeonhole) can't connect
Aki Tuomi
aki.tuomi at open-xchange.com
Thu Dec 15 07:55:11 UTC 2022
Actually, managesieve DOES use STARTTLS, and it does use the same config as the rest of Dovecot does, unless you override it, of course.
But other than that, you're right.
Aki
> On 15/12/2022 09:49 EET Christian Mack <christian.mack at uni-konstanz.de> wrote:
>
>
> Hello
>
> This test only shows that you can connect to IMAP port 143 with
> STARTTLS and use your certificate there.
> It does not show whether your managesieve port 4190 uses that certificate too.
> Managesieve does not use STARTTLS, and it has its own configuration.
>
> I suspect that your certificate does not include the private IP as an
> alternate name, as you try to reach 10.0.0.91:4190, not
> mydomain.com:4190.
>
>
> Kind regards,
> Christian Mack
>
> Am 14.12.22 um 21:48 schrieb colin at colinlikesfood.com:
> >
> >
> > Thank you for this. I am not using a self-signed cert; I am using Let's Encrypt
> > as the CA, and the certs are installed where certbot put them.
> >
> > I tried the example from https://wiki2.dovecot.org/TestInstallation,
> > using openssl s_client, and I achieved the following (lots of data
> > replaced with "...")
> >
> > I have not changed anything else since your last reply. I am honestly
> > not sure what rc config has to do with certs (Google has not given me a
> > result that seems to apply). Does the below help confirm that my certs are
> > properly installed and that I can connect to Dovecot over TLS and pass
> > my credentials?
> >
> > -----
> >
> > root at mc:~ # openssl s_client -connect mydomain.com:143 -starttls imap
> > CONNECTED(00000004)
> > depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> > verify return:1
> > depth=1 C = US, O = Let's Encrypt, CN = R3
> > verify return:1
> > depth=0 CN = mydomain.com
> > verify return:1
> > ---
> > Certificate chain
> > ...
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > ..
> > -----END CERTIFICATE-----
> > ..
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA256
> > Peer signature type: RSA-PSS
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 4922 bytes and written 426 bytes
> > Verification: OK
> > ---
> > ..
> > ..
> > ..
> > ---
> > read R BLOCK
> > a login me at mydomain.com MyPass
> > * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT
> > SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
> > MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
> > LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
> > WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY
> > PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE
> > a OK Logged in
> > a OK Logged in
> > b select inbox
> > * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> > * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
> > Flags permitted.
> > * 35 EXISTS
> > * 0 RECENT
> > * OK [UNSEEN 18] First unseen.
> > * OK [UIDVALIDITY 1669149589] UIDs valid
> > * OK [UIDNEXT 255] Predicted next UID
> > * OK [HIGHESTMODSEQ 615] Highest
> > b OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
> > c list "" *
> > * LIST (\HasNoChildren \Marked \Trash) "/" Trash
> > * LIST (\HasNoChildren \UnMarked \Junk) "/" Junk
> > * LIST (\HasNoChildren \Marked \Sent) "/" Sent
> > * LIST (\HasNoChildren \Drafts) "/" Drafts
> > * LIST (\HasNoChildren \UnMarked) "/" INBOX/email-reports
> > * LIST (\HasNoChildren \UnMarked) "/" INBOX/NAS-Alerts
> > * LIST (\HasChildren) "/" INBOX
> > c OK List completed (0.001 + 0.000 secs).
> >
> > On 2022-11-23 14:49, PGNet Dev wrote:
> >
> >>> i don't understand why it can't connect, this seems to work fine:
> >>
> >> fine ?
> >>
> >> you're manually overriding at least one problem with your certs/config
> >>
> >>> ...
> >>> - Status: The certificate is NOT trusted. The name in the certificate
> >>> does not match the expected.
> >>> *** PKI verification of server certificate failed...
> >>> Host 10.0.0.91 (sieve) has never been contacted before.
> >>> Its certificate is valid for 10.0.0.91.
> >>> Are you sure you want to trust it? (y/N): y
> >>> ...
> >>
> >> it appears that you're using a self-signed cert? are your trusted
> >> certs defined and correctly chained? if not explicitly defined, did
> >> you correctly add your certs to the system ssl dirs, and ensure the hashes are
> >> correct?
> >>
> >> demonstrate first that you can connect to dovecot over tls with a cmd
> >> line client, without ignoring or overriding your cert problems
> >>
> >> including any client/server cert verification requirements you've
> >> turned on in dovecot config
> >>
> >> once you've passed the correct certs, then demonstrate that you can
> >> authenticate in the same session with any password/credentials you've set
> >>
> >> once that all works, make sure you've got those certs correctly set up
> >> in your rc config
> >
> >
>
> --
> Christian Mack
> Universität Konstanz
> Kommunikations-, Informations-, Medienzentrum (KIM)
> Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
> 78457 Konstanz
> +49 7531 88-4416