Hello Aki,
maybe I misunderstood you, but both adding an "ssl = yes" line to this section of dovecot.conf, and commenting out the whole "four lines starting at "inet_listener imaps" do not have any effect :
service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } }
this is the error I still get after restarting dovecot, and trying again to connect with mutt:
ogin: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address] Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=server.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<zdRFPbx8xp4vNZ88> Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users Il giorno mar 11 dic 2018 alle ore 11:01 Aki Tuomi <aki.tuomi@open-xchange.com> ha scritto:
Hi!
You have misconfigured service imap-login, remove the 993 listener config (it's there by default) or add ssl = yes to it.
Aki
On 11.12.2018 11.58, Marco Fioretti wrote:
hello, and some update short version: the error is still there, but I have some more data to share, thanks in advance for further advice
first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is not an obsolete version. second... at the moment I can send email through postfix on the same server, with the same certificates (almost: I still have to fix some stuff, but is NOT related to SSL/TLS, e.g reverse DNS).
However, running openssl as requested returns "no peer certificate available", and when I connect with mutt to dovecot I still get the "no shared cipher" error. These are the permissions on the certificate files:
ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem -r--------. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem -r--------. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
output of openssl, dovecot -n, its current SSL settings and excerpt of the log file are all below.
openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993 CONNECTED(00000003) 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1544521696 Timeout : 300 (sec) Verify return code: 0 (ok)
current SSL dovecot settings in conf.d/10-ssl.conf
ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
sl_min_protocol = TLSv1.2
ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
ssl_cipher_list = ALL
output of dovecot -n:
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4 # Hostname: SERVER NAME auth_debug = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain mail_location = maildir:/var/mail/mymail_storage/base/ passdb { args = /etc/imap.v_users driver = passwd-file } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } ssl = required userdb { args = /etc/imap.v_users driver = passwd-file } verbose_ssl = yes
this is the error message I get by when I tried to connect with mutt:
Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled) Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address] Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello: Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands haking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs