I'm running Ubuntu 10.04, recently upgraded. My dovecot version is 1.2.9. My SSL/TLS authentication with dovecot from non-local IPs has stopped working, and I can no longer access my mail securely. I have changed all entries to refer to my server as "host". I am the only user, and am OK with a self-signed cert. When I try to connect using Thunderbird, the certificate window says "unable to obtain identification status for the given site". This action generates the entry in /var/log/mail.log:
TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
I am using self-signed certificates, generated using:
openssl genrsa -out server.key 1024
openssl req -new -x509 -key server.key -out server.pem -days 1826
If I use openssl s_client -connect host:993 to connect, I get the following output:
CONNECTED(00000003)
depth=0 /C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
   i:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAt6gAwIBAgIJAIMqhTeSqt7PMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNhbWJyaWRnZTEQMA4GA1UE
ChMHSGFydmFyZDEMMAoGA1UECxMDT0VCMQ8wDQYDVQQDEwZNQ1IyRDIxIzAhBgkq
hkiG9w0BCQEWFGJqb3JkYW41NTVAZ21haWwuY29tMB4XDTEwMDcxMDE0MjYyMFoX
DTE1MDcxMDE0MjYyMFowgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTESMBAG
A1UEBxMJQ2FtYnJpZGdlMRAwDgYDVQQKEwdIYXJ2YXJkMQwwCgYDVQQLEwNPRUIx
DzANBgNVBAMTBk1DUjJEMjEjMCEGCSqGSIb3DQEJARYUYmpvcmRhbjU1NUBnbWFp
bC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ8m09I2TR9J93lRzYvi
mvo7WoZsjEI9kJbJwrJo3xc662w5yLGiolkxvuul8TN0PaDcJsjTAKPuiU2hmYku
9OmCtGlWtkVGmUPCyUok97rC7N81vBdIwUPoMRI4AA1s/Ubu22QIRnnmB8H+BNfs
BqTA6E9q4cHUEhVlt3CMTk9tAgMBAAGjgewwgekwHQYDVR0OBBYEFFh0Xj1WtJmZ
ZUKijH/JqVgsF4KCMIG5BgNVHSMEgbEwga6AFFh0Xj1WtJmZZUKijH/JqVgsF4KC
oYGKpIGHMIGEMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNh
bWJyaWRnZTEQMA4GA1UEChMHSGFydmFyZDEMMAoGA1UECxMDT0VCMQ8wDQYDVQQD
EwZNQ1IyRDIxIzAhBgkqhkiG9w0BCQEWFGJqb3JkYW41NTVAZ21haWwuY29tggkA
gyqFN5Kq3s8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQArUj++GxWm
b7hPaB9cBC6DP4uj6D1/xWRovcnaMhniR47Hrm1qVc6Rt6Lvn82KAsmBcmgc58W4
aV5h4tqqSeHh/TqBg3361qLp3DiOk08M66MbSDl1bHWG5te/JaxeiJLbfpuCg1xX
j8dK4ilp5neshaKozl/X+1Et71KESGuT0w==
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
issuer=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555@gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 1453 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: CABB8909A462A3B6FB65AB556D5ABF6A632691BB81F8F994ED0C8098448FD3DE
    Session-ID-ctx:
    Master-Key: BF53FCA25DEA893EFF8C152A99A62A304229C8FA811ACE757233326826543340EF1FC1F433F95B9505E823D5CF289793
    Key-Arg   : None
    Start Time: 1278774437
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
The output of dovecot -n is:
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-23-generic x86_64 Ubuntu 10.04 LTS
ssl_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mbox_write_locks: fcntl dotlock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
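Added example, not part of the question above and not Dovecot's or Ubuntu's own tooling: a small set of POSIX sh helpers for the self-signed-certificate workflow this post describes. They generate a key and certificate with the server name in the CN, check that a key file and certificate file actually belong together (same RSA modulus), read the CN back out, and compare SHA-1 fingerprints so the certificate you generated can be checked against the file a daemon's ssl_cert_file setting points at and against the certificate a live server presents on host:993. The host name "host", the 2048-bit key size and the file paths are assumptions for the example, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# Assumed values: host name "host", 2048-bit key, paths passed by the caller.

# Generate a private key and a self-signed certificate whose CN is HOST.
# Usage: gen_selfsigned HOST KEYFILE CERTFILE [DAYS]
gen_selfsigned() {
    host=$1; key=$2; cert=$3; days=${4:-1826}
    openssl genrsa -out "$key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$key" -out "$cert" -days "$days" \
        -subj "/C=US/ST=MA/L=city/O=org/OU=unit/CN=$host" 2>/dev/null
}

# SHA-1 fingerprint of a PEM certificate file, printed as AB:CD:...
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2
}

# Subject CN of a PEM certificate file (RFC2253 form avoids the
# spacing differences between OpenSSL versions' default subject output).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the RSA modulus in KEYFILE equals the one in CERTFILE,
# i.e. the key and the certificate were generated together.
# Usage: key_matches_cert CERTFILE KEYFILE
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if two certificate files carry the same certificate.
# Use it to compare the file you generated with the file named in
# the daemon's ssl_cert_file setting.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Fingerprint of the certificate a live TLS server presents, e.g.
# served_fingerprint host:993 for IMAPS. Needs network access, so it is
# the one helper here that cannot be exercised offline.
served_fingerprint() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}
```

Typical use: generate with gen_selfsigned, confirm key_matches_cert on the pair you intend to deploy, then check same_cert between your server.pem and the path in ssl_cert_file, and finally compare served_fingerprint host:993 with cert_fingerprint server.pem; if the last two differ, the running daemon is serving a different certificate from the one you generated.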