Ah, the actual problem appears to be that you are not including the conf.d directory at all in your config, so you are ending up with no certificate at all. This is handled better in 2.3.x.
Aki
On 11.12.2018 12.01, Aki Tuomi wrote:
Hi!
You have misconfigured service imap-login, remove the 993 listener config (it's there by default) or add ssl = yes to it.
Aki
On 11.12.2018 11.58, Marco Fioretti wrote:
Hello, and some update. Short version: the error is still there, but I have some more data to share. Thanks in advance for further advice.
First, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is not an obsolete version. Second... at the moment I can send email through postfix on the same server, with the same certificates (almost: I still have to fix some stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
However, running openssl as requested returns "no peer certificate available", and when I connect with mutt to dovecot I still get the "no shared cipher" error. These are the permissions on the certificate files:
ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
-r--------. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
-r--------. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
The output of openssl, of dovecot -n, the current SSL settings and an excerpt of the log file are all below.
openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(00000003)
140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544521696
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Current SSL dovecot settings in conf.d/10-ssl.conf:
ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
ssl_min_protocol = TLSv1.2
ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
ssl_cipher_list = ALL
Output of dovecot -n:
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes
This is the error message I get when I try to connect with mutt:
Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
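The check behind Aki's diagnosis, as an added example that is not part of the thread: when dovecot.conf never includes conf.d/, the ssl_cert and ssl_key in 10-ssl.conf are silently ignored, the effective configuration printed by dovecot -n carries no certificate (exactly what Marco's output shows), and every TLS handshake ends in "no shared cipher". The config snippets below are constructed samples, and the diagnose function and its file names are assumptions of this example.

```bash
#!/bin/sh
# Added example: detect the "conf.d not included" misconfiguration offline.
# Inputs are constructed sample files; no Dovecot installation is needed.

# Exit 0 if the main config has an active (uncommented) include of conf.d/*.conf.
includes_confd() {
    grep -Eq '^[[:space:]]*!include(_try)?[[:space:]]+conf\.d/\*\.conf' "$1"
}

# Exit 0 if the effective config (what "dovecot -n" prints) sets ssl_cert.
has_ssl_cert() {
    grep -Eq '^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<' "$1"
}

# diagnose MAIN_CONF EFFECTIVE_CONF
#   returns 0 when both checks pass, 1 when the include is missing,
#   2 when conf.d is included but no certificate reaches the effective config.
diagnose() {
    if ! includes_confd "$1"; then
        echo "FAIL: $1 never includes conf.d/*.conf, so 10-ssl.conf is ignored"
        return 1
    fi
    if ! has_ssl_cert "$2"; then
        echo "FAIL: effective config has no ssl_cert; the server has no certificate"
        return 2
    fi
    echo "OK: conf.d is included and a certificate is configured"
    return 0
}

# Constructed samples: the broken layout from the thread and a corrected one.
TMP=$(mktemp -d)
printf 'protocols = imap\n#!include conf.d/*.conf\nssl = required\n' > "$TMP/broken-main.conf"
printf 'ssl = required\nservice imap-login {\n  inet_listener imaps {\n    port = 993\n  }\n}\n' \
    > "$TMP/broken-effective.conf"
printf 'protocols = imap\n!include conf.d/*.conf\n' > "$TMP/fixed-main.conf"
printf 'ssl = required\nssl_cert = </etc/letsencrypt/live/example.test/fullchain.pem\n' \
    > "$TMP/fixed-effective.conf"
printf 'ssl_key = </etc/letsencrypt/live/example.test/privkey.pem\nssl_min_protocol = TLSv1.2\n' \
    >> "$TMP/fixed-effective.conf"

diagnose "$TMP/broken-main.conf" "$TMP/broken-effective.conf" || echo "exit status $?"
diagnose "$TMP/fixed-main.conf" "$TMP/fixed-effective.conf" || echo "exit status $?"
```

On a real host, run it against /etc/dovecot/dovecot.conf and the output of `doveconf -n` saved to a file.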