Solved, thank you. TCPS was the issue.

From: Aki Tuomi <aki.tuomi@open-xchange.com>
Sent: Wednesday, November 20, 2019 08:54
To: Miro Igov <miro.igov@gmail.com>; dovecot@dovecot.org
Subject: Re: Doveadm replicator ssl issues

On 18.11.2019 22.30, Miro Igov via dovecot wrote:

Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard certificates.

Email clients connect fine, and https://www.immuniweb.com/ssl/ tests show the certificates are ok.

However, I can't make replication work when I add ssl = yes.

Without ssl it works ok.

I added verbose_ssl to the config and the error log shows:

dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

From the other server 149.x.x.x I tested with openssl:


openssl s_client -connect 188.x.x.x:12333 -crlf -CAfile /etc/pki/tls/cert.pem

CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier, street = 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN = *.domain.com
verify return:1
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC
    Session-ID-ctx:
    Master-Key: ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F241BD4B3C4B9E1AB6A929
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1574108251
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


The configuration of the two servers is below.


188.x.x.x

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: login.domain.com
default_vsz_limit = 512 M
doveadm_password = # hidden, use -P to show it
mail_plugins = " notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  mail_replica = tcp:149.x.x.x:12333
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
verbose_ssl = yes
local 91.x.x.x {
  protocol imap {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}
local 91.x.x.x {
  protocol pop3 {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}

 

 

149.x.x.x

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: prime.domain.com
auth_mechanisms = plain login
default_vsz_limit = 1 G
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = session=yes setcred=yes failure_show_msg=yes dovecot
  driver = pam
}
plugin {
  mail_replica = tcp:188.x.x.x:12333
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
replication_max_conns = 11
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 50
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
local 178.x.x.x {
  protocol imap {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}
local 178.x.x.x {
  protocol pop3 {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}


Hi!

You need to use tcps in mail_replica.

Aki
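
The root cause in this thread is a transport mismatch: each server's `mail_replica` uses the plaintext `tcp:` scheme while the peer's `doveadm` `inet_listener` has `ssl = yes`, so the peer receives a plaintext doveadm greeting where it expects a TLS ClientHello and logs the `SSL23_GET_CLIENT_HELLO:unknown protocol` handshake failure. The checker below is an added example, not code from the thread or from the Dovecot project; it parses `doveadm config -n` style output for both servers and flags a `tcp:` replica pointing at an `ssl = yes` listener (or the reverse). The two sample configs are constructed, trimmed versions of the ones posted above; the parser is deliberately minimal (no IPv6 literals, no `include` handling) and the fallback to the global `doveadm_port` setting is the only default it assumes.

```python
"""Cross-check a Dovecot mail_replica transport against the peer's doveadm listener.

Added example; not code from the mailing-list thread or the Dovecot project.
It reads `doveadm config -n` style output and flags the mismatch seen in the
thread: mail_replica uses the plaintext tcp: scheme while the peer's doveadm
inet_listener has ssl = yes. The peer then receives a plaintext doveadm greeting
where it expects a TLS ClientHello and logs "SSL23_GET_CLIENT_HELLO:unknown protocol".
"""
import re
from typing import Dict, List, Optional, Tuple

Section = Dict[str, object]  # str -> str (setting) or str -> Section (nested block)


def parse_dovecot_config(text: str) -> Section:
    """Parse `key = value` settings and nested `name { ... }` blocks into dicts.

    Sufficient for doveadm -n output: a value is everything after the first '='
    up to an optional '# ...' comment, so "# hidden, use -P to show it" becomes "".
    """
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            name = line[:-1].strip()  # e.g. "service doveadm", "inet_listener", "local 91.x.x.x"
            block = stack[-1].setdefault(name, {})  # repeated block names are merged
            if not isinstance(block, dict):
                raise ValueError(f"{name!r} is used both as a setting and as a block")
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.split("#", 1)[0].strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def replica_transport(cfg: Section) -> Tuple[str, str, Optional[int]]:
    """Return (scheme, host, port) from plugin { mail_replica = tcp[s]:host[:port] }.

    A missing port falls back to the global doveadm_port setting when it is set
    (assumption: that is how the replicator resolves the peer port).
    """
    value = cfg.get("plugin", {}).get("mail_replica", "")
    m = re.fullmatch(r"(tcps?):([^:]+)(?::(\d+))?", value)
    if not m:
        raise ValueError(f"unsupported or missing mail_replica: {value!r}")
    port = m.group(3) or cfg.get("doveadm_port")
    return m.group(1), m.group(2), int(port) if port and int(port) else None


def doveadm_listener_ssl(cfg: Section, port: int) -> Optional[bool]:
    """ssl = yes/no of the doveadm inet_listener bound to `port`; None if there is none."""
    for name, block in cfg.get("service doveadm", {}).items():
        if name.startswith("inet_listener") and isinstance(block, dict):
            if int(block.get("port", "0")) == port:
                return block.get("ssl", "no") == "yes"
    return None


def check_replication_pair(local_cfg: Section, peer_cfg: Section) -> List[str]:
    """Findings for local_cfg's mail_replica versus peer_cfg's doveadm listener."""
    scheme, host, port = replica_transport(local_cfg)
    if port is None:
        return [f"mail_replica {scheme}:{host} has no port and doveadm_port is unset"]
    peer_ssl = doveadm_listener_ssl(peer_cfg, port)
    if peer_ssl is None:
        return [f"peer has no doveadm inet_listener on port {port}"]
    if scheme == "tcp" and peer_ssl:
        return [f"mail_replica uses tcp: but the peer's doveadm listener on port {port} "
                "has ssl = yes: the peer rejects the plaintext greeting "
                "('unknown protocol'); use tcps:"]
    if scheme == "tcps" and not peer_ssl:
        return [f"mail_replica uses tcps: but the peer's doveadm listener on port {port} "
                "has ssl = no: the TLS handshake will fail; set ssl = yes on the listener"]
    return []


# Constructed samples, trimmed from the two configs posted in the thread.
SERVER_188 = """\
plugin {
  mail_replica = tcp:149.x.x.x:12333
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_key = # hidden, use -P to show it
"""
SERVER_149 = SERVER_188.replace("tcp:149.x.x.x", "tcp:188.x.x.x")
FIXED_188 = SERVER_188.replace("tcp:", "tcps:")  # the change Aki recommends
FIXED_149 = SERVER_149.replace("tcp:", "tcps:")

if __name__ == "__main__":
    for label, a, b in (("as posted", SERVER_188, SERVER_149), ("with tcps:", FIXED_188, FIXED_149)):
        findings = check_replication_pair(parse_dovecot_config(a), parse_dovecot_config(b))
        print(label, "->", findings or ["ok"])
```

Run against each server's own `doveadm config -n` output paired with the peer's, it reports the `tcp:`/`ssl = yes` mismatch for the posted configs and nothing once both `mail_replica` values use `tcps:`. The same log signature (`unknown protocol` in `SSL_accept()`) is what to expect whenever any plaintext client is pointed at a TLS-only Dovecot listener, so it is a useful string to alert on in the Dovecot log.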