RE: Doveadm replicator ssl issues

20 Nov 2019

      Solved, thank you! TCPS was the issue.
From: Aki Tuomi aki.tuomi@open-xchange.com
Sent: Wednesday, November 20, 2019 08:54
To: Miro Igov miro.igov@gmail.com; dovecot@dovecot.org
Subject: Re: Doveadm replicator ssl issues
On 18.11.2019 22.30, Miro Igov via dovecot wrote:
Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard
certificates.
Email clients connect fine, https://www.immuniweb.com/ssl/ tests show
certificates are ok.
However I can't make replication work when I add ssl = yes.
Without ssl it works ok.
I added verbose_ssl  in config and error log shows:
dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept()
failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
...
From the other server 149.x.x.x I tested with openssl:
openssl s_client -connect 188.x.x.x:12333 -crlf -CAfile
/etc/pki/tls/cert.pem
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network,
CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier, street
= 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN = *.domain.com
verify return:1
.
.
SSL-Session:
Protocol  : TLSv1.2

Cipher    : ECDHE-RSA-AES256-SHA384

Session-ID:
95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC
Session-ID-ctx:

Master-Key:
ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F2
41BD4B3C4B9E1AB6A929
Key-Arg   : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

Start Time: 1574108251

Timeout   : 300 (sec)

Verify return code: 0 (ok)
The configuration of the 2 servers below.
188.x.x.x
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: login.domain.com
default_vsz_limit = 512 M
doveadm_password = # hidden, use -P to show it
mail_plugins = " notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date index ihave
duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
plugin {
mail_replica = tcp:149.x.x.x:12333
sieve = file:~/sieve;active=~/.dovecot.sieve
file://~/sieve;active=~/.dovecot.sieve
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
service aggregator {
fifo_listener replication-notify-fifo {
mode = 0666
}
unix_listener replication-notify {
mode = 0666
}
}
service doveadm {
inet_listener {
port = 12333

ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
ssl_cert = 
ssl_cipher_list =
ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv
1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!A
ESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
verbose_ssl = yes
local 91.x.x.x {
protocol imap {
ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_key = # hidden, use -P to show it
}
}
local 91.x.x.x {
protocol pop3 {
ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_key = # hidden, use -P to show it
}
}
149.x.x.x
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: prime.domain.com
auth_mechanisms = plain login
default_vsz_limit = 1 G
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe

special_use = \Archive
}
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Spam {
auto = subscribe

special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = session=yes setcred=yes failure_show_msg=yes dovecot
driver = pam
}
plugin {
mail_replica = tcp:188.x.x.x:12333
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
replication_max_conns = 11
service aggregator {
fifo_listener replication-notify-fifo {
mode = 0666
}
unix_listener replication-notify {
mode = 0666
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix

mode = 0666

user = postfix
}
}
service doveadm {
inet_listener {
port = 12333

ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
ssl_cert = 
ssl_cipher_list =
ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv
1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!A
ESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
protocol imap {
mail_max_userip_connections = 50
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
local 178.x.x.x {
protocol imap {
ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_key = # hidden, use -P to show it
}
}
local 178.x.x.x {
protocol pop3 {
ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_key = # hidden, use -P to show it
}
}
Hi!
You need to use tcps in mail_replica.
Aki