On Oct 9, 2013, at 11:36 PM, Noel Butler wrote:
I can't recall if we previously discussed it, but why the fascination with imaps? Why not use TLS on 143, or won't that connect either?
Yes, neither TLS nor IMAPS will connect.
tried pop3 TLS ? pop3s?
I have not.
My next step will be setting up a non-dovecot IMAP server and test the same certificates there.
and when you test, use -CAfile /path/to/(startssl's)CA.pem
When I do that, I get:
$ openssl s_client -t -CAfile /usr/local/share/certs/ca-root-nss.crt -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
verify return:1
…. lots snipped
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C9D4AF8FA11CF6EF00E367BC1B45BA465668AEAE595BF3925FC679C7816CE023
    Session-ID-ctx:
    Master-Key: AA0B04AB1C93688C089349A0137D99B5E65303F58A322397509284AE224B37149F76C8C1CD2A7BAC12BEA8E190468598
    Key-Arg   : None
    Start Time: 1381428914
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
All looks good?
I see no auth mech statement, so using the default is limited, IIRC, login is re
auth_mechanisms = plain login
But that's OK, right?
On 10/10/2013 10:51, Dan Langille wrote:
On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
On 10/10/2013 06:09, Eliezer Croitoru wrote:
I would imagine that a 4k-bit certificate handshake and validation can take more than 1 sec.. Am I right about it?

Hardly, and the size is not his problem. He was given a test account on my network when I last saw this thread (a few weeks back?), that uses StartSSL and 4096 certs; his Mail.app connected fine.

I would like to investigate that more if you like. Others have experienced problems connecting to my test server. I can't believe I've created a non-functional Dovecot configuration. One avenue I will pursue: if I swap from 4096 to 2048, why does it work?

Here is a connection with a 4096 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Here it is with a 2048 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmaster@langille.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

The only thing I change in the configuration is:

# MY KEYS
#ssl_cert = </usr/local/etc/ssl/dovecot.pem
#ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key

# My 2048 key
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key

Current configuration is:

# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
-- Dan Langille - http://langille.org
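The thread reads two s_client transcripts by eye: one without -CAfile (error num=19, the self-signed StartCom root at depth 2 is untrusted) and one with -CAfile (Verify return code: 0 (ok)). The script below is an added example, not code from the thread or from Dovecot or OpenSSL; it mechanises that reading so a test server can be checked repeatedly. It summarises a saved s_client transcript (verify code, key size, negotiated cipher, number of certificates the server sent, any verify errors) and returns success only when the chain verified. The two embedded transcripts are constructed, modelled on the ones posted above (with a placeholder CN and 4096-bit key); the probe_tls helper, its -starttls imap usage for port 143, and the hostnames are assumptions for illustration. The field names it matches are those of the OpenSSL 1.0-era output format shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an `openssl s_client`
# transcript the way the thread reads it by hand -- did the chain verify
# against the supplied CA file, how many certificates did the server send,
# which key size and cipher were negotiated.  Sample transcripts below are
# constructed, modelled on the ones posted in the thread.

# Print one summary line and return 0 only when OpenSSL reported
# "Verify return code: 0 (ok)" for the transcript saved in file $1.
check_s_client_output() {
    f="$1"
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
    bits=$(sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' "$f")
    cipher=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' "$f")
    chain_len=$(grep -c '^ *[0-9][0-9]* s:' "$f")   # entries under "Certificate chain"
    errs=$(sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' "$f" \
           | sort -u | tr '\n' ',' | sed 's/,$//')
    printf 'verify=%s bits=%s cipher=%s chain_len=%s errors=%s\n' \
        "${code:-none}" "${bits:-?}" "${cipher:-?}" "$chain_len" "${errs:-none}"
    [ "$code" = "0" ]
}

# Live check (hypothetical helper): HOST PORT CAFILE [extra s_client args,
# e.g. -starttls imap to test TLS on port 143 instead of imaps on 993].
# Needs network access; the offline samples below do not exercise it.
probe_tls() {
    host="$1"; port="$2"; cafile="$3"; shift 3
    out=$(mktemp)
    openssl s_client -connect "$host:$port" -CAfile "$cafile" "$@" < /dev/null > "$out" 2>&1
    check_s_client_output "$out"; rc=$?
    rm -f "$out"
    return $rc
}

# Constructed transcript: no -CAfile given, so the self-signed root the
# server sends at depth 2 is untrusted (verify error 19), as in the thread.
sample_unverified() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example/CN=imaps.example.org
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Constructed transcript: same server, this time with -CAfile pointing at a
# bundle that contains the StartCom root, so every depth verifies.
sample_verified() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /C=US/O=Example/CN=imaps.example.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example/CN=imaps.example.org
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
EOF
}

# Offline demo over the two constructed transcripts.
for s in sample_unverified sample_verified; do
    t=$(mktemp)
    "$s" > "$t"
    printf '%s: ' "$s"
    check_s_client_output "$t" || printf '  -> chain NOT trusted: retry with -CAfile or fix the bundle order\n'
    rm -f "$t"
done
```

A live run against the thread's own setup would be `probe_tls imaps.unixathome.org 993 /path/to/startssl-ca.pem`, or `probe_tls host 143 ca.pem -starttls imap` for the port-143 variant Noel asked about. A chain_len of 3 with no -CAfile and error 19 is the normal picture for a server that sends its root along with the bundle; it becomes a problem only if the client has no trust store containing that root, which is what -CAfile rules in or out.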