Re: STARTTLS issue with sieve

13 Jul 2017

      Am 07.07.2017 um 08:15 schrieb Andreas Oster:
...
Hi all,
I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks
ago I had to replace our dovecot certificate due to expiration. In the
past I did use a self-signed certificate, but because we now have a
little openssl based CA I have decided to create signed certificate for
imaps. Dovecot is happily accepting the new certificate which has
integrated the whole cert-chain. Unfortunately Pigeonhole does not seem
to like the certificate:
<--snip
gnutls-cli --starttls -p4190 mail.novanetwork.local
Processed 173 CA certificate(s).
Resolving 'mail.novanetwork.loc'...
Connecting to '10.2.1.23:4190'...

Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
STARTTLS
OK "Begin TLS negotiation now."
-->
At this point the TLS process does not proceed. When I press CTRL-D I
get the following output:
*** Starting TLS handshake

Certificate type: X.509

Got a certificate list of 3 certificates.

Certificate[0] info:

subject C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA  Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer  C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA
Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed
using RSA-SHA256, activated 2017-06-23 06:58:40 UTC', expires  2020-06-22 06:58:40 UTC', SHA-1 fingerprint
`51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
Public Key ID:
165eaaa4b36c091ec8f32103da003a1f43b1c57d
Public key's random art:
+--[ RSA 2048]----+
|  .o..           |
|. .o. . E        |
|o..    .. .      |
|= o    . +       |
|+* o  . S        |
|o==. o o         |
| .=o+..          |
|  .ooo           |
|   .o            |
+-----------------+

Certificate[1] info:

subject C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen  GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer  C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
RSA-SHA256, activated 2016-12-05 11:40:29 UTC', expires 2026-12-03
11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'

Certificate[2] info:

subject C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA  Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer  C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
RSA-SHA256, activated 2016-12-05 11:36:47 UTC', expires 2036-11-30
11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'

Status: The certificate is NOT trusted. The certificate issuer is
unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

I have checked the certificate with:
openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
and also with:
openssl verify -verbose -CAfile
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
Does anyone have an idea what could be the cause of the problem and how
to fix it ?
Thank you for your kind help.
best regards
Andreas
Hi all,
in another posting Stephan Bosch pointed out that there is already a fix:
https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355...
This small change also resolved my sieve login issue.
best regards
Andreas