On Sep 17, 2013, at 10:59 AM, Bruno Tréguier wrote:
> On 17/09/2013 at 16:32, Dan Langille wrote:
>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>>
>> Somewhere, somehow, there is something vastly different and not working.
>
> Hi,
>
> Something is definitely wrong with your certificate chain. The first certificate listed in your chain (depth 2) should be StartCom's root CA, bearing "CN = StartCom Certification Authority", the 2nd one (depth 1) should be the intermediate cert, bearing "CN = StartCom Class 1 Primary Intermediate Server CA", and the last one (depth 0) should be yours.
>
> You said in an earlier message that you had put the 3 certs (yours, then the intermediate, and then the root) in your crt file. Is it still the case? If not, you really *must* do it, even if you find it makes no difference. Maybe there's another problem somewhere else, but this chain is a prerequisite for many clients to work.
After a long delay, I'm ready to tackle this again.
This is my configuration:
# dovecot -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_cert = </usr/local/etc/ssl/dovecot.pem
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
/usr/local/etc/ssl/dovecot.pem was created via:
cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem > dovecot.pem
All the certs are startssl.com certs.
Testing via the command line gives:
$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Server certificate
-----BEGIN CERTIFICATE-----
MIIHsjCCBpqgAwIBAgIDAaiZMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MiBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMxMDA2MTIzODI3
WhcNMTUxMDA2MjA1NzI4WjCBsjEZMBcGA1UEDRMQVndoZEppMHNMSFAzQkR0UTEL
MAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEOMAwGA1UEBxMFTWVk
aWExGDAWBgNVBAoTD0RhbmllbCBMYW5naWxsZTEdMBsGA1UEAxMUaW1hcHMudW5p
eGF0aG9tZS5vcmcxKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAdW5peGF0aG9t
ZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQLgy4N8rCnhZS5t
uwA0/4gTmMNdNflfwUgWGGUoeOC3qcodt2EitcnuhLfvDJORrpZtxKYYK0SMAlJt
RHg+DTp+9mSCicDWjoxOcc1WbUUkAiFdkL155LtMEd2xSB/NaEbjeone86ln5erz
4BLJqiaaubOkhAwXrJy/Owfp6RUbqEKUToGI1bF+q5EFFGqh3rO7/3Gpx0qihScx
6sGa04CgqhT0G6JOw6zJ5zJE0PSX4U/S7nAJCA/ktXNU3v23Jd+RYIOqrmuyHnf6
dISQH8HQKr83L3D3Yq64GCadvf0Nv/xrxc/4UO2mpiZlZppf+8Q+vTgfwl98OH62
mqdUM8hspGMAtRGmt8ccB73ukmqHvY9QJEGNNvx181VlTTcAygi/R5LiEtwFewAj
Zk4QvC4O3O3Rxl6VKfEgmoO93EXFfbVylv7MQqs6NKGeIdMgBpcxdsrlXo8ofVCz
uIQvJV8G8mlejP/RstZAoGxtUP5BRrLbcke3q77l6d6DYrTAhb7SgxP31AYrSknj
I+sCNb5IJvrrZe9lZt8OYlm3Yog8wjiTCgeBlytes7L95Dr0Xn8jZk4Dzg59HbO4
AIlSVdMistZatAvM9QFBPUdt36dyNkFOGpAtNblfmV3pB1Wyz0LlxhS2n3XFxSJB
ZgHvBYV891UoSm6julSzeE2i/6liIQIDAQABo4IC8zCCAu8wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1Ud
DgQWBBTuSWRJewXVTNYjoX6gw/DdaXcDqTAfBgNVHSMEGDAWgBQR2yNF/VTManFv
hIoD1773AS8mhjAvBgNVHREEKDAmghRpbWFwcy51bml4YXRob21lLm9yZ4IOdW5p
eGF0aG9tZS5vcmcwggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgIwggE7BgsrBgEE
AYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29t
L3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBpc3N1
ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAyIFZhbGlkYXRpb24gcmVxdWlyZW1l
bnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkgZm9y
IHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2YgdGhlIHJlbHlp
bmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9j
cmwuc3RhcnRzc2wuY29tL2NydDItY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEwfzA5
BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFzczIv
c2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9j
ZXJ0cy9zdWIuY2xhc3MyLnNlcnZlci5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0cDov
L3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQBHkfLREbnBtJUE
MPDsaHEZSEDe5uagtAvuNMQh03qcu5UG2x5KkjeT6OK7JwrrjEehA+m5t2JcGtPY
dLN8VB9w7WdPg4ezNR/F4sKdeOPNl8+Us5pWMXRPnLN8EqAp4Kg5KzfJli8Jnaxw
Snbs1Itmwxm19lYF2nWPUMMBru4CxHN7U5jbii+wqpi3LhRK/okuMEbG7xogcboP
n2CDTFk6Yc9W0BE7XBwr1t0xE8KFgvlKu87RS3C+d1AkzM92NUDgS0JQgmO6F2T/
nBsediEpNGORzEvSuq/4wVych5tUKFkksy5X4CHXZw86YjZccPcrtpLrWxs5EhUD
s+tkDOSK
-----END CERTIFICATE-----
subject=/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

No client certificate CA names sent

SSL handshake has read 6672 bytes and written 409 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AE8788A1289F10CB6417E4578F2EB86AFC132B3637748B237C559C72ECE26D77
    Session-ID-ctx:
    Master-Key: 9D2151FF1BB2C45F32C1DBB1E49E45FA1E03F82387EE9FCCB50D7F2DB02BB0169D82B4ED386DCD17221856DD35CB1617
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - a4 61 9f 61 21 7e 67 45-71 2d 46 97 c7 4c 6c 99   .a.a!~gEq-F..Ll.
    0010 - e8 7a 4b 5b 5d f5 32 e7-fe 1d 78 fa 4e 43 72 6e   .zK[].2...x.NCrn
    0020 - 68 22 4b 60 68 91 98 39-d1 50 09 0a 2a 08 f0 ae   h"K`h..9.P..*...
    0030 - a9 6e 14 b8 d9 82 09 3b-7d ef 1a b0 f1 d8 a7 c4   .n.....;}.......
    0040 - 2c 83 57 a1 03 6e 17 89-13 ff 82 e0 06 88 c9 a1   ,.W..n..........
    0050 - dc 79 e7 3f 3b d4 da da-47 d8 63 07 71 6c df 2b   .y.?;...G.c.ql.+
    0060 - 39 b2 0f f7 bf ac 8e b3-37 24 6f 58 83 1f 2a 65   9.......7$oX..*e
    0070 - 7f 19 fb 1c 9a 46 1f 35-73 b1 cb 73 6b b5 c6 84   .....F.5s..sk...
    0080 - dc d3 4b cb e7 db bb 7c-f3 52 b4 69 1b 42 9e 21   ..K....|.R.i.B.!
    0090 - 4d c0 50 19 d2 98 77 be-b8 0e 9e 66 e7 d7 d9 52   M.P...w....f...R

    Start Time: 1381089774
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
I can login fine. This is the temporary login and password. There is nothing private in there at present. If anyone wishes to confirm this works, please feel free to connect in. I'm especially interested in those of you with Mac or iPhones. Is this only me? All Mac/iPhone?
a1 login dan password
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
and commands work OK:
a3 examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1379426958] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
a3 OK [READ-ONLY] Examine completed (0.014 secs).
Logout:
a5 LOGOUT
* BYE Logging out
a5 OK Logout completed.
closed
All looks good.
/var/log/maillog shows:
Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=<fYUwEhjoVgBib5Pc>
Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691
I have Thunderbird working just fine on my Macbook.
But my goal is mail.app on my iPhone and my Macbook. When they try to connect, the mail server logs are:
Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>
Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation. That's my current IMAP server. I'm moving to another server and failing so far.
Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.
-- Dan Langille - http://langille.org
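The two points the thread keeps returning to are (a) the order of the certificates inside the ssl_cert bundle (server cert first, then the intermediate, then the root, exactly what the `cat` command above produces) and (b) whether the chain actually verifies. The script below is an added example, not code from the thread or from Dovecot: it splits a PEM bundle such as dovecot.pem into its certificates, prints subject and issuer at each depth, fails if any certificate is not issued by the one that follows it, and then runs `openssl verify` with the first certificate as the leaf, the last as trust anchor and anything in between as untrusted intermediates. It assumes only POSIX sh, awk, mktemp and the openssl CLI (1.1 or 3.x); the path used in the usage comment is the one from the dovecot -n output above. One caveat worth keeping in mind when reading the s_client output above: verify return code 19 ("self signed certificate in certificate chain") only says that s_client was given no trust store and found the root in the chain the server sent; with `-CAfile` pointing at the root CA certificate, the same chain would verify with return code 0.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Dovecot ssl_cert bundle.
# Assumes POSIX sh, awk, mktemp and the openssl CLI. Usage:
#   sh check-bundle.sh /usr/local/etc/ssl/dovecot.pem

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... in file order.
# cert-01.pem is expected to be the server (leaf) cert, the last one the root.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Print subject/issuer per depth; return 1 unless each certificate is issued
# by the one that follows it (leaf, intermediate(s), root), 2 on unusable input.
check_chain_order() {
    ccdir=$(mktemp -d) || return 2
    split_bundle "$1" "$ccdir"
    ccprev=""; ccrc=0; ccdepth=0; ccsubj=""; cciss=""
    for ccf in "$ccdir"/cert-*.pem; do
        [ -e "$ccf" ] || { echo "no certificates in $1" >&2; rm -rf "$ccdir"; return 2; }
        # sed strips "subject=" / "subject= " so 1.0.x and 1.1/3.x output compare alike
        ccsubj=$(openssl x509 -in "$ccf" -noout -subject | sed 's/^subject= *//')
        cciss=$(openssl x509 -in "$ccf" -noout -issuer | sed 's/^issuer= *//')
        echo "depth $ccdepth: subject=$ccsubj"
        echo "         issuer=$cciss"
        if [ -n "$ccprev" ] && [ "$ccprev" != "$ccsubj" ]; then
            echo "ORDER ERROR: depth $ccdepth is not the issuer of depth $((ccdepth - 1))" >&2
            ccrc=1
        fi
        ccprev=$cciss; ccdepth=$((ccdepth + 1))
    done
    if [ "$ccsubj" = "$cciss" ]; then
        echo "last certificate is self-signed (root CA is included in the bundle)"
    else
        echo "note: bundle does not end with a self-signed root"
    fi
    rm -rf "$ccdir"
    return $ccrc
}

# Cryptographic check: verify the leaf (first cert) against the last cert as
# trust anchor, offering any middle certs to openssl as untrusted intermediates.
verify_bundle() {
    vbdir=$(mktemp -d) || return 2
    split_bundle "$1" "$vbdir"
    set -- "$vbdir"/cert-*.pem
    if [ ! -e "$1" ]; then vbn=0; else vbn=$#; fi
    if [ "$vbn" -lt 2 ]; then
        echo "need at least leaf + issuer to verify, got $vbn certificate(s)" >&2
        rm -rf "$vbdir"; return 2
    fi
    vbleaf=$1; shift
    : > "$vbdir/untrusted.pem"
    while [ $# -gt 1 ]; do cat "$1" >> "$vbdir/untrusted.pem"; shift; done
    vbroot=$1
    if [ -s "$vbdir/untrusted.pem" ]; then
        openssl verify -CAfile "$vbroot" -untrusted "$vbdir/untrusted.pem" "$vbleaf"
    else
        openssl verify -CAfile "$vbroot" "$vbleaf"
    fi
    vbrc=$?
    rm -rf "$vbdir"
    return $vbrc
}

# Run both checks when a bundle path is given on the command line.
if [ -n "${1:-}" ]; then
    check_chain_order "$1" && verify_bundle "$1"
fi
```

Running it against the bundle from the `cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem` step should print three depths whose issuer at depth n equals the subject at depth n+1, report the last certificate as self-signed, and end with `cert-01.pem: OK` from `openssl verify`. An order error or a verify failure here is a server-side problem to fix before looking at any particular client; a clean result means the bundle itself is not what a client is objecting to.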