On 16/11/2020 09:54 lists@lazygranch.com <lists@lazygranch.com> wrote:
On Sun, 15 Nov 2020 17:31:07 -0500 Mike Schroeder <mikeschroe@gmail.com> wrote:
CentOS 7 Dovecot 2.2.36
Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<>
Was working fine for over a year, until the cert expired and I replaced it. I've tried the good cert I have for https and I used the Dovecot.org script to generate a self-signed certificate.
10-ssl.conf

## SSL settings
#ssl = required
ssl = yes
#ssl = no
ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt
ssl_key = </etc/pki/dovecot/private/mydomain.com.key
#ssl_ca =
#ssl_require_crl = yes
#ssl_client_ca_dir =
#ssl_client_ca_file =
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
#ssl_dh_parameters_length = 1024
#ssl_protocols = !SSLv3

# SSL ciphers to use
# old values
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =
===========================
# openssl x509 -dates -in mydomain.com.crt
notBefore=Nov 11 16:31:35 2020 GMT
notAfter=Nov 11 16:31:35 2022 GMT
-----BEGIN CERTIFICATE-----
:

# openssl pkey -in mydomain.com.key
-----BEGIN PRIVATE KEY-----
:
Thanks for taking a look. Any ideas on what I should do next to debug?
Mike
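One concrete debugging step for a "no shared cipher" failure is to check whether the certificate's key type and the configured cipher list can work together at all: a cipher suite authenticates with either RSA or ECDSA, so an ECDSA certificate paired with a client (or a server list) that only offers RSA-authenticated suites has nothing in common. The script below is an added example for this thread, not code from the poster or from Dovecot. It assumes the openssl command-line tool is on PATH; the host name mail.example.test, the throwaway certificates it generates and the cipher lists in the demo are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a Dovecot ssl_cipher_list
# leaves any TLS 1.2-and-older cipher that can authenticate with the key type
# in a given certificate. A certificate whose key type matches none of the
# offered suites is one way to end up with "no shared cipher".
# Assumes the openssl command-line tool is on PATH; mail.example.test and the
# cipher lists in demo() are constructed for this demonstration.
set -eu

# Print the public-key algorithm of a PEM X.509 certificate, as openssl
# prints it: "rsaEncryption" or "id-ecPublicKey".
cert_key_algo() {  # cert_key_algo CERT
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# Map the key algorithm to the "Au=" authentication tag that
# "openssl ciphers -v" prints for each suite.
cert_auth_tag() {  # cert_auth_tag CERT
  case "$(cert_key_algo "$1")" in
    rsaEncryption)  echo RSA ;;
    id-ecPublicKey) echo ECDSA ;;
    *)              echo UNKNOWN ;;
  esac
}

# List the suites in CIPHERLIST that can authenticate with CERT's key.
# TLS 1.3 suites are skipped: they do not pin the authentication algorithm,
# so they are never the reason for this particular mismatch.
usable_ciphers() {  # usable_ciphers CERT CIPHERLIST
  au="Au=$(cert_auth_tag "$1")"
  openssl ciphers -v "$2" |
    awk -v au="$au" '$2 != "TLSv1.3" && index($0, au) > 0 { print $1 }'
}

# Number of usable suites. 0 means a client that offers exactly this list
# will always be rejected with "no shared cipher" by this certificate.
usable_cipher_count() {  # usable_cipher_count CERT CIPHERLIST
  usable_ciphers "$1" "$2" | wc -l | tr -d ' '
}

# Generate a throwaway self-signed certificate (rsa or ec) into DIR and
# print its path. For offline demonstration only.
make_test_cert() {  # make_test_cert rsa|ec DIR
  if [ "$1" = rsa ]; then
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
  else
    openssl ecparam -name prime256v1 -genkey -noout -out "$2/$1.key"
  fi
  openssl req -x509 -new -key "$2/$1.key" -out "$2/$1.crt" \
    -subj /CN=mail.example.test -days 1 2>/dev/null
  echo "$2/$1.crt"
}

# Demonstration: an ECDSA-only list and a mixed list against both key types.
demo() {
  dir=$(mktemp -d)
  rsa=$(make_test_cert rsa "$dir")
  ec=$(make_test_cert ec "$dir")
  ecdsa_only='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384'
  mixed='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
  for cert in "$rsa" "$ec"; do
    printf '%s key: %s usable with the ECDSA-only list, %s with the mixed list\n' \
      "$(cert_auth_tag "$cert")" \
      "$(usable_cipher_count "$cert" "$ecdsa_only")" \
      "$(usable_cipher_count "$cert" "$mixed")"
  done
  rm -rf "$dir"
}

demo
```

To apply it to a real server, call usable_ciphers with the file named in ssl_cert and the exact string from ssl_cipher_list; an empty result from the server's own list means no client can ever connect, while a non-empty one points at the client side, which you can probe from outside with openssl s_client (for example with -connect host:995, or -starttls pop3 on port 110) using the same cipher list.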
I remembered this problem was posted and still had the reply post from Viktor. This may or may not be relevant. A search on this text will probably drag up the whole thread.
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?) support ECDSA. You'd need an additional RSA certificate to interoperate with their sending MTA's limited STARTTLS cipher/protocol repertoire.
When this thread went around I looked at my logs and found some no auth complaints in my dovecot log. I believe they were trying to use SSLv3 to hack my server, or at least see if it is hackable. Since my email server is a personal one and the attack was from a hosting company, I blocked the server's IP space.
The weird thing is that I get your error now myself, but not consistently. Here is an example.
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<rXchrDG06qvGx2p9>
Nov 16 04:18:37 imap-login: Info: Login: user=<me@mydomain.com>, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=<DSIjrDG05KvGx2p9>
However the problem isn't present at the moment.
Dovecot supports an alternative certificate if you have problems with ECDSA and need to use RSA for them.
See https://doc.dovecot.org/settings/core/#ssl-alt-cert
Aki
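What the ssl_alt_cert setting looks like in 10-ssl.conf, as an added illustration of Aki's suggestion rather than a snippet from the thread or from the Dovecot documentation: the primary pair stays ECDSA and the alternative pair is RSA, so a client that cannot do ECDSA still finds a certificate it can use. The file names are assumptions; ssl_alt_cert and ssl_alt_key were introduced in Dovecot 2.2.31, so they are available on the 2.2.36 in the original report.

```conf
ssl = yes

# Primary certificate and key (ECDSA in this example).
ssl_cert = </etc/pki/dovecot/certs/mydomain.com.ecdsa.crt
ssl_key = </etc/pki/dovecot/private/mydomain.com.ecdsa.key

# Alternative certificate and key, offered to clients whose cipher
# repertoire cannot authenticate an ECDSA certificate (RSA here).
# Both certificates must cover the same host names.
ssl_alt_cert = </etc/pki/dovecot/certs/mydomain.com.rsa.crt
ssl_alt_key = </etc/pki/dovecot/private/mydomain.com.rsa.key
```

After a restart, `doveconf -n | grep ssl_alt` shows whether the settings were picked up, and the same log line that reported "no shared cipher" should stop appearing for clients that were only able to negotiate RSA-authenticated suites.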