All sage advice. I've gone back to basics, and installed the root CA on the phone via Safari rather than email (Apple's mobile config package). I discovered just now, to my horror, after some frustration that one logging option wasn't working, that my binary is picking up a different config file ;( so I need to go back and go through the differences now and see what I was actually running. Hopefully this will clean things up. I think your point #3 is the most useful ;) I'm mainly doing this because it was the Dovecot default and I like security, but for this much aggravation I probably don't need it. I was running without client certs for mail retrieval happily for a long time.
Darren
I think that is likely to be a red herring. The only thing you get in this circumstance from a commercial cert is (hopefully) rigorous technical correctness in the cert construction and signing. If you want to use client certs, you will have to manage your own PKI to some degree anyway, and that means getting all of the details right *with understanding*, not just finding a cargo-cult fix. I think you are doing the right thing in trying to get this working with your own certs, as that painful process assures that you will gain useful clues.
- make the public CA cert available via webserver (I have installed the root cert via email and that didn't help).
I will try installing the root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self-signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth; life is too short. I'd still love an error message that meant something ;)
You may find it easiest to debug the certs using a web server and Safari on the iPhone rather than Dovecot and Mail, because you are likely to be able to instrument it better, get better error descriptions from the client, and be given more options on how to fix the problem.
Since you have CA, server, and client certs, it might help to not think of these as "self-signed" since at most only the CA really is that. The server cert and the client certs are signed by the CA cert, and the only difference between this setup and one using commercial certs is that you have to get your CA cert treated and trusted in the same way as a commercial root CA cert *by both ends*.
Client certs do not really add a great deal of security over just requiring auth to be done inside a TLS session. In some ways they are a security trade-off, rather than a clear improvement. If your PKI and device config processes are not very rigorous, you can end up in a risky circumstance by trusting client certs that you are dropping onto devices that can easily land in the wrong hands. I can say from first-hand experience that the iPhone version of Mail will work with Dovecot using a real self-signed cert and only allowing auth inside an encrypted session, so you do not need to completely throw security overboard.
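The two points above, that only the CA cert is really self-signed and that it has to be trusted by both ends, can be checked from a shell before Dovecot or Mail are involved. The script below is an added example, not code from this thread or from Dovecot: it builds a throwaway CA, signs a server and a client cert with it, verifies that each one chains to the CA, and confirms that the client cert carries the clientAuth extended key usage (a client cert without it is simply never offered by the client, which produces exactly the kind of silent failure described above). The CA name, host name, PKCS#12 passphrase and temporary directory are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway private PKI built with
# openssl, plus the checks that usually explain a client-cert failure.
# Names, host name, passphrase and the work directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/pki.cnf"

# Extension profiles for each role. The client profile carries
# extendedKeyUsage=clientAuth; without it most TLS clients ignore the identity.
write_config() {
    cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Only the CA is self-signed; server and client certs are signed by the CA.
make_pki() {
    [ -f "$WORK/client.crt" ] && return 0
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$CFG" -extensions v3_ca -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
            -subj "/CN=$role.example.invalid" \
            -keyout "$WORK/$role.key" -out "$WORK/$role.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 365 -in "$WORK/$role.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$CFG" -extensions "$role" -out "$WORK/$role.crt" 2>/dev/null
    done
}

# Check 1: the cert chains to the CA cert the other end has been told to trust
# (on the Dovecot side that is the file named in ssl_ca).
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Check 2: the cert carries the key usage its role needs.
has_text()       { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"; }
is_client_cert() { has_text "$1" "TLS Web Client Authentication"; }
is_server_cert() { has_text "$1" "TLS Web Server Authentication"; }
is_ca_cert()     { has_text "$1" "CA:TRUE"; }

# Bundle the client identity (key, cert and CA) for installation on the phone.
bundle_client() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "mail client" \
        -passout pass:changeme -out "$WORK/client.p12" 2>/dev/null
    [ -s "$WORK/client.p12" ]
}

make_pki
for role in server client; do
    if verify_chain "$role"; then echo "$role.crt chains to ca.crt"; else echo "$role.crt does NOT chain to ca.crt"; fi
done
is_client_cert client && echo "client.crt has the clientAuth EKU"
is_server_cert client || echo "client.crt correctly lacks the serverAuth EKU"
bundle_client && echo "client.p12 written to $WORK"
```

The server end of the same checks is `ssl_ca` pointing at ca.crt together with `ssl_verify_client_cert = yes` and `auth_ssl_require_client_cert = yes` in the Dovecot configuration; `openssl s_client -connect host:993 -cert client.crt -key client.key -CAfile ca.crt` then exercises that end from a shell with far more verbose errors than Mail gives. Note that OpenSSL 3 writes PKCS#12 files with newer encryption by default; if an older importer refuses the bundle, re-run the export with `-legacy`.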