Hi,
I have been trying to set up Dovecot over SSL for the last couple of days, unsuccessfully.
My notes are from here: http://wiki.dovecot.org/SSL
My OpenSSL commands are:
mkdir -pv /opt/certificates/dovecot/
cd !$
(just to prevent questions about Common Name)
[ebal@myhome:~]€ hostname
myhome
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
# Country Name (2 letter code) [AU]:GR
# State or Province Name (full name) [Some-State]:Athens
# Locality Name (eg, city) []:Aigaleo
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
# Organizational Unit Name (eg, section) []:Mail Apps
# Common Name (eg, YOUR name) []:myhome
# Email Address []:ebalaskas@ebalaskas.gr
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
    -name "dovecot Certificate Client" -out dovecot.p12
openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
I've imported dovecot.p12 into the Thunderbird certificates and dovecot.crt into the Thunderbird authorities (I've tried Claws Mail too - same errors).
My dovecot.conf is this:
[root@myhome dovecot]# dovecot -n
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686 ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
ssl_key_file: /opt/certificates/dovecot/dovecot.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX
mail_debug: yes
lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
My /var/log/dovecot.log:
Jul 30 20:14:52 Info: Dovecot v1.2.2 starting up (core dumps disabled)
Jul 30 20:14:52 Info: Generating Diffie-Hellman parameters for the first time. This may take a while..
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5872
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5873
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5874
Jul 30 20:15:16 ssl-build-param: Info: SSL parameters regeneration completed
Jul 30 20:15:17 auth(default): Info: new auth connection: pid=5898
Jul 30 20:15:18 imap-login: Info: Disconnected (client didn't send a cert): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Any ideas?
Evaggelos Balaskas Unix System Engineer - http://ebalaskas.gr/wiki Informatics Engineer Technological Education
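
Added example, not part of the original post: a shell check of which PEM block types a file intended for ssl_ca_file actually contains. It assumes, per the Dovecot SSL documentation, that the file should hold the CA certificate(s) followed by the matching CRL(s); the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the post. Assumption: Dovecot reads ssl_ca_file as
# PEM holding the CA certificate(s) followed by the matching CRL(s).

# List PEM block types in file order; exit 1 on unterminated/mismatched blocks.
pem_block_types() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") bad = 1
            cur = substr($0, 12, length($0) - 16); next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            kind = substr($0, 10, length($0) - 14)
            if (kind == cur) print kind; else bad = 1
            cur = ""; next
        }
        END { if (cur != "" || bad) exit 1 }
    ' "$1"
}

# Print a verdict for a candidate ssl_ca_file; return non-zero if unusable.
check_ca_file() {
    types=$(pem_block_types "$1") || { echo "malformed"; return 2; }
    certs=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$' || true)
    crls=$(printf '%s\n' "$types" | grep -c '^X509 CRL$' || true)
    if [ "$certs" -eq 0 ]; then echo "no-ca-certificate"; return 1; fi
    if [ "$crls" -eq 0 ]; then echo "no-crl"; return 1; fi
    echo "ok certs=$certs crls=$crls"
}

# Constructed sample input: placeholder bodies, only the PEM framing matters.
write_pem() {  # usage: write_pem <file> <block type>...
    out=$1; shift; : > "$out"
    for kind in "$@"; do
        printf '%s\n' "-----BEGIN $kind-----" "Q09OU1RSVUNURUQ=" "-----END $kind-----" >> "$out"
    done
}

d=$(mktemp -d)
write_pem "$d/crl-only.pem" "X509 CRL"                 # a file holding only a CRL
write_pem "$d/ca-and-crl.pem" "CERTIFICATE" "X509 CRL" # CA certificate, then CRL
for f in "$d"/*.pem; do
    echo "${f##*/}: $(check_ca_file "$f" || true)"
done
rm -rf "$d"
```

On real files, `openssl x509 -in FILE -noout -subject` and `openssl crl -in FILE -noout -text` show what each block contains.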