Re: [Dovecot] SSL with startssl.com certificates

8 Oct 2013


      On 2013-10-07 13:57, Bruno Tréguier wrote:
...
Le 06/10/2013 à 22:42, Dan Langille a écrit :
After a long delay, I'm ready to tackle this again.
[...]
Testing via the command line gives:
$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Ok, this is fine, and different from the result you were getting a few
weeks ago. Your cert chain is ok, it seems. The "errornum=19:self
signed
certificate in certificate chain" is a "normal" errot, due to the fact
that you didn't tell openssl where to find a list of valid root certs.
All looks good.
/var/log/maillog shows:
Oct  6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>,
method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS,
session=<fYUwEhjoVgBib5Pc>
Oct  6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out
in=26 out=691
I have Thunderbird working just fine on my Macbook.
But my goal is mail.app on my iPhone and my Macbook.  When they try to
connect, the mail server logs are:
Oct  6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [98.111.147.220]
Oct  6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth
attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197,
TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>
Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17
installation.  That's my current IMAP server.  I'm moving to another
server and failing so far.
Suggestions to use another client app or platform will not be
entertained, because, clearly, this works with dovecot 1.
Well, sorry but no further suggestions as far as I'm concerned then,
except that some people tend to think that mail.app is pretty crappy
and
behaves quite strangely in certain situations...
I have given up. As much as I'd like to solve this problem, I must move
on.  I will resort to self-signed certificates.[1]  I had hoped to
resolve the issue so that others can use the solution.
My thanks to those that have offered suggestions and help.
[1] - FYI, I am the only user of this IMAP server.
--
Dan Langille - http://langille.org/