On Tue, 2020-03-31 at 09:06 +0300, Aki Tuomi wrote:
On 30/03/2020 22:11 Ben Mulvihill ben.mulvihill@gmail.com wrote:
I am trying to backup a gmail account (not the one I am writing from) to dovecot, using doveadm-backup and imapc, but am having ssl connection problems.
ted@expectation:~# doveadm backup -D -R -u ted imapc: dsync(ted): Info: imapc(imap.gmail.com:993): Connected to 74.125.71.108:993 (local 10.7.1.179:53852) dsync(ted): Warning: imapc(imap.gmail.com:993): Server disconnected unexpectedly: SSL_connect() failed: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: SSL alert number 40 - reconnecting (delay 0 ms) dsync(ted): Info: imapc(imap.gmail.com:993): Connected to 74.125.71.109:993 (local 10.7.1.179:59052) dsync(ted): Error: imapc(imap.gmail.com:993): Server disconnected unexpectedly: SSL_connect() failed: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: SSL alert number 40 - disconnecting dsync(ted): Error: User initialization failed: imapc: Login to imap.gmail.com failed: Disconnected from serv
I am using dovecot version 2.2.33.2 on ubuntu, with the configuration below. I have also enabled "allow access from unsecure apps" in my gmail settings.
My first thought looking at the error messages was has that perhaps doveadm-backup was trying to connect with ssl3, which is no longer supported by gmail or anyone else nowadays. But apparently the ssl3_read_bytes function in openssl also handles tls, so the reference to ssl3 in the message is misleading, and the real problem must be elsewhere.
If anyone can help me debug this I'd be grateful.
Many thanks, Ben
root@expectation:/etc/dovecot# doveconf -N # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
Hi!
This is very old version of dovecot so this could be a bug that has been fixed in more recent version.
Can you verify that you have the required CA certs with
openssl s_client -connect imap.gmail.com:993 -servername imap.gmail.com -CApath /etc/ssl/certs
and make sure the cert gets validated by openssl.
If it does, then you should probably consider upgrading to some more recent version. We provide packages at https://repo.dovecot.org if you are able to upgrade.
Aki
Hi Aki!
I checked the CA certificate and it was validated OK, so I followed your suggestion and installed dovecot version 2.3.10 from the dovecot repository (the version I was using previously was the latest available in my distribution).
The ssl handshake now completes successfully. I have hit further problems later in the process, but I'll investigate myself first and then maybe post again with the details if I am still stuck.
Thank you for your help!
Ben