I've successfully gone back and forth with using the same cert and
key that works with my mail client and an alternate mail server
(courier-imap) but seems to not work with Dovecot/Apple Mail.
I've also tested with openssl s_client commands (shown below). So
given a particular cert/key the situation looks like this:
Courier + Apple Mail: works
Courier + Thunderbird: works
Dovecot + Apple Mail: doesn't work
Dovecot + Thunderbird: works
I found an old message on the mailing list that basically just said
that Apple Mail isn't working with IMAP-SSL support on dovecot, but
that seems like it must be a bug that hopefully would be fixed (if it
hasn't been already).
Does anyone else have info or experience with that?
.tim
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
verify return:1
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
   i:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
Server certificate
-----BEGIN CERTIFICATE-----
MIIDoTCCAwqgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEaMBgGA1UE
ChMRRGVzaWduMXN0IERvdCBPcmcxGzAZBgNVBAMTEm1haWwuZGVzaWduMXN0Lm9y
ZzEnMCUGCSqGSIb3DQEJARYYZDFzdC1hZG1pbkBkZXNpZ24xc3Qub3JnMB4XDTA1
MTEwNTA2NDIwNFoXDTMzMDMyMjA2NDIwNFowgZgxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxGjAYBgNVBAoTEURl
c2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2lnbjFzdC5vcmcxJzAl
BgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9yZzCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAueMIqNJGCB9QIZXBZw+17iT06feMdyzi0p7rB5xt
3nz/nTSMRFTIzmabN0tR8wFJ1oA3TlHFKQ51x08ZSUPLHmVo61xZIn392mwDL9Zn
ozh3FreVXkKHMhANvwTV2kqMcOJzeyNgENO0YSl6iv1MydMAM2OGbC6FdHAz6dHG
4GkCAwEAAaOB+DCB9TAdBgNVHQ4EFgQUF985KOsukGEGsY1eyBgWouDOVxIwgcUG
A1UdIwSBvTCBuoAUF985KOsukGEGsY1eyBgWouDOVxKhgZ6kgZswgZgxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUx
GjAYBgNVBAoTEURlc2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2ln
bjFzdC5vcmcxJzAlBgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9y
Z4IBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBABwOsxpHng49aC9u
eRe1a3wn5tyZDPq5YQqpACHvz5JRX54y6Dh+PB2Y0Qim6/Ihf2r91D/WnFwULHvX
gllx6L4DnoB5Zq8+P+4B8m27VqgzaJAeIawXm0hXAl7E8UTUCXFCCUvuHmzVqHKl
dtAuA5z38boKKywg6U1HUhbuAmd8
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
issuer=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
No client certificate CA names sent
SSL handshake has read 1497 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 24AA32335F51E58F94067A09F44DEF049D7B4588490046E04F9C31E91D1BF006
Session-ID-ctx:
Master-Key: 9CFE3120D1363C82003E74B01CFAAA22224BE44CCDC6915F743A9CB3593240CCFDE43795FCF2A1E03242C9282B28CB3F
Key-Arg : None
Start Time: 1158300051
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
- OK Dovecot ready.
On Sep 9, 2006, at 9:43pm, OpenMacNews wrote:
given what i'm seeing below, i'm going to suggest that you step-by-step it 1st with your own, home-grown CA cert ... just to see what's happening
dovecot.cert: /CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
/CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
/CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
OK
all my self-signed certs look like this:
design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=design1st.org
error 18 at 0 depth lookup:self signed certificate
OK
This seemed more interesting, but also didn't help me:
design1st:/usr/local/openssl/certs root# openssl s_client -connect localhost:10943 -showcerts
CONNECTED(00000003)
depth=0 /CN=mail.design1st.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/CN=mail.design1st.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
Server certificate
subject=/CN=mail.design1st.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
No client certificate CA names sent
SSL handshake has read 1681 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
Session-ID-ctx:
Master-Key: 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE286C0008197298EC8A16CE8D11BF4B
Key-Arg : None
Start Time: 1157850811
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
- OK Dovecot ready.
1st, take each of the errors and google on it ... there's lots of info out there.
unfortunately, you're gonna have to match what you find with your particular circumstance(s).
that said ... lemme guess at something here:
have you IMPORTED the cert into mail.app?
why do i ask? cref here:
Mac OS X Mail.app (native eMail application) for Signing / Encrypting
http://wiki.cacert.org/wiki/EmailCertificates
"these steps were needed because Apple does not ship with the cacert Root CA Certificate"
richard
OpenMacNews at gmail dot com
GPG fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
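As an added example (not code from either message in this thread), here is a small Python script that reads the kind of `openssl s_client -showcerts` output shown above and states, from the `Certificate chain` block and the `Verify return code`, which of the two situations the server is in: a self-signed certificate (code 18, the first run) or a leaf issued by a CA the server does not send and the client does not ship (codes 20/21, the CAcert run). The two sample outputs are constructed to mirror the runs quoted above, and every function, class and constant name is this example's own.

```python
"""Read `openssl s_client -connect HOST:PORT -showcerts` output and explain the result.
Added example for this thread, not code posted by tim or richard: it parses the
'Certificate chain' block (' N s:' / '   i:' lines) and the 'Verify return code' line
that s_client prints, then says whether the server presents a self-signed certificate,
a chain up to a root it also sent, or a leaf whose issuer the client must already trust
(the error 20/21 case). Samples are constructed to mirror the thread; names are the example's own.
"""
import re
from dataclasses import dataclass, field

# Verify codes seen in the thread, with the text openssl prints for them.
VERIFY_CODES = {
    0: "ok",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    27: "certificate not trusted",
}
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.+)$")  # ' 0 s:/CN=...'
ISSUER_LINE = re.compile(r"^\s*i:(.+)$")         # '   i:/O=Root CA/...'
VERIFY_LINE = re.compile(r"^\s*Verify return code:\s*(\d+)", re.M)

@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

@dataclass
class Diagnosis:
    verify_code: int
    chain: list = field(default_factory=list)
    finding: str = ""

def verify_text(code: int) -> str: return VERIFY_CODES.get(code, "unknown code")

def parse_chain(output: str) -> list:
    """Certificates the server sent, in the order s_client printed them (leaf first)."""
    entries, pending = [], None
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_LINE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return entries

def diagnose(output: str) -> Diagnosis:
    chain = parse_chain(output)
    m = VERIFY_LINE.search(output)
    d = Diagnosis(verify_code=int(m.group(1)) if m else -1, chain=chain)
    if not chain:
        d.finding = "no 'Certificate chain' block found (handshake failed, or -showcerts missing)"
        return d
    for lower, upper in zip(chain, chain[1:]):  # each cert must be issued by the next one sent
        if lower.issuer != upper.subject:
            d.finding = ("chain broken at depth %d: '%s' was issued by '%s' but the next "
                         "certificate sent is '%s'" % (lower.depth, lower.subject, lower.issuer, upper.subject))
            return d
    top = chain[-1]
    if top.self_signed and len(chain) == 1:
        d.finding = ("server presents a self-signed certificate; every client must trust this "
                     "exact certificate (openssl reports code 18)")
    elif top.self_signed:
        d.finding = ("server sent its full chain up to the root '%s'; clients still need that "
                     "root in their trust store" % top.subject)
    else:
        d.finding = ("server sent %d certificate(s) but not the issuer '%s'; a client that does "
                     "not already trust that issuer fails (openssl reports code 20/21)"
                     % (len(chain), top.issuer))
    return d

# Constructed excerpts shaped like the two s_client runs quoted in the thread.
SAMPLE_SELF_SIGNED = """\
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org
   i:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=mail.design1st.org
Verify return code: 18 (self signed certificate)
"""
SAMPLE_CACERT_LEAF_ONLY = """\
Certificate chain
 0 s:/CN=mail.design1st.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    for name, sample in (("self-signed", SAMPLE_SELF_SIGNED), ("cacert leaf", SAMPLE_CACERT_LEAF_ONLY)):
        d = diagnose(sample)
        print("%s: code %d (%s)\n  %s" % (name, d.verify_code, verify_text(d.verify_code), d.finding))
```

In practice you would pipe a live run into it (`openssl s_client -connect mail.design1st.org:993 -showcerts < /dev/null | python3 thisfile.py` with a stdin reader added), but the point it makes is already visible in the two samples: the CAcert run does not fail because the certificate is bad, it fails because the only certificate sent is one whose issuer is neither sent nor in the client's trust store, so any client that does not ship the CAcert root (as richard notes for Mail.app) has nothing to chain to.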