Hello list,
dovecot ran rock-solid on OSX Mavericks for about 1 year replicating my mail between 2 servers via dsync with SSL as that is well described here: http://wiki2.dovecot.org/Replication
After upgrading to 2.2.15, dsync gets stuck with the error "Received invalid SSL certificate" even though none of the dovecot configs, certs, keys or the CA have changed! When I simply comment out SSL and switch dsync to use tcp (instead of tcps), replication still works like a charm.
Please help me to get SSL back working!
I did a lot of testing and came up with a concrete QUESTION below, hopefully leading the way out of this trap.
What happened
2 days before I upgraded one of the machines to OSX Yosemite. Along with this, I also upgraded to dovecot 2.2.15 via homebrew (unfortunately on both machines at once). During this process, also openssl was updated to "OpenSSL 1.0.1k 8 Jan 2015".
When I check the unchanged certs against the CA, however, the result is still "OK".
1st check: OK
sudo /usr/bin/openssl verify -CAfile /etc/ssl/ca/dovecotCA.pem /etc/ssl/certs/dovecot_on27_signed_cert.pem
Password:
/etc/ssl/certs/dovecot_on27_signed_cert.pem: OK
2nd check: OK (providing the CAfile and connecting to the doveadm_port)
openssl s_client -CAfile /etc/ssl/ca/dovecotCA.pem -connect on27.linkpc.net:8082
CONNECTED(00000003)
depth=1 CN = dovecotCA2, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = mc@aiguphonie.com
verify return:1
depth=0 CN = on27.linkpc.net, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = mc@aiguphonie.com
verify return:1
Certificate chain
 0 s:/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
   i:/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
Server certificate
-----BEGIN CERTIFICATE-----
dmVjb3RDQTIxEDAOBgNVBAoMB2RvdmVjb3QxEDAOBgNVBAsMB2RvdmVjb3QxEDAO
[...]
+g==
-----END CERTIFICATE-----
subject=/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
issuer=/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
No client certificate CA names sent
SSL handshake has read 1709 bytes and written 487 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C4DDBA1FA50039FA5D94EF2359BA037B3903D66B6B637CA0733A9216BFCC3996
Session-ID-ctx:
Master-Key: 0495D21CA11AA54856D78B48C3DBE9B70EFFB65F13224B430D2B4B2F80F12BE5A89F31454F9577F22F5DDC26FDBAAFAC
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[...]
0090 - 2d 97 37 15 bd a9 be 68-c1 79 fa dd d8 75 76 3f -.7....h.y...uv?
Compression: 1 (zlib compression)
Start Time: 1421443766
Timeout : 300 (sec)
Verify return code: 0 (ok)
Yet, testing dsync yields: ERROR
sudo -u _vmail doveadm -v sync -u test tcps:on27.linkpc.net
Password:
doveadm(test): Info: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
doveadm(test): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
doveadm(test): Fatal: Disconnected from remote: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
QUESTION
So the question clearly is, how exactly does dovecot check the cert against the CA? Is there a call to the openssl command, or is the library linked into doveadm? If linked, what version is used and how can I possibly change it?
or:
What's wrong with my CA and cert(s) all of a sudden? How can I create a new CA for two certs fitting the (new) needs of doveadm?
THANK YOU!
==========================================================================================
Here are my full but rather simple configs of both machines:
1st machine: Yosemite
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 14.0.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/dovecot/error
mail_home = /var/vmail/%n
mail_location = maildir:~/mail
mail_plugin_dir = /usr/local/lib/dovecot
mail_plugins = " notify replication"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_on27/passwd.dovecot
  driver = passwd-file
}
plugin {
  mail_replica = tcps:nephelism.linkpc.net
  replication_full_sync_interval = 1 hour
}
protocols = imap
service aggregator {
  fifo_listener replication-notify-fifo {
    user = _vmail
  }
  unix_listener replication-notify {
    user = _vmail
  }
}
service auth {
  unix_listener auth-userdb {
    group = _vmail
    mode = 0666
    user = _vmail
  }
}
service doveadm {
  inet_listener {
    port = 8082
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = _vmail
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot_on27_signed_cert.pem
ssl_client_ca_file = /etc/ssl/ca/dovecotCA.pem
ssl_key = </etc/ssl/private/dovecot_on27_signed_key_noenc.pem
userdb {
  args = username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_on27/userdb.dovecot
  driver = passwd-file
}
protocol imap {
  mail_max_userip_connections = 40
}
==========================================================================================
2nd machine: Mavericks
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 13.1.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/dovecot/error
mail_home = /var/vmail/%n
mail_location = maildir:~/mail
mail_plugin_dir = /usr/local/lib/dovecot
mail_plugins = " notify replication"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_nephelism/passwd.dovecot
  driver = passwd-file
}
plugin {
  mail_replica = tcps:on27.linkpc.net
  replication_full_sync_interval = 1 hour
}
protocols = imap
service aggregator {
  fifo_listener replication-notify-fifo {
    user = _vmail
  }
  unix_listener replication-notify {
    user = _vmail
  }
}
service auth {
  unix_listener auth-userdb {
    group = _vmail
    mode = 0666
    user = _vmail
  }
}
service doveadm {
  inet_listener {
    port = 8082
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = _vmail
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot_nephelism_signed_cert.pem
ssl_client_ca_file = /etc/ssl/ca/dovecotCA.pem
ssl_key = </etc/ssl/private/dovecot_nephelism_signed_key_noenc.pem
userdb {
  args = username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_nephelism/userdb.dovecot
  driver = passwd-file
}
protocol imap {
  mail_max_userip_connections = 40
}
-- 
Fetch my gnupg key: gpg --keyserver pgp.mit.edu --recv-keys 7E3CA33F
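Added example, not from the original post or from the Dovecot project: a small POSIX shell helper that narrows down the gap between "openssl verify: OK" and doveadm's "certificate signature failure" by checking which libssl the doveadm binary and the openssl CLI each load, the signature algorithm of the CA and leaf certs on disk, whether the cert served on doveadm_port matches the ssl_cert file, and whether the CA validates the leaf. The doveadm binary path, hosts, ports and file names passed to diagnose are assumptions for your own setup.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed inputs: path of the doveadm
# binary, replica host/port, CA file and leaf cert file of your own setup.
# "certificate signature failure" is OpenSSL's text for the verify error
# X509_V_ERR_CERT_SIGNATURE_FAILURE: the CA in the store did not validate the signature.

# Which libssl/libcrypto does a binary actually load? (otool on macOS, ldd elsewhere)
ssl_lib_of() {
    if command -v otool >/dev/null 2>&1; then
        otool -L "$1" | grep -i -E 'libssl|libcrypto'
    else
        ldd "$1" | grep -i -E 'libssl|libcrypto'
    fi
}

# Signature algorithm recorded in a PEM certificate (first occurrence in -text output)
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# SHA-256 fingerprint of a PEM certificate, printed as AB:CD:...
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fingerprint of the certificate the TLS server on host:port actually presents
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit status 0 when CA_FILE ($1) validates CERT_FILE ($2), non-zero otherwise
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check against one replica. Differing fingerprints mean the server is not
# serving the ssl_cert file; differing libssl lines mean the CLI test and doveadm
# do not share the same verification code.
diagnose() {
    doveadm_bin=$1 host=$2 port=$3 ca_file=$4 cert_file=$5
    echo "doveadm links:";     ssl_lib_of "$doveadm_bin"
    echo "openssl CLI links:"; ssl_lib_of "$(command -v openssl)"
    echo "CA sig alg:   $(cert_sig_alg "$ca_file")"
    echo "cert sig alg: $(cert_sig_alg "$cert_file")"
    echo "on-disk cert: $(cert_fingerprint "$cert_file")"
    echo "served cert:  $(served_cert_fingerprint "$host" "$port")"
    verify_chain "$ca_file" "$cert_file" && echo "chain: OK" || echo "chain: FAIL"
}
```

With the paths from the configs above and an assumed Homebrew doveadm location, a run looks like `diagnose /usr/local/bin/doveadm on27.linkpc.net 8082 /etc/ssl/ca/dovecotCA.pem /etc/ssl/certs/dovecot_on27_signed_cert.pem`.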