dsync SSL fails since 2.2.15

17 Jan 2015


      Hello list,
dovecot ran rock-solid on OSX Mavericks for about 1 year replicating my mail between 2 servers via dsync with SSL as that is well described here: http://wiki2.dovecot.org/Replication
After upgrading to 2.2.15, dsync gets stuck with the Error: "Received invalid SSL certificate" even though neither any of the dovecot configs nor the certs, keys or the CA have changed!
When I simply outcomment SSL and switch dsync to use tcp (instead of tcps) everthing replications still works like a charm.
Please help me to get SSL back working!
I did a lot of testing and come up with a concrete QUESTION below, hopefully leading the way out of this trap.
What happend
2 days before I upgraded one of the machines to OSX Yosemite.
Along with this, I also upgraded to dovecot 2.2.15 via homebrew (unfortunately on both machines at once).
During this process, also openssl was updated to "OpenSSL 1.0.1k 8 Jan 2015".
If checking the unchanged certs against the CA, however, the results are still "OK".
1st check: OK
sudo /usr/bin/openssl verify -CAfile /etc/ssl/ca/dovecotCA.pem /etc/ssl/certs/dovecot_on27_signed_cert.pem
Password:
/etc/ssl/certs/dovecot_on27_signed_cert.pem: OK
2nd check: OK (providing the CAfile and connecting to the doveadm_port)
openssl s_client -CAfile /etc/ssl/ca/dovecotCA.pem -connect on27.linkpc.net:8082
CONNECTED(00000003)
depth=1 CN = dovecotCA2, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = mc@aiguphonie.com
verify return:1
depth=0 CN = on27.linkpc.net, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = mc@aiguphonie.com
verify return:1
Certificate chain
0 s:/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
i:/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
Server certificate
-----BEGIN CERTIFICATE-----
dmVjb3RDQTIxEDAOBgNVBAoMB2RvdmVjb3QxEDAOBgNVBAsMB2RvdmVjb3QxEDAO
[...]
+g==
-----END CERTIFICATE-----
subject=/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
issuer=/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
No client certificate CA names sent
SSL handshake has read 1709 bytes and written 487 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C4DDBA1FA50039FA5D94EF2359BA037B3903D66B6B637CA0733A9216BFCC3996
Session-ID-ctx:
Master-Key: 0495D21CA11AA54856D78B48C3DBE9B70EFFB65F13224B430D2B4B2F80F12BE5A89F31454F9577F22F5DDC26FDBAAFAC
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[...]

0090 - 2d 97 37 15 bd a9 be 68-c1 79 fa dd d8 75 76 3f   -.7....h.y...uv?
Compression: 1 (zlib compression)
Start Time: 1421443766
Timeout   : 300 (sec)
Verify return code: 0 (ok)


Yet, testing dsync yields: ERROR
sudo -u _vmail doveadm -v sync -u test tcps:on27.linkpc.net
Password:
doveadm(test): Info: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
doveadm(test): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
doveadm(test): Fatal: Disconnected from remote: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com
QUESTION
So the question clearly is, how does dovecot check the cert against the CA exactly?
Is there a call to the openssl cmd or is the library linked into dovecotadm?
If liked, what version is used and how can I possibly change it?
or:
What's wrong with my CA and cert(s) all of a sudden?
How can I create new CA for two certs fitting the (new) needs of dovecotadm?
THANK YOU!
==========================================================================================
Here are my full but rather simple configs of both machines:
1st machine: Yosemite
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 14.0.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/dovecot/error
mail_home = /var/vmail/%n
mail_location = maildir:~/mail
mail_plugin_dir = /usr/local/lib/dovecot
mail_plugins = " notify replication"
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_on27/passwd.dovecot
driver = passwd-file
}
plugin {
mail_replica = tcps:nephelism.linkpc.net
replication_full_sync_interval = 1 hour
}
protocols = imap
service aggregator {
fifo_listener replication-notify-fifo {
user = _vmail
}
unix_listener replication-notify {
user = _vmail
}
}
service auth {
unix_listener auth-userdb {
group = _vmail
mode = 0666
user = _vmail
}
}
service doveadm {
inet_listener {
port = 8082
ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0600
user = _vmail
}
}
ssl = required
ssl_cert = 
==========================================================================================
2nd machine: Mavericks
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 13.1.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/dovecot/error
mail_home = /var/vmail/%n
mail_location = maildir:~/mail
mail_plugin_dir = /usr/local/lib/dovecot
mail_plugins = " notify replication"
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot_authDBs/authDBs_nephelism/passwd.dovecot
driver = passwd-file
}
plugin {
mail_replica = tcps:on27.linkpc.net
replication_full_sync_interval = 1 hour
}
protocols = imap
service aggregator {
fifo_listener replication-notify-fifo {
user = _vmail
}
unix_listener replication-notify {
user = _vmail
}
}
service auth {
unix_listener auth-userdb {
group = _vmail
mode = 0666
user = _vmail
}
}
service doveadm {
inet_listener {
port = 8082
ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0600
user = _vmail
}
}
ssl = required
ssl_cert = 
--
Fetch my gnupg key:
gpg --keyserver pgp.mit.edu --recv-keys 7E3CA33F

dsync SSL fails since 2.2.15

Martin Carlé

What happend

1st check: OK

2nd check: OK (providing the CAfile and connecting to the doveadm_port)

Certificate chain 0 s:/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com i:/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=mc@aiguphonie.com

No client certificate CA names sent

SSL handshake has read 1709 bytes and written 487 bytes

Yet, testing dsync yields: ERROR

QUESTION

========================================================================================== Here are my full but rather simple configs of both machines:

==========================================================================================