I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or wont that connect either? tried pop3 TLS ? pop3s?
and when you test, use -CAfile /path/to/(startssl's)CA.pem
I see no auth mech statement, so using hte default is limited, IIRC, login is re
auth_mechanisms = plain login
On 10/10/2013 10:51, Dan Langille wrote:
On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
On 10/10/2013 06:09, Eliezer Croitoru wrote:
I would imaging that 4k bits certificate handshake and validation can take more then 1 sec.. Am I right about it?
hardly
and the size is not his problem.
he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
I would like to investigate that more if you like. Others have experienced problem connected to my test server. I can't believe I've created a non-functional Dovecot configuration.
One avenue I will purse: if I swap from 4096 to 2048, why does it work?
Here is a connection with a 4096 cert:
$ openssl s_ s_client -connect imaps.unixathome.org:993 CONNECTED(00000003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0
Certificate chain 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster@unixathome.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Here is it with a 2048 cert:
$ openssl s_client -connect imaps.unixathome.org:993 CONNECTED(00000003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0
Certificate chain 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmaster@langille.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
The only thing I change in the configuration is:
# MY KEYS #ssl_cert = </usr/local/etc/ssl/dovecot.pem #ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
# My 2048 key ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
Current configuration is:
# doveconf -n # 2.2.6: /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 9.1-RELEASE-p6 amd64 auth_debug = yes auth_verbose = yes first_valid_gid = 1001 first_valid_uid = 1001 mail_debug = yes mail_location = maildir:~/Maildir mail_privileged_group = mail passdb { args = scheme=SHA512-CRYPT /var/db/dovecot.users driver = passwd-file } protocols = imap service imap-login { inet_listener imap { address = 199.233.228.197 } inet_listener imaps { address = 199.233.228.197 } } ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key userdb { args = /var/db/dovecot.users driver = passwd-file } verbose_proctitle = yes