dovecot-2.0.9 on CentOS 6.7
The system in question is not connected to the Internet, so I can't copy-and-paste. I have to type anything required :-(
Brand-new out-of-the-box install with a really minimal dovecot.conf including:
service imap-login {
  inet_listener imaps {
    address = 192.168.1.10
    port = 143
    ssl = yes
  }
}

ssl_cert=</etc/pki/tls/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_key =</etc/pki/tls/private/dovecot.pem
That's very, very similar to an existing dovecot server on an old VM I need to replace. Certs are self-signed, I know that's a horrible thing to do, but right now we don't have any choice. I'm connecting with Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice about :-/

The Apple Mail just sits there stupidly. Its "Connection Doctor" just helpfully reports that it can't establish a connection. I can use 'openssl s_client -showcerts -connect mail:143' and see what I expect to see. The dovecot log with lots of verbosity enabled tells me:
imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, lip=192.168.1.10, TLS handshaking: Disconnected
auth: Debug: auth client connected (pid=21006)
imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]
And that's it... those lines get repeated every minute that Mail is running. I'm not seeing anything in any logs that even hints at what it's unhappy about, or any way to increase verbosity any more.
Any hints appreciated!
--
John Oliver http://www.john-oliver.net/
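Added example, not part of the original post or of Dovecot: the `where=` values in the verbose_ssl lines above are OpenSSL info-callback bitmasks, and this sketch decodes them and reports, per remote IP, the last handshake state reached and whether the handshake ever completed. The function names and the regular expression (which matches only the line shape quoted in the post) are assumptions made for this example.

```python
import re

# Info-callback constants from OpenSSL's <openssl/ssl.h>.
SSL_ST_CONNECT, SSL_ST_ACCEPT = 0x1000, 0x2000
FLAGS = {0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
         0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE", 0x4000: "ALERT"}

# Assumption: matches only the line shape shown in the post.
LINE = re.compile(r"SSL: where=(0x[0-9a-fA-F]+), ret=(-?\d+): (.*?) \[([^\]]+)\]")

# The three verbose_ssl lines quoted in the post above.
SAMPLE = """\
imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]
"""

def decode_where(where):
    """Turn the 'where' bitmask into symbolic names (role first, then flags)."""
    names = []
    if where & SSL_ST_ACCEPT:
        names.append("ACCEPT")    # this end is the TLS server
    if where & SSL_ST_CONNECT:
        names.append("CONNECT")   # this end is the TLS client
    names += [name for bit, name in sorted(FLAGS.items()) if where & bit]
    return names

def summarize(log_text):
    """Per remote IP: did a handshake start, did it finish, where did it stop."""
    result = {}
    for m in LINE.finditer(log_text):
        where, state, rip = int(m[1], 16), m[3], m[4]
        s = result.setdefault(rip, {"started": False, "done": False,
                                    "last_state": None, "last_where": []})
        s["started"] |= bool(where & 0x10)
        s["done"] |= bool(where & 0x20)
        s["last_state"] = state
        s["last_where"] = decode_where(where)
    return result

if __name__ == "__main__":
    for rip, s in summarize(SAMPLE).items():
        verdict = "completed" if s["done"] else "never completed"
        print(f"{rip}: handshake {verdict}; last state {s['last_state']!r} "
              f"({'|'.join(s['last_where'])})")
```

For the lines in the post, the handshake starts on the server (ACCEPT) side and the last callback is an EXIT in the "read client hello" state with no HANDSHAKE_DONE, i.e. the server was still waiting for the client's first TLS message when the connection closed.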
On Thu, Mar 17, 2016 at 8:18 PM, John Oliver <joliver@john-oliver.net> wrote:
> dovecot-2.0.9 on CentOS 6.7
> The system in question is not connected to the Internet, so I can't copy-and-paste. I have to type anything required :-(
> Brand-new out-of-the-box install with a really minimal dovecot.conf including:
>
> service imap-login {
>   inet_listener imaps {
>     address = 192.168.1.10
>     port = 143
>     ssl = yes
>   }
> }
>
> ssl_cert=</etc/pki/tls/certs/dovecot.pem
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_key =</etc/pki/tls/private/dovecot.pem
>
> That's very, very similar to an existing dovecot server on an old VM I need to replace. Certs are self-signed, I know that's a horrible thing to do, but right now we don't have any choice. I'm connecting with Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice about :-/
>
> The Apple Mail just sits there stupidly. Its "Connection Doctor" just helpfully reports that it can't establish a connection. I can use 'openssl s_client -showcerts -connect mail:143' and see what I expect to see. The dovecot log with lots of verbosity enabled tells me:
>
> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, lip=192.168.1.10, TLS handshaking: Disconnected
> auth: Debug: auth client connected (pid=21006)
> imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]
>
> And that's it... those lines get repeated every minute that Mail is running. I'm not seeing anything in any logs that even hints at what it's unhappy about, or any way to increase verbosity any more.
> Any hints appreciated!
> --
> John Oliver http://www.john-oliver.net/

Maybe use -starttls imap or 993 port and more logs verbose_ssl=yes
On Thu, Mar 17, 2016 at 08:30:32PM +0300, Andrey Fesenko wrote:
> Maybe use -starttls imap or 993 port and more logs verbose_ssl=yes

I am using verbose_ssl = yes
Dovecot is currently working with SSL on 143, and I'm trying to not change current client config.
As for '-starttls', in what context?
--
John Oliver http://www.john-oliver.net/
On 17/03/2016 17:18, John Oliver wrote:
> The dovecot log with lots of verbosity enabled tells me:
> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, lip=192.168.1.10, TLS handshaking: Disconnected

'no auth attempts' has been reported on the list a few times before and, in some cases, it means what it says - the MUA made no attempt to authenticate with username and password. I think authentication is a different activity from setting up an encrypted comms channel.
Two ideas:
Is the MUA set up to use a login?
And, as part of the secure connection, is the MUA set up to use 'starttls'?
hth Ron
On Thu, Mar 17, 2016 at 08:04:26PM +0000, Ron Leach wrote:
> On 17/03/2016 17:18, John Oliver wrote:
>> The dovecot log with lots of verbosity enabled tells me:
>> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, lip=192.168.1.10, TLS handshaking: Disconnected
> 'no auth attempts' has been reported on the list a few times before and, in some cases, it means what it says - the MUA made no attempt to authenticate with username and password. I think authentication is a different activity from setting up an encrypted comms channel.
> Two ideas:
> Is the MUA set up to use a login?
> And, as part of the secure connection, is the MUA set up to use 'starttls'?

Unfortunately, as the MUA is Apple Mail, that answer is hard to determine. Have I configured a login? Sure. Have I checked "Use SSL"? Yup. Do those settings mean anything? Who knows?
With our old mail server, it "just works"... after going through the mail setup, we don't need to do anything fancy. I can't help but imagine that there's some other difference in the default configs. I'll have to dump the configs of both and do a diff and hope there aren't so many differences I can't pick out what may be relevant here...
--
John Oliver http://www.john-oliver.net/
On Thu, 17 Mar 2016 13:56:22 -0700, John Oliver replied:
> With our old mail server, it "just works"... after going through the mail setup, we don't need to do anything fancy. I can't help but imagine that there's some other difference in the default configs. I'll have to dump the configs of both and do a diff and hope there aren't so many differences I can't pick out what may be relevant here...

Could you post the unobfuscated output of "dovecot -n" so we can see what your actual configuration is?
-- Jerry
Participants (4): Andrey Fesenko, Jerry, John Oliver, Ron Leach