Re: [Dovecot] dovecot: imap-login: Disconnected (no auth attempts)
On 09.01.2012 10:37, Simon Loewenthal wrote:
On 09/01/12 10:27, Robert Schetterer wrote:
On 09.01.2012 10:16, J4K wrote:
Morning everyone,
On the 8th of Jan the TLS/SSL certificate I use with Dovecot expired. I replaced it with a new one on the 9th of Jan. I tested this with Thunderbird and all is well.
This morning people tell me they cannot get their email using their mobile telephones: K9 Mail
I have reverted the SSL cert back to the old one just in case. Thunderbird still works.
Dovecot 1:1.2.15-7 running on Debian 6
The messages in the logs are:
Jan 9 10:11:37 logout dovecot: imap-login: Disconnected (no auth attempts): rip=90.131.95.130, lip=88.119.95.13, TLS: Disconnected
Jan 9 10:11:38 logout dovecot: imap-login: Disconnected (no auth attempts): rip=90.131.95.130, lip=88.119.95.13, TLS: Disconnected
In dovecot.conf I have this set :
disable_plaintext_auth = no
And the auth default mechanisms are set to: mechanisms = plain login
What is strange is the only item that changed is the SSL cert, which has since been changed back to the old one (which has expired... ^^).
Any ideas where I may look or change?
Regards, S

if you only changed the crt etc, and you're sure you did everything right
perhaps you have forgotten to add a needed intermediate cert?
read here http://www.trustico.co.uk/install/how-to-install-ssl-certificate.php
Required Intermediate Certificates (CA Certificates)
To successfully install your SSL Certificate you may be required to install an Intermediate CA Certificate. Please review the above installation instructions carefully to determine if an Intermediate CA Certificate is required, how to obtain it and correctly import it into your system. For more information please Contact Us. Alternatively, and for systems not covered by the above installation instructions, please use our Intermediate Certificate Wizard to find the correct CA Certificate or Root Bundle that is required for your SSL Certificate to function correctly. Find Out More Information

I know that the intermediate certs are messed up, which is why I rolled back to the old expired certificate. I did not expect an expired certificate to block authentication, and it does not mean that it does block. The problem may be elsewhere.

that might be a k9 problem (older versions) or in android older versions, is there an ignore ssl failure option as workaround?
what does thunderbird tell you about the new cert?
but for sure the problem may be elsewhere
-- PGP is optional: 4BA78604 simon @ klunky . org simon @ klunky . co.uk I won't accept your confidentiality agreement, and your Emails are kept. ~Ö¿Ö~
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
On 09/01/12 10:41, Robert Schetterer wrote:
On 09.01.2012 10:37, Simon Loewenthal wrote:
that might be a k9 problem (older versions) or in android older versions, is there an ignore ssl failure option as workaround?
what does thunderbird tell you about the new cert?
but for sure the problem may be elsewhere
-- PGP is optional: 4BA78604 simon @ klunky . org simon @ klunky . co.uk I won't accept your confidentiality agreement, and your Emails are kept. ~Ö¿Ö~
TB says unknown, and I know why. I have set the class 1 and class 2 certificate chain keys to the same, when these should be different. Damn, StartCom's certs are difficult to set up.
Workaround for K9 (latest version) is to go to the Account Settings -> Fetching -> Incoming Server, and click Next. It will attempt to authenticate and then complain about the certificate. One can ignore the warning and accept the certificate.
Cheers all.
Simon
TB says unknown, and I know why. I have set the class 1 and class 2 certificate chain keys to the same, when these should be different. Damn, StartCom's certs are difficult to set up.
read this: http://binblog.info/2010/02/02/lengthy-chains/
basically, you start with YOUR cert and work your way up to the root CA with
openssl x509 -in your_servers.{crt|pem} -subject -issuer > server-allinone.crt
openssl x509 -in intermediate_authority.{crt|pem} -subject -issuer >> server-allinone.crt
openssl x509 -in root_ca.{crt|pem} -subject -issuer >> server-allinone.crt
then, in dovecot.conf
---8<---
ssl_cert_file = /path/to/server-allinone.crt
ssl_key_file = /path/to/private.key
---8<---
It works for me but YMMV of course. Androids before 2.2 do not have startcom as a trusted CA and will complain anyhow.
Best Regards, Thanos Chatziathanassiou
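
A way to check a combined file like server-allinone.crt before pointing ssl_cert_file at it, added here as an example and not part of the thread: it confirms that each certificate is followed by its issuer (a wrong or misplaced intermediate fails) and that the private key belongs to the first certificate. The function names are hypothetical, the openssl CLI is assumed to be installed, and only subject/issuer names are compared, not signatures.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires the openssl CLI.

# check_chain_order BUNDLE
# Returns 0 when every certificate in BUNDLE is followed by its issuer
# (leaf first, then intermediate(s), then optionally the root).
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # One file per PEM block; the "subject=/issuer=" text lines that
    # "openssl x509 -subject -issuer" writes between blocks are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inblk = 1 }
        inblk { print > out }
        /-----END CERTIFICATE-----/ { inblk = 0; close(out) }
    ' "$bundle"
    rc=0; count=0; prev_issuer=""
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        count=$((count + 1))
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$count" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
            echo "cert $count ($subject) did not issue cert $((count - 1)); expected $prev_issuer" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 2; }
    return "$rc"
}

# key_matches_cert KEY BUNDLE
# Returns 0 when KEY is the private key for the first (leaf) certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Run as `check_chain_order /path/to/server-allinone.crt && key_matches_cert /path/to/private.key /path/to/server-allinone.crt`; a non-zero exit means the file should not be deployed yet.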
participants (3): J4K, Robert Schetterer, Thanos Chatziathanassiou