[Dovecot] iphone connection problem
Hi, I recently changed from uw imap to dovecot on the sound recommendation of a friend and have mostly succeeded in getting all of my clients up and running, but am really stuck with the iPhone which is failing to make connections. I run certificates on all of my clients and thunderbird happily connects both locally and remotely. I installed the certificate on the iPhone after great pain (pk12 via the Web administration utility). When you open the configurations on the phone, it tries to make a test connection to the server and fails with a generic SSL error. Dovecot reports just a generic disconnected error (imap-login/client.c line 333), and it appears to be dropping the connection.
Sep 2 09:38:17 inchoate dovecot: imap-login: Disconnected (auth failed, 0 attempts): rip=209.204.139.116, lip=192.168.0.252, TLS
I have run ssldump and here is the relevant section. If anybody has any insights they would be greatly appreciated.
Darren
ssldump tail..
ServerHelloDone
1 5 0.1128 (0.0838) C>SV3.1(7) Handshake
      Certificate
1 6 0.1629 (0.0500) C>SV3.1(134) Handshake
      ClientKeyExchange
1 7 0.1629 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 8 0.1629 (0.0000) C>SV3.1(48) Handshake
1 9 0.1677 (0.0048) S>CV3.1(1) ChangeCipherSpec
1 10 0.1677 (0.0000) S>CV3.1(48) Handshake
1 11 0.1761 (0.0084) S>CV3.1(48) application_data
1 12 0.2650 (0.0889) C>SV3.1(32) Alert
1 13 0.2651 (0.0000) S>CV3.1(32) Alert
1 0.2651 (0.0000) S>C TCP FIN
1 0.2675 (0.0024) C>S TCP FIN
[root@inchoate src]# /tools/dovecot/sbin/dovecot -n
# 1.1.2: /tools/dovecot-1.1.2/etc/dovecot.conf
ssl_ca_file: /etc/mail/certs/cacert_plus_crl.pem
ssl_cert_file: /etc/mail/certs/cert.pem
ssl_key_file: /etc/mail/certs/key.pem
ssl_verify_client_cert: yes
login_dir: /tools/dovecot-1.1.2/var/run/dovecot/login
login_executable: /tools/dovecot-1.1.2/libexec/dovecot/imap-login
auth default:
  verbose: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
On Sep 2, 2008, at 7:55 PM, dovecot@feb17.org wrote:
Hi, I recently changed from uw imap to dovecot on the sound
recommendation of a friend and have mostly succeeded in getting all
of my clients up and running, but am really stuck with the iPhone
which is failing to make connections. I run certificates on all of
my clients and thunderbird happily connects both locally and
remotely. I installed the certificate on the iPhone after great
pain (pk12 via the Web administration utility). When you open the
configurations on the phone, it tries to make a test connection to
the server and fails with a generic SSL error. Dovecot reports just
a generic disconnected error (imap-login/client.c line 333), and it
appears to be dropping the connection.
Sep 2 09:38:17 inchoate dovecot: imap-login: Disconnected (auth failed, 0 attempts): rip=209.204.139.116, lip=192.168.0.252, TLS
verbose_ssl=yes would log more.
ssl_verify_client_cert: yes .. ssl_require_client_cert: yes
Did this really work with UW-IMAP or are you just now trying to set
this up? Are you sure iPhone is even supposed to work with this?
verbose_ssl=yes would log more.
It didn't actually - just tried that, same result.
ssl_verify_client_cert: yes .. ssl_require_client_cert: yes
Did this really work with UW-IMAP or are you just now trying to set
this up? Are you sure iPhone is even supposed to work with this?
In my previous config I used certs only for sendmail relaying on the mobile thunderbird clients, and used SSL/passwords for imap. When I upgraded to dovecot, it started requiring the certs for access locally and remotely and I added the cert to the desktop and all was fine. I'm not 100% sure the iphone supports this - the docs are really murky but as of the last release, they rolled out enterprise support to keep the exchange users happy and it seems to support certificate installation, root certs, client certs etc. If it doesn't I'd just like a clean error message. The iphone says effectively ssl error, are you sure the server supports ssl? and your account settings are correct (sorry it's actually in German otherwise I'd quote it literally). Dovecot is just saying it's disconnecting. I had a very different error from dovecot when the thunderbird clients didn't have certificates, "Client didn't present valid SSL certificate"
Darren
On Sep 2, 2008, at 8:31 PM, dovecot@feb17.org wrote:
verbose_ssl=yes would log more.
It didn't actually - just tried that, same result.
With that enabled Dovecot should log all alerts as warnings (as well
as anything else OpenSSL reports). Are you sure the log file you were
looking at contained also errors/warnings? With syslog they may be in
different files. See http://wiki.dovecot.org/Logging
Also with verbose_ssl=yes Dovecot should have logged either "Invalid
certificate" or "Valid certificate". If it didn't, the client didn't
send any certificate. Although in that case the client still should
have tried to log in.. Wonder where that alert comes from.
verbose_ssl=yes would log more.
It didn't actually - just tried that, same result.
With that enabled Dovecot should log all alerts as warnings (as well
as anything else OpenSSL reports). Are you sure the log file you were
looking at contained also errors/warnings? With syslog they may be in
different files. See http://wiki.dovecot.org/Logging
Yes - it's logging everything to /var/log/maillog, just tested that. No error messages.
Also with verbose_ssl=yes Dovecot should have logged either "Invalid
certificate" or "Valid certificate". If it didn't, the client didn't
send any certificate. Although in that case the client still should
have tried to log in.. Wonder where that alert comes from.
Certainly didn't see that. For some reason I can't get ssldump to give me the type of alert it is seeing. I suspect it isn't decrypting although I've provided a key.
Darren
One more piece of info for comparison, here's the thunderbird ssldump. I'm not sure what the application_data is but it's received happily here.
2 7 10.7516 (0.0000) C>SV3.1(1) ChangeCipherSpec
2 8 10.7516 (0.0000) C>SV3.1(48) Handshake
2 9 10.7620 (0.0103) S>CV3.1(1) ChangeCipherSpec
2 10 10.7620 (0.0000) S>CV3.1(48) Handshake
2 11 10.9688 (0.2068) S>CV3.1(48) application_data
2 12 10.9822 (0.0134) C>SV3.1(48) application_data
2 13 10.9824 (0.0001) S>CV3.1(224) application_data
2 14 16.3136 (5.3312) C>SV3.1(48) application_data
2 15 16.3139 (0.0003) S>CV3.1(32) application_data
2 16 16.3205 (0.0065) C>SV3.1(48) application_data
2 17 16.9382 (0.6177) S>CV3.1(48) application_data
2 18 16.9591 (0.0209) C>SV3.1(48) application_data
2 19 16.9593 (0.0002) S>CV3.1(80) application_data
2 20 16.9805 (0.0211) C>SV3.1(48) application_data
The iphone seems to get upset at around this point and raise an alert which leads to the server closing the connection after raising its own alert. I don't seem to be able to get any more information on the nature of the complaint unfortunately. I've tried providing the ssl key to ssldump but it doesn't reveal anything.
1 7 0.1629 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 8 0.1629 (0.0000) C>SV3.1(48) Handshake
1 9 0.1677 (0.0048) S>CV3.1(1) ChangeCipherSpec
1 10 0.1677 (0.0000) S>CV3.1(48) Handshake
1 11 0.1761 (0.0084) S>CV3.1(48) application_data
1 12 0.2650 (0.0889) C>SV3.1(32) Alert
1 13 0.2651 (0.0000) S>CV3.1(32) Alert
1 0.2651 (0.0000) S>C TCP FIN
1 0.2675 (0.0024) C>S TCP FI
Darren
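An added example, written for this archive page and not posted by anyone in the thread: a parser for the ssldump summary format quoted above that turns the record sizes into the facts a troubleshooter wants. The check it encodes is that a client Handshake record of exactly 7 bytes is a Certificate message with an empty certificate_list (RFC 2246, section 7.4.2), which is consistent with Timo's remark that neither "Valid certificate" nor "Invalid certificate" was logged. The sample input is the iPhone excerpt re-typed one record per line, as ssldump prints it.

```python
import re
from dataclasses import dataclass

# A Certificate handshake message with an empty certificate_list is exactly 7 bytes:
# 1-byte type + 3-byte message length + 3-byte list length (RFC 2246, 7.4.2).
EMPTY_CERTIFICATE_LEN = 7
# One ssldump record line: conn, record no, time, (delta), C>S or S>C, Vx.y(len), type
RECORD_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+"
    r"([CS])>([CS])V(\d+\.\d+)\((\d+)\)\s+(\w+)\s*$"
)

@dataclass
class Record:
    seq: int           # record number within the connection
    sender: str        # "C" (client) or "S" (server)
    length: int        # TLS record length, the number in parentheses
    content: str       # Handshake, ChangeCipherSpec, Alert, application_data
    message: str = ""  # handshake message name from ssldump's indented next line

def parse_ssldump(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(int(m.group(2)), m.group(5), int(m.group(8)), m.group(9)))
        elif line.startswith(" ") and records and records[-1].content == "Handshake":
            records[-1].message = line.strip()  # e.g. "Certificate", "ClientKeyExchange"
    return records  # TCP-level lines (no record number) are skipped

def analyse(records: list) -> dict:
    client_cert = next((r for r in records if r.sender == "C" and r.message == "Certificate"), None)
    ccs_senders = {r.sender for r in records if r.content == "ChangeCipherSpec"}
    first_alert = next((r for r in records if r.content == "Alert"), None)
    server_data = next((r for r in records if r.sender == "S" and r.content == "application_data"), None)
    return {
        # 7 bytes: the client answered the CertificateRequest with no certificate at all
        "client_cert_empty": client_cert is not None and client_cert.length == EMPTY_CERTIFICATE_LEN,
        # both sides switched to the negotiated keys, so the TLS handshake itself finished
        "handshake_completed": ccs_senders == {"C", "S"},
        "first_alert_from": first_alert.sender if first_alert else None,
        # on port 993 the server's first application_data is the IMAP greeting banner
        "server_data_before_alert": bool(server_data and first_alert and server_data.seq < first_alert.seq),
    }

# Constructed input: the iPhone excerpt from the thread, one record per line as ssldump prints it.
IPHONE_DUMP = """\
1 5 0.1128 (0.0838) C>SV3.1(7) Handshake
      Certificate
1 6 0.1629 (0.0500) C>SV3.1(134) Handshake
      ClientKeyExchange
1 7 0.1629 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 8 0.1629 (0.0000) C>SV3.1(48) Handshake
1 9 0.1677 (0.0048) S>CV3.1(1) ChangeCipherSpec
1 10 0.1677 (0.0000) S>CV3.1(48) Handshake
1 11 0.1761 (0.0084) S>CV3.1(48) application_data
1 12 0.2650 (0.0889) C>SV3.1(32) Alert
1 13 0.2651 (0.0000) S>CV3.1(32) Alert
"""

if __name__ == "__main__":
    for key, value in analyse(parse_ssldump(IPHONE_DUMP)).items():
        print(f"{key:>25}: {value}")
```

Run against the iPhone excerpt it reports an empty client Certificate, a completed handshake, the server's greeting delivered, and the first Alert coming from the client; the same parser run on the thunderbird excerpt (which starts after the Certificate record) simply reports no empty certificate and no alert.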
On Sep 2, 2008, at 9:50 PM, dovecot@feb17.org wrote:
On Tue, Sep 02, 2008 at 02:19:39PM -0400, Charles Marcus wrote:
You're not using self-signed certs by any chance?
Yes, I am,
I guess you mean self-created CA which has signed the server and
client certs? I don't think it would work otherwise..
On Tue, Sep 02, 2008 at 02:19:39PM -0400, Charles Marcus wrote:
You're not using self-signed certs by any chance?
Yes, I am,
I guess you mean self-created CA which has signed the server and
client certs? I don't think it would work otherwise..
Yes, I created a CA and signed the server and client certs.
Darren
on 9/3/08 3:57 AM dovecot@feb17.org said the following:
On Tue, Sep 02, 2008 at 02:19:39PM -0400, Charles Marcus wrote:
You're not using self-signed certs by any chance?
Yes, I am,
I guess you mean self-created CA which has signed the server and
client certs? I don't think it would work otherwise..
Yes, I created a CA and signed the server and client certs.
Darren
Are you still having problems with this? I've got an iphone running 2.0.x software working with 2 dovecot servers running 1.0.10 and 1.0.14 respectively. Both using self-signed certificates for SSL.
I didn't have any really big issues aside from having to hit "continue anyways" when the iphone displayed a "can't verify this SSL certificate" (or something like that) dialog box
Alan
On 9/5/2008, Alan Premselaar (alien@12inch.com) wrote:
I didn't have any really big issues aside from having to hit "continue anyways" when the iphone displayed a "can't verify this SSL certificate" (or something like that) dialog box
That did indeed work on the first iPhone, but the new 3G iPhone won't let you do that any more.
I finally found a link that advised to just upload the pub cert to an accessible subdirectory on a web server, then just use the iPhone and browse to the http://www.example.com/directory/cert.name, and then it prompts you to install the cert.
--
Best regards,
Charles
On Friday 05 September 2008 10:35:21 Alan Premselaar wrote:
Are you still having problems with this? I've got an iphone running 2.0.x software working with 2 dovecot servers running 1.0.10 and 1.0.14 respectively. Both using self-signed certificates for SSL.
I didn't have any really big issues aside from having to hit "continue anyways" when the iphone displayed a "can't verify this SSL certificate" (or something like that) dialog box
And you are using client certs for authentication? That was the original context of the thread, if I understood it correctly. I didn't get that to work at all up to now.
Alan
Rainer
on 9/5/08 7:35 PM Rainer Frey said the following:
On Friday 05 September 2008 10:35:21 Alan Premselaar wrote:
Are you still having problems with this? I've got an iphone running 2.0.x software working with 2 dovecot servers running 1.0.10 and 1.0.14 respectively. Both using self-signed certificates for SSL.
I didn't have any really big issues aside from having to hit "continue anyways" when the iphone displayed a "can't verify this SSL certificate" (or something like that) dialog box
And you are using client certs for authentication? That was the original context of the thread, if I understood it correctly. I didn't get that to work at all up to now.
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side.
Alan
On 9/9/08 7:59 PM, Charles Marcus wrote:
On 9/9/2008, Alan Premselaar (alien@12inch.com) wrote:
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side.
Then if this is a 3G iPhone, my last response is the solution.
I've got a 3G iPhone. Here in Japan the original iPhone was never released.
Alan
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side.
Then if this is a 3G iPhone, my last response is the solution.
I've got a 3G iPhone. Here in Japan the original iPhone was never released.
Hmmm...
And I just realized that I too had thought that you were using actual Client certs, and never sent my reply with the solution. It is quite simple actually.
Just upload the public cert to a publicly accessible directory on a webserver, then navigate there (including the full name of the cert) in Safari on your iPhone, and you'll get a prompt to install the cert, then it will 'just work'...
--
Best regards,
Charles
tanstaafl_bh wrote:
And I just realized that I too had thought that you were using actual Client certs, and never sent my reply with the solution. It is quite simple actually.
Just upload the public cert to a publicly accessible directory on a webserver, then navigate there (including the full name of the cert) in Safari on your iPhone, and you'll get a prompt to install the cert, then it will 'just work'...
if that doesn't work, and you're on a Mac, try this: http://www.blackfinsoftware.com/wordpress/?p=6
On Tuesday 09 September 2008 12:59:10 Charles Marcus wrote:
[...]
Please, folks, leave me out of CC. Answers to the list are sufficient!
Thanks Rainer
On Tue, Sep 09, 2008 at 06:59:10AM -0400, Charles Marcus wrote:
On 9/9/2008, Alan Premselaar (alien@12inch.com) wrote:
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side.
Then if this is a 3G iPhone, my last response is the solution.
Sorry for the delay picking this up again - it's been so frustrating I needed to take a break - have sunk too many hours into it. To answer the various questions,
I was trying this with the original iphone (have subsequently tested with 3G, no difference).
I am using self signed certs. I am trying to use client certs, not just server certs. I have been emailing p12 attachments via gmail. My attempts to download mobileconfig from webserver weren't successful.
If I understand the various suggestions:
- don't use a self-signed cert (I have made the self-CA and the mail certs slightly different),
- make the public CA cert available via webserver (I have installed root cert via email and that didn't help).
I will try installing root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth, life is too short. I'd still love an error message that meant something ;)
Darren
On 9/11/2008, daz@feb17.org (daz@feb17.org) wrote:
I will try installing root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth, life is too short.
Since simple self-signed server based certs work fine, wouldn't that be better than no security at all?
--
Best regards,
Charles
daz@feb17.org wrote:
On Tue, Sep 09, 2008 at 06:59:10AM -0400, Charles Marcus wrote:
On 9/9/2008, Alan Premselaar (alien@12inch.com) wrote:
Ahh, no, sorry I must have overlooked that part. I'm just using standard self-signed certificates on the server side.
Then if this is a 3G iPhone, my last response is the solution.
Sorry for the delay picking this up again - it's been so frustrating I needed to take a break - have sunk too many hours into it. To answer the various questions,
I was trying this with the original iphone (have subsequently tested with 3G, no difference).
I am using self signed certs. I am trying to use client certs, not just server certs. I have been emailing p12 attachments via gmail. My attempts to download mobileconfig from webserver weren't successful.
If I understand the various suggestions:
- don't use a self-signed cert (I have made the self-CA and the mail certs slightly different),
I think that is likely to be a red herring. The only thing you get in this circumstance from a commercial cert is (hopefully) rigorous technical correctness in the cert construction and signing. If you want to use client certs, you will have to manage your own PKI to some degree anyway, and that means getting all of the details right *with understanding*, not just finding a cargo-cult fix. I think you are doing the right thing in trying to get this working with your own certs, as that painful process assures that you will gain useful clues.
- make the public CA cert available via webserver ( I have installed root cert via email and that didn't help).
I will try installing root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth, life is too short. I'd still love an error message that meant something ;)
You may find it easiest to debug the certs using a web server and Safari on the iPhone rather than Dovecot and Mail, because you are likely to be able to instrument it better, get better error descriptions from the client, and be given more options on how to fix the problem.
Since you have CA, server, and client certs, it might help to not think of these as "self-signed" since at most only the CA really is that. The server cert and the client certs are signed by the CA cert, and the only difference between this setup and one using commercial certs is that you have to get your CA cert treated and trusted in the same way as a commercial root CA cert *by both ends*.
Client certs do not really add a great deal of security over just requiring auth to be done inside a TLS session. In some ways they are a security trade-off, rather than a clear improvement. If your PKI and device config processes are not very rigorous, you can end up in a risky circumstance by trusting client certs that you are dropping onto devices that can easily land in the wrong hands. I can say from first-hand experience that the iPhone version of Mail will work with Dovecot using a real self-signed cert and only allowing auth inside an encrypted session, so you do not need to completely throw security overboard.
All sage advice. I've gone back to basics, and installed the root CA on the phone via safari rather than email (apple's mobile config package). I discovered just now to my horror after some frustration that one logging option wasn't working that my binary is picking up a different config file ;( so I need to go back and go through the differences now and see what I was actually running. Hopefully this will clean things up. I think your point#3 is the most useful ;) I'm mainly doing this b/c it was the dovecot default and I like security but for this much aggravation I probably don't need it. I was running without client certs for mail retrieval happily for a long time,
Darren
Charles Marcus wrote:
You're not using self-signed certs by any chance?
I have had good success using the cheapo certs from GoDaddy - they offer a cert with multiple Alt names so you can connect using a variety of server names. Quite inexpensive and the whole setup was very smooth (they are just a cheapo registrar who verify you based on the WHOIS info only)
Ed W
participants (10)
- alan premselaar
- Alan Premselaar
- Bill Cole
- Charles Marcus
- daz@feb17.org
- dovecot@feb17.org
- Ed W
- Rainer Frey
- tcowin
- Timo Sirainen