I have an old CentOS 7 server using dovecot 2.2.36 and OpenSSL 1.0.2k-fips that’s been fine for quite some time. Recently I started getting complaints related to SNI.
I test with this: openssl s_client -connect mail.domain.com:993 -crlf -quiet
On macOS using OpenSSL LibreSSL 3.3.6 I test and get the default dovecot domain “SomeWrongDomain.com” which causes issues.
On Oracle Linux 9 using OpenSSL 3.0.7 I get the correct response for the domain “mail.domain.com”
What could cause this?
Thank you, Steffan Cline steffan@hldns.com<mailto:steffan@hldns.com> 602-793-0014
On 12/03/2024 22:54 EET steffan--- via dovecot <dovecot@dovecot.org> wrote:
I have an old CentOS 7 server using dovecot 2.2.36 and OpenSSL 1.0.2k-fips that’s been fine for quite some time. Recently I started getting complaints related to SNI.
I test with this: openssl s_client -connect mail.domain.com:993 -crlf -quiet
On macOS using OpenSSL LibreSSL 3.3.6 I test and get the default dovecot domain “SomeWrongDomain.com” which causes issues.
On Oracle Linux 9 using OpenSSL 3.0.7 I get the correct response for the domain “mail.domain.com”
What could cause this?
Thank you, Steffan Cline steffan@hldns.com<mailto:steffan@hldns.com> 602-793-0014
One reason could be that Dovecot 2.3 does not support openssl3, and there is a broken patch flying around. We are close to releasing our next major release, which does include support for ossl3.
We can't really debug issues likely caused by a 3rd-party patch.
Try with RHEL8 or compatible, we have packages for that as well.
Aki
On 2024-03-12, steffan--- via dovecot <dovecot@dovecot.org> wrote:
I have an old CentOS 7 server using dovecot 2.2.36 and OpenSSL 1.0.2k-fips that’s been fine for quite some time. Recently I started getting complaints related to SNI.
I test with this: openssl s_client -connect mail.domain.com:993 -crlf -quiet
On macOS using OpenSSL LibreSSL 3.3.6 I test and get the default dovecot domain “SomeWrongDomain.com” which causes issues.
On Oracle Linux 9 using OpenSSL 3.0.7 I get the correct response for the domain “mail.domain.com”
That's not a valid test. openssl >=1.1.1 s_client uses SNI by default, with libressl or older openssl you need to use -servername.
On 13/03/24 22:30, Stuart Henderson wrote:
I test with this: openssl s_client -connect mail.domain.com:993 -crlf -quiet
That's not a valid test. openssl >=1.1.1 s_client uses SNI by default, with libressl or older openssl you need to use -servername.
Indeed, you want: openssl s_client -connect mail.example.com:993 -servername mail.example.com -crlf -quiet
-servername works with newer versions of s_client but is required for older versions, if you include it in everything you can't go wrong.
Peter
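A check script in the spirit of Stuart's and Peter's point, added here as an example and not part of the thread: it queries the same host with and without -servername and compares the CN of the leaf certificate, so a "wrong domain" result can be attributed to the client omitting SNI rather than to the server. It assumes openssl s_client is on PATH and the host is reachable; -quiet is dropped because it suppresses the certificate output that openssl x509 parses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl on PATH, host reachable.

# Extract the CN from a line as printed by "openssl x509 -noout -subject".
# Handles "subject=CN = x" (OpenSSL 1.1.1/3) and "subject= /C=..../CN=x"
# (OpenSSL 1.0.2, LibreSSL). Takes the subject line as $1.
cn_from_subject() {
    printf '%s\n' "$1" \
        | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# CN of the leaf certificate presented for $1:$2. With $3 empty no SNI is
# sent; otherwise $3 is sent as the server_name extension via -servername.
served_cn() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then set -- -servername "$sni"; else set --; fi
    subj=$(openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null)
    cn_from_subject "$subj"
}

# Probe once without and once with SNI and report whether the server selects
# its certificate by server name. Usage: check_sni mail.example.com 993
check_sni() {
    host=$1; port=${2:-993}
    without=$(served_cn "$host" "$port" "")
    with=$(served_cn "$host" "$port" "$host")
    printf 'without -servername: CN=%s\nwith    -servername: CN=%s\n' "$without" "$with"
    if [ "$without" != "$with" ]; then
        echo "server selects its certificate by SNI: a client that omits -servername gets the default certificate"
    else
        echo "same certificate with and without SNI"
    fi
}
```

If the two CNs differ, the old-client result is a test artifact, not a Dovecot misconfiguration; if they match and neither is the expected name, the server's ssl settings are the place to look.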