[Dovecot] Dovecot with sasl/imaps/postfix and thunderbird
Hi,
I have an fc18 system with postfix and dovecot-2.1.13 and have configured them to use sasl for SMTP Auth and Maildir with imaps.
The system is running now, so I'm trying to set up thunderbird to autodetect all settings during the initial account setup. However, it seems to want to use port 143 and STARTTLS, and not port 993, which is what I would expect. When I force it to use 993, I receive a certificate failure message:
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: initializing the server-side TLS engine
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: connect from unknown[192.168.1.43]
Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.43, lip=66.111.222.101, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<BGBS5MXXhQDAqAEr>
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: lost connection after CONNECT from unknown[192.168.1.43]
These are self-signed certs created using dovecot's mkcert.sh script. Is this a problem with the cert or with the dovecot configuration?
Is it conventional to use port 143 for encrypted IMAP connections these days, and not just 993?
I'm finding that port 25 works with TLS and postfix now too, not just port 587, so I'm really confused.
I've included my doveconf output below. I'd appreciate it if someone could review it for me to be sure.
# 2.1.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.8.1-201.fc18.x86_64 x86_64 Fedora release 18 (Spherical Cow) ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 2000
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_location = maildir:/home/%u/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 20
  service_count = 0
}
ssl_cert =
Thanks, Alex
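Two checks for the situation in the message above, written here as an added example (not code from the thread or from Dovecot): the first triages the quoted imap-login log line and tells you which side sent TLS alert 42, i.e. whether the client rejected the server's certificate; the second re-does the client's verification against either imaps on 993 or STARTTLS on 143 with an explicit trust anchor. The host name and CA file path in the usage section are placeholders.

```python
import re
import socket
import ssl
import imaplib

# TLS alert descriptions (RFC 5246, section 7.2.2); 42 is bad_certificate.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error"}
CERT_ALERTS = {42, 43, 45, 46, 48}  # alerts that mean "I do not accept your certificate"

LOG_RE = re.compile(
    r"dovecot: imap-login: Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?:, TLS: (?P<tls>.*?))?, session=<(?P<session>[^>]+)>"
)
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")


def parse_imap_login_line(line):
    """Triage one Dovecot imap-login 'Disconnected' line; None if it is not one.

    When the TLS field reads 'SSL_read() failed: ... alert ...', Dovecot *received*
    the alert, so the client sent it: alert 42 means the client rejected our
    certificate. That is a client-side trust problem, not an ssl_* setting.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    info = {k: m.group(k) for k in ("reason", "user", "rip", "lip", "session")}
    tls = m.group("tls") or ""
    info["tls_error"] = tls or None
    a = ALERT_RE.search(tls)
    info["alert_number"] = int(a.group("num")) if a else None
    info["alert_name"] = TLS_ALERTS.get(info["alert_number"], "unknown") if a else None
    # An alert that arrives through SSL_read() came from the peer (the client).
    info["alert_sent_by"] = ("client" if "SSL_read()" in tls else "server") if a else None
    info["client_rejected_our_cert"] = (
        info["alert_sent_by"] == "client" and info["alert_number"] in CERT_ALERTS)
    return info


def check_imap_cert(host, port=993, cafile=None, starttls=False, timeout=10):
    """Verify the server certificate the way a mail client does.

    port 993, starttls=False: implicit TLS (imaps) from the first byte.
    port 143, starttls=True:  plaintext greeting, then the IMAP STARTTLS command.
    cafile is a PEM trust anchor (the self-signed cert itself, or the private CA
    that signed it); None means the system trust store, which is what a client
    with no imported cert effectively has.
    Returns (True, peer_cert) or (False, error_text).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    try:
        if starttls:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
            cert = conn.sock.getpeercert()
            conn.logout()
        else:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert()
        return True, cert
    except (ssl.SSLError, OSError, imaplib.IMAP4.error) as exc:
        # An untrusted self-signed cert lands here as CERTIFICATE_VERIFY_FAILED,
        # the same verdict Thunderbird reached before sending alert 42.
        return False, str(exc)


if __name__ == "__main__":
    # The Dovecot line quoted in the message above.
    SAMPLE = ("Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
              "user=<>, rip=192.168.1.43, lip=66.111.222.101, TLS: SSL_read() failed: error:14094412:"
              "SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, "
              "session=<BGBS5MXXhQDAqAEr>")
    print(parse_imap_login_line(SAMPLE))
    # Placeholder host and CA file; point them at the real server and its exported cert.
    print(check_imap_cert("mail.example.com", 993, cafile="server-cert.pem"))
    print(check_imap_cert("mail.example.com", 143, cafile="server-cert.pem", starttls=True))
```

Running check_imap_cert with cafile=None reproduces the failure a fresh Thunderbird profile sees; passing the exported server certificate as cafile shows the cert itself is fine and only the client's trust store is missing it.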
Hi,
I have an fc18 system with postfix and dovecot-2.1.13 and have configured them to use sasl for SMTP Auth and Maildir with imaps.
The system is running now, so I'm trying to set up thunderbird to autodetect all settings during the initial account setup. However, it seems to want to use port 143 and STARTTLS, and not port 993, which is what I would expect. When I force it to use 993, I receive a certificate failure message:
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: initializing the server-side TLS engine
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: connect from unknown[192.168.1.43]
Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.43, lip=66.111.222.101, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<BGBS5MXXhQDAqAEr>
After doing a bit more research, it looks like it's failing because Thunderbird doesn't prompt to accept the self-signed certificate during the "auto config" part of the setup, so just falls back to using port 143.
Although I think it's still using TLS on 143.
I'm really hoping someone can help me to clarify more specifically what's going on here.
Thanks, Alex
On 3/13/2013 12:00 AM, Alex wrote:
Hi,
Hi "Alex"
I have an fc18 system with postfix and dovecot-2.1.13 and have configured them to use sasl for SMTP Auth and Maildir with imaps.
The system is running now, so I'm trying to set up thunderbird to autodetect all settings during the initial account setup. However, it seems to want to use port 143 and STARTTLS, and not port 993, which is what I would expect. When I force it to use 993, I receive a certificate failure message:
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: initializing the server-side TLS engine
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: connect from unknown[192.168.1.43]
Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.43, lip=66.111.222.101, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<BGBS5MXXhQDAqAEr>
After doing a bit more research, it looks like it's failing because Thunderbird doesn't prompt to accept the self-signed certificate during the "auto config" part of the setup, so just falls back to using port 143.
Although I think it's still using TLS on 143.
I just verified that TB (17.0.4) won't do STARTTLS on TCP 143 without first accepting the self signed cert.
I'm really hoping someone can help me to clarify more specifically what's going on here.
You've already clarified it. You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
-- Stan
I just verified that TB (17.0.4) won't do STARTTLS on TCP 143 without first accepting the self signed cert.
I'm really hoping someone can help me to clarify more specifically what's going on here.
You've already clarified it. You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
You can.
Select Menu Tools > Account Settings...
Below the left pane click the Account Actions button, then select Add Mail Account...
Fill in the first name and email address. Uncheck Remember password and leave the password field blank. Click the Continue button.
VERY QUICKLY!!! As soon as the next window opens, click the Manual Config button at the bottom.
Fill in the proper data. Under SSL select None and None. Under Authentication, select Normal Password for both fields.
Make sure the ports have real numbers, not Auto. For POP use 110, for IMAP use 143, for SMTP use 25.
The "Done" button should undim and be clickable. Click it.
You will get a red window warning about no encryption. Check the "I understand ..." box and click Done.
Select the account you just created in the left pane, then fix all the settings to use SSL, etc.
Dem
Interesting, thanks Prof.
Looks like I have some experimenting to do to see what about:config options this sets, so I can add them to my list.
On 2013-03-13 2:31 AM, Professa Dementia professa@dementianati.com wrote:
I just verified that TB (17.0.4) won't do STARTTLS on TCP 143 without first accepting the self signed cert.
I'm really hoping someone can help me to clarify more specifically what's going on here.
You've already clarified it. You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
You can.
Select Menu Tools > Account Settings...
Below the left pane click the Account Actions button, then select Add Mail Account...
Fill in the first name and email address. Uncheck Remember password and leave the password field blank. Click the Continue button.
VERY QUICKLY!!! As soon as the next window opens, click the Manual Config button at the bottom.
Fill in the proper data. Under SSL select None and None. Under Authentication, select Normal Password for both fields.
Make sure the ports have real numbers, not Auto. For POP use 110, for IMAP use 143, for SMTP use 25.
The "Done" button should undim and be clickable. Click it.
You will get a red window warning about no encryption. Check the "I understand ..." box and click Done.
Select the account you just created in the left pane, then fix all the settings to use SSL, etc.
Dem
--
Best regards,
Charles Marcus I.T. Director Media Brokers International, Inc. 678.514.6224 | 678.514.6299 fax
On 03/13/2013 01:51 AM, Stan Hoeppner wrote:
On 3/13/2013 12:00 AM, Alex wrote:
I just verified that TB (17.0.4) won't do STARTTLS on TCP 143 without first accepting the self signed cert.
I'm really hoping someone can help me to clarify more specifically what's going on here.
You've already clarified it. You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
Phil
On 3/13/2013 8:01 AM, Phil Turmel wrote:
On 03/13/2013 01:51 AM, Stan Hoeppner wrote:
On 3/13/2013 12:00 AM, Alex wrote:
I just verified that TB (17.0.4) won't do STARTTLS on TCP 143 without first accepting the self signed cert.
I'm really hoping someone can help me to clarify more specifically what's going on here.
You've already clarified it. You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
How does he do this at scale Phil?
That's what I was commenting on. Importing the cert manually into each client profile probably isn't a realistic option here.
Alex is not a sysadmin but a solutions provider. He needs to drop the server in place and get out with minimal fuss, and without walking around to each user desktop at his clients' sites. Which is why Alex wanted to use auto configuration to begin with, I'd guess.
So assuming these are MS Windows desktops, I'd think he'd need to use one of the Windows specific deployment tools to preload each user profile with the cert. That's why I said he had some research ahead of him. Unless someone here has that answer at hand.
-- Stan
Hi guys,
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
How does he do this at scale Phil?
All of these options suck, frankly. I should have mentioned, however, that this is only for the test server. There's an actual signed cert for the production server, which is really the same server.
So, the test server is mail1.prop.example.com, which will be renamed to just mail.prop.example.com after the staff complete their test.
The trouble is staff are basically end-users, so documenting these steps really sucks. That's where I'm at right now. The damn software works fine (thanks to everyone's help and clarifications); it's just finding the easiest way to convince them it's working that's become the problem. They're going to want screenshots, blah, blah, blah...
I do have other questions (of course), but I'm still reading and absorbing all that everyone has written thus far.
Had I had more time, I would have just made them create another cert for the test server, but I didn't anticipate the difficulty with thunderbird and/or outlook and using self-signed certs.
Thanks, Alex
Hi guys,
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
How does he do this at scale Phil?
It appears that if you delete all the unsigned certs, then set up the account using all the proper ports and auth types, then just restart thunderbird, it works as expected. Upon restarting thunderbird, it will prompt you to "confirm security exception", then it automatically imports the cert for 993. It somehow seemed to automatically import the cert for 587.
Can someone else confirm that restarting Thunderbird is a way around having to manually import the certs or change them later through the account settings menu?
Does anyone have any experience with configuring Outlook to use self-signed certs?
Thanks, Alex
On 14 Mar 2013 03:38, "Alex" mysqlstudent@gmail.com wrote:
Hi guys,
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
How does he do this at scale Phil?
It appears that if you delete all the unsigned certs, then set up the account using all the proper ports and auth types, then just restart thunderbird, it works as expected. Upon restarting thunderbird, it will prompt you to "confirm security exception", then it automatically imports the cert for 993. It somehow seemed to automatically import the cert for 587.
Can someone else confirm that restarting Thunderbird is a way around having to manually import the certs or change them later through the account settings menu?
Does anyone have any experience with configuring Outlook to use self-signed certs?
Thanks, Alex
Import it using internet explorer. Follow the prompts. http://www.google.com/search?hl=en&gl=GB&ie=UTF-8&q=outlook+self+signed+certificate++how-to
Simon
On 3/13/2013 9:38 PM, Alex wrote:
Hi guys,
It's relatively easy. On first starting TB with no account, cancel the wizard. Then use "Edit" -> "Preferences" or "≡" -> "Options..." -> "Options..." to get to TB's configuration pages. There, use "Advanced" -> "Certificates" -> "View Certificates" -> "Servers" and finally "Import..."
After you've imported the needed cert, you can re-open the wizard with "Create new account".
You can also use this method to import a self-signed certificate authority if you want to run your own signing operation.
How does he do this at scale Phil?
It appears that if you delete all the unsigned certs, then set up the account using all the proper ports and auth types, then just restart thunderbird, it works as expected. Upon restarting thunderbird, it will prompt you to "confirm security exception", then it automatically imports the cert for 993. It somehow seemed to automatically import the cert for 587.
Can someone else confirm that restarting Thunderbird is a way around having to manually import the certs or change them later through the account settings menu?
Does anyone have any experience with configuring Outlook to use self-signed certs?
Thanks, Alex
This sounds like you're working on a fairly big project, so spend $20 and 15 minutes to get a REAL certificate for the test domain from one of the countless online vendors.
Surely your time is worth something --- you've spent two days futzing around with this already, and aren't done yet.
-- Noel Jones
Hi,
Can someone else confirm that restarting Thunderbird is a way around having to manually import the certs or change them later through the account settings menu?
Does anyone have any experience with configuring Outlook to use self-signed certs?
This sounds like you're working on a fairly big project, so spend $20 and 15 minutes to get a REAL certificate for the test domain from one of the countless online vendors.
Yeah, tell me about it. The problem is politics and the difference between when the project is expected to be done and the amount of time involved with getting the certificate, explaining what is needed, etc.
It still might be worth it, though. I'll send them an email and see what they say.
Thanks, Alex
On 3/13/2013 10:23 PM, Alex wrote:
Hi,
Can someone else confirm that restarting Thunderbird is a way around having to manually import the certs or change them later through the account settings menu?
Does anyone have any experience with configuring Outlook to use self-signed certs?
This sounds like you're working on a fairly big project, so spend $20 and 15 minutes to get a REAL certificate for the test domain from one of the countless online vendors.
Yeah, tell me about it. The problem is politics and the difference between when the project is expected to be done and the amount of time involved with getting the certificate, explaining what is needed, etc.
It still might be worth it, though. I'll send them an email and see what they say.
Thanks, Alex
If they're paying you for this, it's worth $20 out of pocket to just get it done and out of your hair.
If they're not paying you, tell them you need to borrow a credit card and they can watch.
https://www.rapidsslonline.com/ less than $20/year, takes literally 15 minutes from start to having a certificate. Well, maybe 30 minutes the first time when you need to read everything.
There are probably dozens of other sites offering similar services; I've used this one several times.
-- Noel Jones
On 14/03/2013 03:36, Noel wrote:
https://www.rapidsslonline.com/ less than $20/year, takes literally 15 minutes from start to having a certificate. Well, maybe 30 minutes the first time when you need to read everything.
There are probably dozens of other sites offering similar services; I've used this one several times.
Namecheap reseller: $5/year
https://www.cheapssls.com/
(I just buy 5 year SSLs at that price... How can you refuse?)
https://www.rapidsslonline.com/ less than $20/year, takes literally 15 minutes from start to having a certificate. Well, maybe 30 minutes the first time when you need to read everything.
There are probably dozens of other sites offering similar services; I've used this one several times.
Namecheap reseller: $5/year
I ended up buying one from rapidsslonline, after I learned they require authorization from only the subdomain, not the top-level. I'll check out cheapssls.com as well.
I'm not quite sure yet, but it seems these are only supported with the most current browsers? If a customer visits with, say, IE8 or IE6, are they going to have an issue? (not that they ever should be, or that it would probably affect my purchasing choice; I was just curious because I'm seeing some old browsers and fielding some support issues now.)
Thanks, Alex
On 18/03/2013 03:10, Alex wrote:
https://www.rapidsslonline.com/ less than $20/year, takes literally 15 minutes from start to having a certificate. Well, maybe 30 minutes the first time when you need to read everything.
There are probably dozens of other sites offering similar services; I've used this one several times.
Namecheap reseller: $5/year
https://www.cheapssls.com/
I ended up buying one from rapidsslonline, after I learned they require authorization from only the subdomain, not the top-level. I'll check out cheapssls.com as well.
I'm not quite sure yet, but it seems these are only supported with the most current browsers? If a customer visits with, say, IE8 or IE6, are they going to have an issue? (not that they ever should be, or that it would probably affect my purchasing choice; I was just curious because I'm seeing some old browsers and fielding some support issues now.)
It's not clear if you mean cheapssls.com by the above?
However, I just tried Win XP 32bit with IE8 on one of my certs from cheapssls and saw no problems...
Cheapssl appears to be a reseller for the cheapo positivessl and rapidssl certs. There are a couple of dollars' difference in price between the two cert types. The other cheap end cert seller is godaddy who also offer extremely cheap certs, and in particular they are the only sensibly priced offering that I'm aware of for certs with multiple domains on them (alternative SAN certs), i.e. for moderate money they will give you a cert for domain abcd.com *and* defg.com on the same cert - this can be useful for mail/web servers which need to answer to multiple domain names (not just wildcard). Of course there is an amount of backlash against godaddy, so choose your politics.
Oh, I did also manage to get through the bureaucracy of startcom.org and of course if you are happy with their quirky infrastructure then they offer very inexpensive certs, especially for the more unusual types such as wildcards and multiple SAN. I haven't yet taken a cert from them, but it seems workable now that I got my account created.
Good luck
Ed W
On Wed, 13 Mar 2013, Stan Hoeppner wrote:
You simply can't do account auto configuration with a self signed cert, at least not with a vanilla TB setup. The only possible solution I can think of would be to preload the user profile with the certificate. I don't know how you'd do this. I think you have some research ahead of you.
I create a profile manually, import our self-signed root CA cert, & copy the cert8.db to <mozilla program base>\defaults\profile\cert8.db . For notebooks and workstations that are not administered centrally, there are install scripts that do this.
Now profiles are initialized with the settings of "default". That seems to fail now and then, if the user's profile is located on a network share in Windows.
Steffen Kaiser
On Mon, 18 Mar 2013, Steffen Kaiser wrote:
I create a profile manually, import our self-signed root CA cert, & copy the cert8.db to <mozilla program base>\defaults\profile\cert8.db . For notebooks and workstations that are not administered centrally, there are install scripts that do this.
Now profiles are initialized with the settings of "default".
^ New profiles are ...
That seems to fail now and then, if the user's profile is located on a network share in Windows.
Steffen Kaiser
On 2013-03-13 12:37 AM, Alex mysqlstudent@gmail.com wrote:
Is it conventional to use port 143 for encrypted IMAP connections these days, and not just 993?
Port 143 uses STARTTLS, port 993 uses SSL/TLS... been that way for a long time, and yes there is a (slight) difference. STARTTLS *begins* as an unencrypted session, but immediately negotiates the encrypted session. SSL is encrypted from the very beginning of the connection.
I'm finding that port 25 works with TLS and postfix now too, not just port 587, so I'm really confused.
Both ports 25 and 587 have always worked with STARTTLS... although unless you have a very, very specific need, you will never FORCE STARTTLS on port 25, unlike port 587 where you (should) always *require* it.
--
Best regards,
Charles