[Dovecot] SSL_accept failed
Hello, I'm new to dovecot. I just installed it a few days ago on
FreeBSD via the ports and got it up and running without too much
trouble. Although yesterday I turned on the SSL/TLS features and
tried to get secure connections to work.
I don't get any error messages when launching dovecot, I saw it
successfully create the SSL parameters after first enabling the
feature yet I can't seem to get a successful connection. Normal non-
ssl connections work fine.
What happens:
1) my client claims to be attempting the connection.
2) things go on for some time with nothing happening
3) finally the dovecot log pops up with these messages
dovecot: Sep 09 02:25:23 Warning: imap-login: SSL_accept() syscall
failed: EOF [x.x.x.x]
dovecot: Sep 09 02:25:23 Info: imap-login: Disconnected:
rip=x.x.x.x, lip=x.x.x.x, TLS handshake
dovecot: Sep 09 02:26:23 Info: imap-login: Disconnected:
Inactivity: rip=x.x.x.x, lip=x.x.x.x, TLS handshake
FYI: I've regenerated a fresh cert and key, just for dovecot and I'm
using Mac OS X's Mail client.
Any clues?
.tim
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
hi tim,
- -- On September 9, 2006 10:28:29 AM -0700 Timothy Martin instanttim@mac.com wrote:
Hello, I'm new to dovecot. I just installed it a few days ago on FreeBSD via the ports and got it up and running without too much trouble. Although yesterday I turned on the SSL/TLS features and tried to get secure connections to work.
I don't get any error messages when launching dovecot, I saw it successfully create the SSL parameters after first enabling the feature yet I can't seem to get a successful connection. Normal non- ssl connections work fine.
What happens:
- my client claims to be attempting the connection.
- things go on for some time with nothing happening
- finally the dovecot log pops up with these messages dovecot: Sep 09 02:25:23 Warning: imap-login: SSL_accept() syscall failed: EOF [x.x.x.x] dovecot: Sep 09 02:25:23 Info: imap-login: Disconnected: rip=x.x.x.x, lip=x.x.x.x, TLS handshake dovecot: Sep 09 02:26:23 Info: imap-login: Disconnected: Inactivity: rip=x.x.x.x, lip=x.x.x.x, TLS handshake
FYI: I've regenerated a fresh cert and key, just for dovecot and I'm using Mac OS X's Mail client.
i'm running dovecot on OSX, but have previously had _similar_ troubles that, eventually, turned out to be borked certs.
have you checked/verified the certs?
if not, take a look with:
(1) another server, if you have it (2) mulberry MUA (mulberrymail.com) or thunderbird. both have nice cert view capabilities. simply dunno if Mail.app does -- i don't use it (3) check your certs with, e.g.:
openssl verify -verbose -issuer_checks -purpose sslserver -CAfile 'my_CA_CERT' 'my_SVR_CERT'
fwiw, there's a useful reference starting point here:
"Certificate Management and Installation with OpenSSL" http://gagravarr.org/writing/openssl-certs/
hth,
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUDABEACgkQlffdvTZxCMbRLQCgqJ/UOWhrJYK1RdueynC+fQKt izIAoMKGMQd46gExFNIu/4B9cbgrkCCj =4mpP -----END PGP SIGNATURE-----
So thunderbird actually seems to work fine, but Mail.app doesn't. I
get the warning from thunderbird about the self-signed cert, but
mail.app doesn't give me any warning at all. I'm used to getting the
warning from Mail.app when i use my courier imap server... which
works just fine with my self-signed certs.
Do you think it makes a difference how you created the cert? Over the
years i've found two different ways to do it. One way involves making
the CA cert and creating a CSR and it's many many steps. But
alternatively I found that I can normally do it in a single step like
so:
openssl req -x509 -newkey rsa:2048 -keyout private/dovecot.key -out certs/dovecot.cert -days 365 -nodes
But admittedly, despite reading many a source on certs and ssl I
really don't understand the finer points of it.
.tim
On Sep 9, 2006, at 10:55am, OpenMacNews wrote:
i'm running dovecot on OSX, but have previously had _similar_ troubles that, eventually, turned out to be borked certs.
have you checked/verified the certs?
if not, take a look with:
(1) another server, if you have it (2) mulberry MUA (mulberrymail.com) or thunderbird. both have nice cert view capabilities. simply dunno if Mail.app does -- i don't
use it (3) check your certs with, e.g.:openssl verify -verbose -issuer_checks -purpose sslserver -CAfile 'my_CA_CERT' 'my_SVR_CERT'
fwiw, there's a useful reference starting point here:
"Certificate Management and Installation with OpenSSL" http://gagravarr.org/writing/openssl-certs/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
hi tim,
- -- On September 9, 2006 4:24:37 PM -0700 Timothy Martin instanttim@mac.com wrote:
So thunderbird actually seems to work fine, but Mail.app doesn't.
to be honest, that doesn't surprise me.
personally, i've given up trusting Mail.app with any 'serious' imap usage. "mebbe sumday" ...
that said, imho, there's no more robust imap client (well, gui-client, anyway) than Mulberry (http://mulberrymail.com). if only cuz the author, Cyrus Daboo, is about as 'authoritative' as it gets.
my $0.02, ymmv, caveat emptor, etc etc ...
I get the warning from thunderbird about the self-signed cert, but mail.app doesn't give me any warning at all. I'm used to getting the warning from Mail.app when i use my courier imap server... which works just fine with my self-signed certs.
i've been led astray by "works just fine"
Do you think it makes a difference how you created the cert?
short answer: yes.
forget an -x509 here, mix up a -out and a -keyout, etc & you'll like get a cert, that even "works" -- initially & kinda sorta ...
Over the years i've found two different ways to do it. One way involves making the CA cert and creating a CSR and it's many many steps.
which, ultimately, is what i've come to depend on. i've forced myself to understand what's going on in each step.
because, at my age ;-) my memory's failing, i've got it all wrapped up in a script specific to my $ENV & dir_structure.
But alternatively I found that I can normally do it in a single step like so:
openssl req -x509 -newkey rsa:2048 -keyout private/dovecot.key -out certs/dovecot.cert -days 365 -nodes
But admittedly, despite reading many a source on certs and ssl I really don't understand the finer points of it.
amen to that. but, if you're gonna depend on this AND diy, you really have little choice ...
you haven't referenced that you've tested the certs, or viewed them in detail in mulberry/thunderbird or shell, for that matter ...
if you haven't, again, i'd simply suggest that you do.
g'luck!
.tim
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUDUfwACgkQlffdvTZxCMbxuACfWVpX5jfMntUqyLAlAplpFYX0 9twAnAn1KLWjmIkvlPnY5FRb9rskGQUH =3IZg -----END PGP SIGNATURE-----
Thanks for the input so far... I hear what you're saying about
Mail.app but I provide email for a small group of friends and I need
it to work with a variety of clients.
On Sep 9, 2006, at 4:45pm, OpenMacNews wrote:
you haven't referenced that you've tested the certs, or viewed them in detail in mulberry/thunderbird or shell, for that matter ...
if you haven't, again, i'd simply suggest that you do.
I did, but i wasn't sure what it meant. I got an actual signed cert
from cacerts.org and this is what i get when i try to verify it.
dovecot.cert: /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch OK
all my self-signed certs look like this:
design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=design1st.org error 18 at 0 depth lookup:self signed certificate OK
This seemed more interesting, but also didn't help me:
design1st:/usr/local/openssl/certs root# openssl s_client -connect
localhost:10943 -showcerts CONNECTED(00000003) depth=0 /CN=mail.design1st.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=mail.design1st.org verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=mail.design1st.org verify error:num=21:unable to verify the first certificate verify return:1Certificate chain 0 s:/CN=mail.design1st.org i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.org -----BEGIN CERTIFICATE----- MIIEWTCCAkGgAwIBAgIDAqhMMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTA2MDkwOTIzNDYzMVoXDTA3MDMwODIzNDYzMVowHTEb MBkGA1UEAxMSbWFpbC5kZXNpZ24xc3Qub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDiRDQnEyIwW6u3digVgFZpYYJ8ME7tKDSkbrm0IeSbW4qOnQJ1vTZD pYQ5EZraScR1c1eGNEzSdAXy7oEPKspNxmaslL1C+hk6hYCvVhjdgG9QmUAwhoDM komhP+YG4bO/yC3m72JKgpUPUHCXmFoWzP16B6rCDX96UV03JgE8XQIDAQABo4HJ MIHGMAwGA1UdEwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUFBwMB BglghkgBhvhCBAEGCisGAQQBgjcKAwMwCwYDVR0PBAQDAgWgMDIGCCsGAQUFBwEB BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzA/BgNVHREE ODA2ghJtYWlsLmRlc2lnbjFzdC5vcmegIAYIKwYBBQUHCAWgFAwSbWFpbC5kZXNp Z24xc3Qub3JnMA0GCSqGSIb3DQEBBQUAA4ICAQB2WcnVYg8aH6Undaey/9u27EqJ F0JkEzIsW7St2eKvBdEFq3kRZYT1lbAT5rJlmBd+cy7HYPfcrd6vfZP7xrD4+gK8 jzWikQAuAH7HtKNl5mDL7WDzJrsDj9xgOddQfo2hUp2vvvDBuMPFWTVwnTKqUogH /7AKdeJsDUtXrHMqfO24AbEaxnZG9g7VuaUFMM2KXiOLuwppqs3/V80YFqE2NQW1 1n8VGagDe4WqsSNLK8INjaX8txkzgTSoC52nSw8uSnRV2OqyJk+NFN9kyOeBxMnN YTZN7KnFJNM+eL4kQcgj3X/sBod1HkFiFc9luNhs6YcSFHYDyHKTCstCVPc3maVL E5cM6infxZyQCu/lMsIQhEtOBnT5xLe4RhYLERXORgu3eusoEm6KYj1eEkLpkv0O vtCoCjeMRgoe2nRna41O1y7LDy2AHTKym1XM5+Mmt/yx9fnyOJsSVeDUx5EOBrIE DRGSJ/5VOw3LZZ0rVzNW0MsJTd8Svv5L0a0/YJ7onm22y1HOOJCdkM0ENok7008F 2/+KGvCF6lATYMzhnRRtdXn13Ci1bUK/IdZvJoXE/gS7ajDOLZzlaJHiyIOvwRDM OPlbcMjdgnSDrkxf6KAzSEb23Tk3utdyZW+P8bRfGK4ObGBgk1j2nPaFQCQJPC/Z NRO4/+zsOSMOvnQ5CA== -----END CERTIFICATE-----Server certificate subject=/CN=mail.design1st.org issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support@cacert.orgNo client certificate CA names sent
SSL handshake has read 1681 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID:
1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706 Session-ID-ctx: Master-Key:
85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE286C 0008197298EC8A16CE8D11BF4B Key-Arg : None Start Time: 1157850811 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate)
- OK Dovecot ready.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
hi tim,
Thanks for the input so far... I hear what you're saying about Mail.app but I provide email for a small group of friends and I need it to work with a variety of clients.
i was simply suggesting options for you to explore/investigate your problem with tools that might be of more help, not to suggest replacing your client of choice.
if you haven't, again, i'd simply suggest that you do.
I did, but i wasn't sure what it meant. I got an actual signed cert from cacerts.org and this is what i get when i try to verify it.
given what i'm seeing below, i'm going to suggest that you step-by-step it 1st with your own, home-grown CA cert ... just to see what's happening
dovecot.cert: /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch OK
all my self-signed certs look like this:
design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=design1st.org error 18 at 0 depth lookup:self signed certificate OK
This seemed more interesting, but also didn't help me:
design1st:/usr/local/openssl/certs root# openssl s_client -connect localhost:10943 -showcerts CONNECTED(00000003) depth=0 /CN=mail.design1st.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=mail.design1st.org verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=mail.design1st.org verify error:num=21:unable to verify the first certificate verify return:1
Certificate chain 0 s:/CN=mail.design1st.org i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org -----BEGIN CERTIFICATE----- snip -----END CERTIFICATE-----
Server certificate subject=/CN=mail.design1st.org issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
No client certificate CA names sent
SSL handshake has read 1681 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706 Session-ID-ctx: Master-Key: 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE28 6C 0008197298EC8A16CE8D11BF4B Key-Arg : None Start Time: 1157850811 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate)
- OK Dovecot ready.
1st, take each of the errors and google on it ... there's lots of info out there.
unfortunately, you're gonna have to match what you find with your particular circumstance(s).
that said ... lemme guess at something here:
have you IMPORTED the cert into mail.app?
why do i ask? cref here:
Mac OS X Mail.app (native eMail application) for Signing / Encrypting http://wiki.cacert.org/wiki/EmailCertificates "these steps were needed because Apple does not ship with the cacert Root CA Certificate"
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUDl+0ACgkQlffdvTZxCMa0EwCgsIUowsMk6yLdy4TOb4ZSgAkP pwEAnRKE48MFdgacepl8qTQc6VxzWSI2 =pFSx -----END PGP SIGNATURE-----
I've successfully gone back and forth with using the same cert and
key that works with my mail client and an alternate mail server
(courier-imap) but seems to not work with with Dovecot/Apple Mail.
I've also tested with openssl s_client commands (shown below). So
given a particular cert/key the situation looks like this:
Courier + Apple Mail: works
Courier + Thunderbird: works
Dovecot + Apple Mail: doesn't work
Dovecot + Thunderbird: works
I found an old message on the mailing list that basically just said
that Apple Mail isn't working with IMAP-SSL support on dovecot, but
that seems like it must be a bug that hopefully would be fixed (if it
hasn't been already).
Does anyone else have info or experience with that?
.tim
CONNECTED(00000003) depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org verify return:1
Certificate chain 0 s:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org i:/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
Server certificate -----BEGIN CERTIFICATE----- MIIDoTCCAwqgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEaMBgGA1UE ChMRRGVzaWduMXN0IERvdCBPcmcxGzAZBgNVBAMTEm1haWwuZGVzaWduMXN0Lm9y ZzEnMCUGCSqGSIb3DQEJARYYZDFzdC1hZG1pbkBkZXNpZ24xc3Qub3JnMB4XDTA1 MTEwNTA2NDIwNFoXDTMzMDMyMjA2NDIwNFowgZgxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxGjAYBgNVBAoTEURl c2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2lnbjFzdC5vcmcxJzAl BgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9yZzCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAueMIqNJGCB9QIZXBZw+17iT06feMdyzi0p7rB5xt 3nz/nTSMRFTIzmabN0tR8wFJ1oA3TlHFKQ51x08ZSUPLHmVo61xZIn392mwDL9Zn ozh3FreVXkKHMhANvwTV2kqMcOJzeyNgENO0YSl6iv1MydMAM2OGbC6FdHAz6dHG 4GkCAwEAAaOB+DCB9TAdBgNVHQ4EFgQUF985KOsukGEGsY1eyBgWouDOVxIwgcUG A1UdIwSBvTCBuoAUF985KOsukGEGsY1eyBgWouDOVxKhgZ6kgZswgZgxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUx GjAYBgNVBAoTEURlc2lnbjFzdCBEb3QgT3JnMRswGQYDVQQDExJtYWlsLmRlc2ln bjFzdC5vcmcxJzAlBgkqhkiG9w0BCQEWGGQxc3QtYWRtaW5AZGVzaWduMXN0Lm9y Z4IBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBABwOsxpHng49aC9u eRe1a3wn5tyZDPq5YQqpACHvz5JRX54y6Dh+PB2Y0Qim6/Ihf2r91D/WnFwULHvX gllx6L4DnoB5Zq8+P+4B8m27VqgzaJAeIawXm0hXAl7E8UTUCXFCCUvuHmzVqHKl dtAuA5z38boKKywg6U1HUhbuAmd8 -----END CERTIFICATE----- subject=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org issuer=/C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=mail.design1st.org/emailAddress=d1st-admin@design1st.org
No client certificate CA names sent
SSL handshake has read 1497 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
24AA32335F51E58F94067A09F44DEF049D7B4588490046E04F9C31E91D1BF006
Session-ID-ctx:
Master-Key:
9CFE3120D1363C82003E74B01CFAAA22224BE44CCDC6915F743A9CB3593240CCFDE43795
FCF2A1E03242C9282B28CB3F
Key-Arg : None
Start Time: 1158300051
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
- OK Dovecot ready.
On Sep 9, 2006, at 9:43pm, OpenMacNews wrote:
given what i'm seeing below, i'm going to suggest that you step-by- step it 1st with your own, home-grown CA cert ... just to see what's happening
dovecot.cert: /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch /CN=mail.design1st.org error 29 at 0 depth lookup:subject issuer mismatch OK
all my self-signed certs look like this:
design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/ CN=design1st.org error 18 at 0 depth lookup:self signed certificate OK
This seemed more interesting, but also didn't help me:
design1st:/usr/local/openssl/certs root# openssl s_client -connect localhost:10943 -showcerts CONNECTED(00000003) depth=0 /CN=mail.design1st.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=mail.design1st.org verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=mail.design1st.org verify error:num=21:unable to verify the first certificate verify return:1
Certificate chain 0 s:/CN=mail.design1st.org i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org -----BEGIN CERTIFICATE----- snip -----END CERTIFICATE-----
Server certificate subject=/CN=mail.design1st.org issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
No client certificate CA names sent
SSL handshake has read 1681 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706 Session-ID-ctx: Master-Key: 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE28 6C 0008197298EC8A16CE8D11BF4B Key-Arg : None Start Time: 1157850811 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate)
- OK Dovecot ready.
1st, take each of the errors and google on it ... there's lots of info out there.
unfortunately, you're gonna have to match what you find with your particular circumstance(s).
that said ... lemme guess at something here:
have you IMPORTED the cert into mail.app?
why do i ask? cref here:
Mac OS X Mail.app (native eMail application) for Signing / Encrypting http://wiki.cacert.org/wiki/EmailCertificates "these steps were needed because Apple does not ship with the cacert Root CA Certificate"
richard
/"
\ / ASCII Ribbon Campaign X against HTML email, vCards / \ & micro$oft attachments[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUDl+0ACgkQlffdvTZxCMa0EwCgsIUowsMk6yLdy4TOb4ZSgAkP pwEAnRKE48MFdgacepl8qTQc6VxzWSI2 =pFSx -----END PGP SIGNATURE-----
On Sep 15, 2006, at 2:30 AM, Timothy Martin wrote:
I've successfully gone back and forth with using the same cert and
key that works with my mail client and an alternate mail server
(courier-imap) but seems to not work with with Dovecot/Apple Mail.
I've also tested with openssl s_client commands (shown below). So
given a particular cert/key the situation looks like this: Courier + Apple Mail: works Courier + Thunderbird: works Dovecot + Apple Mail: doesn't work Dovecot + Thunderbird: worksI found an old message on the mailing list that basically just said
that Apple Mail isn't working with IMAP-SSL support on dovecot, but
that seems like it must be a bug that hopefully would be fixed (if
it hasn't been already).Does anyone else have info or experience with that?
I have had no problems with Apple Mail+Dovecot. All I had to do was
import the certificate so I wouldn't get the question about the
certificate every time I started Apple Mail.
In the account setup, in the advanced tab, the settings are Port:
993, Use SSL is checked and Authentication is Password.
I'm running Dovecot 1.0rc7 if that makes any difference.
-----Morgan
Morgan,
I looked at your server (amethyst) using "openssl s_client" and
compared it to mine, and they appear exactly the same. Is that the
server to which you connect with Apple Mail successfully?
FYI: my server is running FreeBSD 4.11 (if it matters)
I have had no problems with Apple Mail+Dovecot. All I had to do was
import the certificate so I wouldn't get the question about the
certificate every time I started Apple Mail.
I don't even get to this point. I don't get the cert warning dialog
with my dovecot server (i do for courier) -- the activity window just
shows it trying to synchronize for a very long time with no success.
In the account setup, in the advanced tab, the settings are Port:
993, Use SSL is checked and Authentication is Password.I'm running Dovecot 1.0rc7 if that makes any difference.
These are indeed the settings I am using as well, except my port is
different because my production server is using 993.
.tim
On Sep 15, 2006, at 12:01 PM, Timothy Martin wrote:
Morgan,
I looked at your server (amethyst) using "openssl s_client" and
compared it to mine, and they appear exactly the same. Is that the
server to which you connect with Apple Mail successfully?FYI: my server is running FreeBSD 4.11 (if it matters)
It's one of a few that I use. And I've built dovecot using openssl
0.9.8.
I don't even get to this point. I don't get the cert warning dialog
with my dovecot server (i do for courier) -- the activity window
just shows it trying to synchronize for a very long time with no
success.
What message do you have in the log file related to your attempted
connection? Did you get a certificate warning when trying to connect
to my server?
These are indeed the settings I am using as well, except my port is
different because my production server is using 993.
That shouldn't be an issue.
-----Morgan
On Sep 15, 2006, at 9:11am, Morgan Nightbear wrote:
On Sep 15, 2006, at 12:01 PM, Timothy Martin wrote:
Morgan,
I looked at your server (amethyst) using "openssl s_client" and
compared it to mine, and they appear exactly the same. Is that the
server to which you connect with Apple Mail successfully?FYI: my server is running FreeBSD 4.11 (if it matters)
It's one of a few that I use. And I've built dovecot using openssl
0.9.8.
OpenSSL 0.9.7c-p1
I don't even get to this point. I don't get the cert warning
dialog with my dovecot server (i do for courier) -- the activity
window just shows it trying to synchronize for a very long time
with no success.What message do you have in the log file related to your attempted
connection?
dovecot: Sep 14 23:18:05 Warning: imap-login: SSL_accept() syscall
failed: EOF [<client-ip>]
dovecot: Sep 14 23:21:05 Info: imap-login: Disconnected: Inactivity:
rip=<client-ip>, lip=<server-ip>, TLS handshake
Did you get a certificate warning when trying to connect to my server?
With Apple Mail? I just tried, and yes. The standard warning i
normally get with other servers. But this doesn't happen for my own
server...
.tim
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
hi tim,
- -- On September 14, 2006 11:30:41 PM -0700 Timothy Martin instanttim@mac.com wrote:
I've also tested with openssl s_client commands (shown below). So given a particular cert/key the situation looks like this: Courier + Apple Mail: works
tho not very informative of your issue, i can tell you simply that my current sit'n is:
Cyrus + Apple Mail: works
Cyrus + Thunderbird: works
Cyrus + Mulberry: works
Dovecot + Apple Mail: works
Dovecot + Thunderbird: works
Dovecot + Mulberry: worksI found an old message on the mailing list that basically just said that Apple Mail isn't working with IMAP-SSL support on dovecot
hmm ... are you specifically attempting to comm via imapS, init'g comms @ port 993? or via TLS, init' the transaction over port 143?
but that seems like it must be a bug that hopefully would be fixed (if it hasn't been already).
are you still seeing these errors you'd reported?
design1st:/usr/local/openssl/certs root# openssl s_client -connect
...
verify error:num=27:certificate not trusted
...
verify error:num=21:unable to verify the first certificateif you are, then, again, have you IMPORTED the cert into mail.app?
if not, then dunno what to tell you :-( except that it 'smells' like a cert problem ...
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUKrggACgkQlffdvTZxCMYW8gCgssV08XuWprI7yFpiijLKp/+W sI8AoJPtnEZX3xfAEVgaMO62raqpGDPh =A8T1 -----END PGP SIGNATURE-----
On Sep 15, 2006, at 6:43am, OpenMacNews wrote:
hmm ... are you specifically attempting to comm via imapS, init'g
comms @ port 993? or via TLS, init' the transaction over port 143?
I'm using "imaps" with "ssl_listen = *:10993" because i'm running a
my production mail server at the same time as i evaluate and test
dovecot. To clear up any questions i've enclosed my configuration
file (with most of the comments and used stuff removed) below.
but that seems like it must be a bug that hopefully would be fixed (if it hasn't been already).
are you still seeing these errors you'd reported?
design1st:/usr/local/openssl/certs root# openssl s_client -connect ... verify error:num=27:certificate not trusted ... verify error:num=21:unable to verify the first certificate
if you are, then, again, have you IMPORTED the cert into mail.app?
I have made certs in a couple different ways, plus gotten a signed
cert from CAcerts.org. The errors above (27/21) was from the
cacerts.org signed cert. The error:num=18's are from the self-signed
certs. I can successfully use those same certs with my other IMAP
server, so if it's a cert problem it's something that is explicitly
acting differently with dovecot. I wish i could get some better
debugging or logging info out of dovecot.
.tim
## Dovecot configuration file
base_dir = /var/run/dovecot/
protocols = imap imaps
disable_plaintext_auth = no
log_path = /var/log/dovecot
## ## SSL settings ##
ssl_disable = no
ssl_cert_file = /usr/local/openssl/certs/test.cert ssl_key_file = /usr/local/openssl/private/test.key
#ssl_key_password = #ssl_ca_file = #ssl_verify_client_cert = no #ssl_parameters_regenerate = 168 #ssl_cipher_list = ALL:!LOW
verbose_ssl = yes
## ## Login processes ##
login_process_size = 64
## ## Mailbox locations and namespaces ##
default_mail_env = maildir:/email/test/%u
mail_extra_groups = mail
## ## Mail processes ##
verbose_proctitle = yes
first_valid_uid = 90 last_valid_uid = 90
first_valid_gid = 0
## ## IMAP specific settings ##
protocol imap {
listen = *:10143 ssl_listen = *:10993
mail_plugins = quota imap_quota mail_plugin_dir = /usr/local/lib/dovecot/imap
imap_client_workarounds = delay-newmail outlook-idle }
## ## LDA specific settings ##
protocol lda {
postmaster_address = postmaster@example.com
sendmail_path = /usr/sbin/sendmail }
## ## Authentication processes ##
auth_verbose = yes auth_debug = no auth_debug_passwords = no
auth default {
mechanisms = plain
passdb sql { args = /usr/local/etc/dovecot-sql.conf }
userdb sql { args = /usr/local/etc/dovecot-sql.conf }
user = vexim }
dict {
}
## ## Plugin settings ##
plugin {
quota = maildir:storage=10240 }
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
tim,
I'm using "imaps" with "ssl_listen = *:10993" because i'm running a my production mail server at the same time as i evaluate and test dovecot. To clear up any questions i've enclosed my configuration file (with most of the comments and used stuff removed) below.
ah. fwiw, i'm using TLS over port 143 ... i don't currently use imaps.
miht be an/the issue ... just dunno.
ssl_cert_file = /usr/local/openssl/certs/test.cert ssl_key_file = /usr/local/openssl/private/test.key
# ssl_key_password = # ssl_ca_file = # ssl_verify_client_cert = no # ssl_parameters_regenerate = 168 # ssl_cipher_list = ALL:!LOW
verbose_ssl = yes
just fyi, the ssl config i'm successfully using for/with apple mail is:
ssl_disable = no disable_plaintext_auth = yes ssl_ca_file = /var/CERTS/mydomain.com.CA.cert.rsa.pem ssl_cert_file = /var/CERTS/server.mydomain.com.cert.rsa.pem ssl_key_file = /var/PRIVATE_KEYS/server.mydomain.com.privkey.rsa.pem ssl_verify_client_cert = no ssl_parameters_regenerate = 0 ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin)
iEYEARECAAYFAkUK1NEACgkQlffdvTZxCMa9owCgilr456kyQQyuDcxz39amJIRu bGsAn2IeRJ0zcNZQ3uEguars4BZjEkpA =G1Sr -----END PGP SIGNATURE-----
On Sep 14, 2006, at 11:30 PM, Timothy Martin wrote:
I found an old message on the mailing list that basically just said
that Apple Mail isn't working with IMAP-SSL support on dovecot, but
that seems like it must be a bug that hopefully would be fixed (if
it hasn't been already).
Which version of Apple Mail? And Mac OS X? I have demonstrable
problems with the Apple Mail on Mac OS 10.3.9. I do NOT have the
same problems with the one on Mac OS 10.4+.
If my 2 year old ever gives me more than 45 minutes in the middle of
the night to work on the problem, I'll hunt it up. . . :-(
Sean
I solved the original problem here: it turns out that Apple Mail.app
doesn't work with custom port numbers with SSL turned on. It accepts
the change and doesn't complain, but there's a bug in the code that
makes it fail silently when you have an IMAP SSL connection assigned
to any port that isn't 993.
So it's all up and running now.
Am Sonntag, 10. September 2006 01:45 schrieb OpenMacNews:
So thunderbird actually seems to work fine, but Mail.app doesn't.
to be honest, that doesn't surprise me.
personally, i've given up trusting Mail.app with any 'serious' imap usage. "mebbe sumday" ...
Hmm, I've been using Mail.app for about the last 3 years with imap (most of the time with courier) and to be honest never experienced any serious problems so far. To be exact: I never experienced any problem at all. It's not a very great or very fancy client but just does it's job, as far as I'm concerned.
that said, imho, there's no more robust imap client (well, gui-client, anyway) than Mulberry (http://mulberrymail.com). if only cuz the author, Cyrus Daboo, is about as 'authoritative' as it gets.
I'm also currently trying out Mulberry. Besides the widget-set being absolutely horrible it does quite well. On OS X. The current Linux Version (4.0.5) seems to have a serious problem encoding mails. It only produces utf-8 encoded mails (despite what you set in the preferences) but these are completely broken when using the linux client. Whatever it produces - it's for sure not valid utf-8. Strangely utf-8 works with the mac version although it's the same version allegedly coming from the same source. Another funny thing with respect to robustness: I experienced some crashes on OS X within a few weeks and the Linux version isn't able to quit without segmentation fault at all. No, you are definitely exaggerating. Mulberry has some good ideas and the Mac version is quite ok (besides the really lousy gui) but at least the Linux version is still more than a little buggy.
Do you think it makes a difference how you created the cert?
short answer: yes.
I guess so. I just went the normal way (setting up CA, request, signing the request) and it just worked out of the box with Mail.app (and Mulberry, kmail, sylpheed) and dovecot. So there is IMHO nothing wrong with Mail.app and SSL per se.
Marcus
No, you are definitely exaggerating.
in addition to my plethora of caveats -- 'personally', 'imho', 'ymmv', 'my $0.02', etc etc -- i'm not exaggerating.
i'm simply stating my opinions based on my experiences.
if your experiences/opinions are different, then that's gr8.
the effort was to provide tim with some options, not to get into a debate about mail.app.
--
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
participants (6)
-
Marcus Jodorf
-
Morgan Nightbear
-
OpenMacNews
-
Sean Kamath
-
Timothy Martin
-
Timothy Martin