Dovecot POP3 STARTTLS works on Thunderbird but not on Gmail

Aleš Grm

16 Nov 2014 16 Nov '14

3:05 p.m.

Hello,

I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

Nov 16 14:04:17 mail dovecot: auth: Debug: auth client connected (pid=31587) Nov 16 14:04:17 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=209.85.160.136, lip=192.168.100.94, session=

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

# 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no hostname = kopitarna.eu mail_debug = yes mail_location = maildir:~/Maildir namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } postmaster_address = postmaster@kopitarna.eu protocols = " imap pop3" ssl_cert =

Any idea why does it work with Thunderbird and not with Gmail?

Show replies by date

Reindl Harald

16 Nov 16 Nov

3:19 p.m.

Am 16.11.2014 um 14:05 schrieb Aleš Grm:

...

I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

Aleš Grm

3:39 p.m.

Ok, I tried on port 995, and on Gmail I get "SSL error: unable to verify the first certificate". Certificate is not self-signed (using StartCOM). The log now shows:

Nov 16 14:37:52 mail dovecot: auth: Debug: auth client connected (pid=31923) Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [209.85.213.23] Nov 16 14:37:53 mail dovecot: pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [209.85.213.23] Nov 16 14:37:53 mail dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=209.85.213.23, lip=192.168.100.94, TLS: Disconnected, session= ^C

Could the form of public part of certificate be wrong? I'm using only .CRT.

Kopitarna Sevnica d. d.

Prvomajska ulica 8 8290 SEVNICA SLOVENIA www.kopitarna.eu Cell: +386 31 899 993 Land: +386 7 81 63 440

On 16 November 2014 14:19, Reindl Harald h.reindl@thelounge.net wrote:

...

Am 16.11.2014 um 14:05 schrieb Aleš Grm:

...
I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

Sean Kamath

21 Nov 21 Nov

7:58 a.m.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1....

Sean

On Nov 16, 2014, at 5:39 AM, Aleš Grm ales.grm@kopitarna.eu wrote:

...

Ok, I tried on port 995, and on Gmail I get "SSL error: unable to verify the first certificate". Certificate is not self-signed (using StartCOM). The log now shows:

Nov 16 14:37:52 mail dovecot: auth: Debug: auth client connected (pid=31923) Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [209.85.213.23] Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [209.85.213.23] Nov 16 14:37:53 mail dovecot: pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [209.85.213.23] Nov 16 14:37:53 mail dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=209.85.213.23, lip=192.168.100.94, TLS: Disconnected, session= ^C

Could the form of public part of certificate be wrong? I'm using only .CRT.

Kopitarna Sevnica d. d.

Prvomajska ulica 8 8290 SEVNICA SLOVENIA www.kopitarna.eu Cell: +386 31 899 993 Land: +386 7 81 63 440

On 16 November 2014 14:19, Reindl Harald h.reindl@thelounge.net wrote:

...
Am 16.11.2014 um 14:05 schrieb Aleš Grm:

...
I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

Aleš Grm

16 Nov 16 Nov

4:27 p.m.

Ok, I tried on port 995, and on Gmail I get "SSL error: unable to verify the first certificate". Certificate is not self-signed (using StartCOM). The log now shows:

Nov 16 14:37:52 mail dovecot: auth: Debug: auth client connected (pid=31923)

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [209.85.213.23]

Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [209.85.213.23]

Nov 16 14:37:53 mail dovecot: pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [209.85.213.23]

Nov 16 14:37:53 mail dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=209.85.213.23, lip=192.168.100.94, TLS: Disconnected, session=

Could the form of public part of certificate be wrong? I'm using only .CRT. On 16 Nov 2014 14:19, "Reindl Harald" h.reindl@thelounge.net wrote:

...

Am 16.11.2014 um 14:05 schrieb Aleš Grm:

...
I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

Reindl Harald

4:34 p.m.

Am 16.11.2014 um 15:27 schrieb Aleš Grm:

...

Ok, I tried on port 995, and on Gmail I get "SSL error: unable to verify the first certificate". Certificate is not self-signed (using StartCOM)

Could the form of public part of certificate be wrong? I'm using only .CRT

on *any* server you need to setup the chain correctly https://www.google.at/#q=startssl+intermediate+certificate

that's not dovecot specific and not doing so means you rely on the grace of the client which may or may not have the full chain in his trust store

P.S.: for clients like MS Outlook you need port 993/995 anyways

...

On 16 Nov 2014 14:19, "Reindl Harald" h.reindl@thelounge.net wrote:

...
Am 16.11.2014 um 14:05 schrieb Aleš Grm:

...
I have configured Dovecot to work perfectly on Thundrebird using SSL certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

Aleš Grm

4:59 p.m.

That was it, thank you very much. I forgot about it when I read the docs.

On 16 November 2014 15:34, Reindl Harald h.reindl@thelounge.net wrote:

...

Am 16.11.2014 um 15:27 schrieb Aleš Grm:

...
Ok, I tried on port 995, and on Gmail I get "SSL error: unable to verify the first certificate". Certificate is not self-signed (using StartCOM)

Could the form of public part of certificate be wrong? I'm using only .CRT

on *any* server you need to setup the chain correctly https://www.google.at/#q=startssl+intermediate+certificate

that's not dovecot specific and not doing so means you rely on the grace of the client which may or may not have the full chain in his trust store

P.S.: for clients like MS Outlook you need port 993/995 anyways

On 16 Nov 2014 14:19, "Reindl Harald" h.reindl@thelounge.net wrote:

...
...
Am 16.11.2014 um 14:05 schrieb Aleš Grm:

I have configured Dovecot to work perfectly on Thundrebird using SSL

...
certificates with STARTTLS on port 110. When I try to add this account on Gmail I get the error:

In Gmail my settings include port 110 and the use of SSL is checked. Dovecot configuration:

Any idea why does it work with Thunderbird and not with Gmail?

surely - gmail wants 995 instead 110 (means not STARTTLS) and don't accept self signed certificates BTW

3614

Age (days ago)

3619

Last active (days ago)

List overview

6 comments

4 participants

participants (4)

Aleš Grm
Aleš Grm
Reindl Harald
Sean Kamath