[Dovecot] SSL cert problem
Hi, I'm running a new dovecot 2.0.9 under CentOS 6.4. I'm having an issue with the SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem.
For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what, Thunderbird still complains with "Unknown identity".
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %n
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_fsync = never
mail_home = /vmail/%u
mail_location = maildir:~/Maildir
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service lmtp {
  unix_listener lmtp {
    user = vmail
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/pki/dovecot/certs/mail.pem
ssl_key = </etc/pki/dovecot/private/mail.example.com.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = sieve quota
}
protocol lda {
  mail_plugins = sieve quota
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
This is the log:
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.0.1]
Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts): rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46
Thx in advance
Peter
On 11.07.2013 20:47, Peter von Nostrand wrote:
I'm running a new dovecot 2.0.9 under CentOS 6.4. I'm having an issue with the SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem.
For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what, Thunderbird still complains with "Unknown identity".
because Thunderbird does not trust your own CA by default without importing it there by hand - you cannot expect to cat your CA to the cert for the server and have that be enough to get trusted by the client - if so everybody would do this to make his DNS forgery successful
please do not post debug logs anywhere without being asked for them
This is the log:
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.1]
Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.1]
the below is clear because the client does not finish the TLS handshake
Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts): rip=192.168.0.1, lip=192.168.1.1, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46
On 7/11/2013 11:47 AM, Peter von Nostrand wrote:
Hi, I'm running a new dovecot 2.0.9 under CentOS 6.4. I'm having an issue with the SSL certificate not being accepted by the email client. I have my own CA and I have generated certificates for web usage without a problem.
For imaps and pop3s what I did was generate a certificate for the hostname of my dovecot server and then cat that cert with the intermediate and root CA certificates. No matter what, Thunderbird still complains with "Unknown identity".
If you have access to a Unix / Linux system, you can use openssl with the s_client command to connect to your mail server, much as you would have done with telnet in the old days. openssl shows all of the key exchange in detail and should be more than enough for you to be able to debug your problem. Compare fingerprints of the keys you have stored with those being sent to/from the server.
Example:
openssl s_client -connect mail.mydomain.com:995
Dem
At 1PM -0700 on 11/07/13 you (Professa Dementia) wrote:
If you have access to a Unix / Linux system, you can use openssl with the s_client command to connect to your mail server, much as you would have done with telnet in the old days. openssl shows all of the key exchange in detail and should be more than enough for you to be able to debug your problem. Compare fingerprints of the keys you have stored with those being sent to/from the server.
Example:
openssl s_client -connect mail.mydomain.com:995
For STARTTLS that needs to be
openssl s_client -starttls imap -connect mail.mydomain.com:143
Ben
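The point made twice in this thread (Reindl: trust comes from the client's CA store, not from what is appended to the server's PEM; Professa Dementia: compare fingerprints of what you stored with what is sent) can be reproduced offline with the same `openssl` tool and the same chain-building rules a TLS client applies. The script below is an added example, not code from the thread or from the Dovecot project; it assumes only the `openssl` command-line tool, and every name, CA and certificate in it is constructed on the spot. It builds a private root, an intermediate and a server certificate, concatenates them exactly as the original post describes, and then runs `openssl verify` against two different trust stores: one holding the private root (the state after importing the CA into the client) and one holding an unrelated root (the client's default state). It also shows why the intermediate still has to be sent.

```shell
#!/bin/sh
# Added example (not part of the thread): demonstrate that a self-made chain file
# only verifies when the *verifier's* trust store holds the private root.
# Assumes only the openssl CLI; all names below are constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY_DIR="$WORK/no-system-roots"   # empty -CApath so the OS trust store is never consulted
mkdir -p "$EMPTY_DIR"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n[ca_ext]\nbasicConstraints = critical, CA:true\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/req.cnf"
printf 'basicConstraints = critical, CA:true\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/int.ext"
printf 'basicConstraints = CA:false\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:mail.example.com\n' > "$WORK/server.ext"

mkcert() {  # $1 = output basename, $2 = subject CN ; self-signed CA via req -x509
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkcert root       "Demo Private Root CA"     # the admin's own root (Peter's situation)
mkcert other-root "Some Unrelated Root CA"   # stands in for the roots a stock client ships with

# Intermediate signed by the private root, server cert signed by the intermediate.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

# The chain file exactly as the original post builds it: server + intermediate + root.
cat "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/mail.pem"

# verify_against TRUSTED_CA_FILE CHAIN_FILE: validate the server certificate using the
# given trust store and treating CHAIN_FILE as what the server sends (-untrusted),
# which is the same chain-building a TLS client performs. Returns 0 on success.
verify_against() {
    openssl verify -CAfile "$1" -CApath "$EMPTY_DIR" -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1
}

# fingerprint PEM_FILE: SHA-256 fingerprint of the first certificate in the file,
# the value you compare between your stored cert and what s_client shows.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

echo "server certificate fingerprint: $(fingerprint "$WORK/server.pem")"
if verify_against "$WORK/root.pem" "$WORK/mail.pem"; then
    echo "private root in trust store, full chain sent: verifies"
fi
if ! verify_against "$WORK/other-root.pem" "$WORK/mail.pem"; then
    echo "private root NOT in trust store: fails even though the root is in mail.pem (client alert: certificate unknown)"
fi
if ! verify_against "$WORK/root.pem" "$WORK/server.pem"; then
    echo "root trusted but intermediate not sent: fails (this is why the intermediate belongs in mail.pem)"
fi
```

Importing the root into Thunderbird's certificate store corresponds to the first `verify_against` call; appending the root to `ssl_cert` corresponds to the second and changes nothing, because the verifier only ever uses the chain file to find issuers, never to decide which issuers to trust.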