"no shared cypher", no matter what I try
Greetings, I have had to reinstall my email server on another Linux (centos 7.6) VPS, with a newer version of dovecot, other software and a brand new letsencrypt certificate just for email with postfix and dovecot (that certificate works fine with postfix). Output of dovecot --version and dovecot -n on the new server is below.
Now, messages ARE delivered in the right IMAP mailboxes, but when I try to connect with Mutt from my home computer, mutt says, before prompting for a password:
gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
The corresponding output of dovecot in /var/log/maillog is below. The gist of it **seems** to me to be the "no shared cipher" part, but I may be wrong. In any case, I have already tried to search online for that string, and for other relevant parts of the log, without success. All I have found are suggestions to change the values of ssl_protocols and/or ssl_cipher_list to some non-default value, but I have tried all those tips without success. Current values of those variables are these:
grep -v ^# /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/MYSERVERNAME/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYSERVERNAME/privkey.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
Any pointer to what to check or change next is VERY welcome.
Thanks in advance, Marco
#################################################
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<knICtX98UK4vNZ88>
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
#################################################
dovecot --version
2.2.36 (1f10bfa63)

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: MYSERVERNAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
mail_location = maildir:/var/mail//base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes
On 08 December 2018 at 12:03 Marco Fioretti <marco.fioretti@gmail.com> wrote:
Can you comment out ssl_cipher_list and ssl_protocols?
Is your certificate ECC certificate?
Aki
Marco Fioretti skrev den 2018-12-08 11:03:
I have had to reinstall my email server on another Linux (centos 7.6)
reinstalls often help make the same problems with precompiled distros :=)
is openssl installed or what ssl api is in use?
did you create a bug report to centos maintainers?
it's not a postfix/dovecot problem that ssl is not working
lets encrypt is irrelevant
Have you tried connecting with openssl s_client, with a cypher list of all?
My suspicion is that one of the pair of programs is only using old, weak cyphers (due to age) and the other only strong ones.
David
I ran into that error message with a different application and it turned out that the server certificate was expired.
-- Doug
On 8 December 2018, at 12:22, David Gardner <somloieater@gmail.com> wrote:
On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from https://weakdh.org/sysadmin.html
ssl = yes
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
#regenerates every week
ssl_dh_parameters_length = 2048
ssl_cert = </etc/pki/tls/certs/XXXXXXX+chain-crt.pem
ssl_key = </etc/pki/tls/private/XXXXXXX-key.pem
My hook script for letsencrypt copies the cert and key into /etc/pki/tls/. Check to make sure selinux is not denying access to /etc/letsencrypt for dovecot.
You can also test with gnutls-cli or openssl. E.g.
openssl s_client -host imap.XXXXX -port 993
or
gnutls-cli --port 993 imap.XXXXX
-- Greg
Hello, and some update. Short version: the error is still there, but I have some more data to share; thanks in advance for further advice.
First, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is not an obsolete version. Second... at the moment I can send email through postfix on the same server, with the same certificates (almost: I still have to fix some stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
However, running openssl as requested returns "no peer certificate available", and when I connect with mutt to dovecot I still get the "no shared cipher" error. These are the permissions on the certificate files:
ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
-r--------. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
-r--------. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
output of openssl, dovecot -n, its current SSL settings and excerpt of the log file are all below.
openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(00000003)
140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544521696
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
current SSL dovecot settings in conf.d/10-ssl.conf
ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
ssl_min_protocol = TLSv1.2
ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
ssl_cipher_list = ALL
output of dovecot -n:
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes
This is the error message I get when I try to connect with mutt:
Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
Hi!
You have misconfigured service imap-login, remove the 993 listener config (it's there by default) or add ssl = yes to it.
Aki
On 11.12.2018 11.58, Marco Fioretti wrote:
Hello Aki,
Maybe I misunderstood you, but both adding an "ssl = yes" line to this section of dovecot.conf, and commenting out the whole four lines starting at "inet_listener imaps", have no effect:
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
This is the error I still get after restarting dovecot and trying again to connect with mutt:
ogin: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=server.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<zdRFPbx8xp4vNZ88>
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users
On Tue 11 Dec 2018 at 11:01 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Marco Fioretti skrev den 2018-12-11 11:12:
maybe I misunderstood you, but both adding an "ssl = yes" line to this section of dovecot.conf, and commenting out the whole four lines starting at "inet_listener imaps", have no effect:
you should not edit dovecot.conf :/
edit config files in conf.d
start from zero now
The problem is solved, thanks to Aki. I was missing the "include" directive in dovecot.conf, because it was not needed in the dovecot version I was using previously.
Now I have a related question, and... another problem :-)
The question: what is a safer/more sensible value for ssl_cipher_list than the current "ALL"?
The problem: now that I can log in, a permission/ownership problem came out. In the old server, the mailboxes were owned by user mail_manager, group mail_management.
In the new server I recreated those users, copied the mailboxes as they were. Postfix / procmail are using that userid, and can write successfully to the mailboxes.
Dovecot, instead, cannot. Even if I added the dovecot user to the mail_management group, it keeps generating plenty of errors like this:
Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error: file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist) failed: Permission denied (euid=5000(<unknown>) egid=5000(mail_management) missing +w perm: /var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000 mode=0755)
Of course it cannot create the log file, because the owner is the mail_manager user (euid 5000).
So the question is: what is the good/best practice now? Make dovecot run as user mail_manager? And if yes, how? Or should I change the permissions of all the mailboxes and mail files with chmod -R 775?
Thanks, Marco
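To see exactly why the dotlock fails, here is an added example (not Dovecot's code and not from anyone in the thread) that parses the euid/egid and the directory owner/mode out of the error line above and applies the Unix access rule to them. ERROR_LINE is the log line as posted, with SERVERNAME and USERNAME left as placeholders; the two remedies it evaluates are the two options raised in the message, not a recommendation.

```python
"""Apply the Unix access rule to Dovecot's file_dotlock_create error line.

Added example, not Dovecot's own code. ERROR_LINE is the log line posted
in the thread, with SERVERNAME/USERNAME left as posted.
"""
import re

ERROR_LINE = (
    "Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error: file_dotlock_create("
    "/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist) failed: "
    "Permission denied (euid=5000(<unknown>) egid=5000(mail_management) missing +w perm: "
    "/var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000 mode=0755)")

# Dovecot prints ids as "euid=5000(<unknown>)", so skip the parenthesised name.
PATTERN = re.compile(
    r"euid=(?P<euid>\d+)\S* egid=(?P<egid>\d+)\S* missing \+(?P<perm>[rwx]) perm: "
    r"(?P<path>\S+), dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]+)")


def parse_perm_error(line):
    """Pull the ids, the missing permission and the directory owner/mode out of the line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {"euid": int(g["euid"]), "egid": int(g["egid"]), "perm": g["perm"],
            "path": g["path"], "uid": int(g["uid"]), "gid": int(g["gid"]),
            "mode": int(g["mode"], 8)}


def access_class(euid, egid, uid, gid):
    """Which triplet of the mode the kernel consults. The first match wins:
    a process that owns the directory is judged on the owner bits only, and
    a supplementary group would be checked the same way as the egid."""
    if euid == uid:
        return "owner"
    if egid == gid:
        return "group"
    return "other"


def has_perm(mode, cls, perm):
    """True if the r/w/x bit `perm` is set in the owner/group/other triplet `cls`."""
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    return bool((mode >> shift) & bit)


def explain(line):
    """Why the lock file could not be created, plus the two options raised in
    the thread evaluated with the same rule: running Dovecot as the mailbox
    owner (uid 1001), or making the directories group-writable (chmod -R 775)."""
    info = parse_perm_error(line)
    cls = access_class(info["euid"], info["egid"], info["uid"], info["gid"])
    return {
        "path": info["path"],
        "class": cls,                                   # group: 5000 == 5000, but 5000 != 1001
        "granted": has_perm(info["mode"], cls, info["perm"]),          # 0755 -> group r-x, no w
        "run_as_owner_ok": has_perm(info["mode"], "owner", info["perm"]),
        "group_writable_ok": has_perm(info["mode"] | 0o020, "group", info["perm"]),
    }


if __name__ == "__main__":
    for key, value in explain(ERROR_LINE).items():
        print("%-18s %s" % (key, value))
```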
Ah, the actual problem appears to be that you are not including the conf.d directory at all in your config, so you are ending up with no certificate at all. This is handled better in 2.3.x.
Aki
On 11.12.2018 12.01, Aki Tuomi wrote:
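The tell in Aki's diagnosis is visible in the dovecot -n output itself: ssl = required with no ssl_cert or ssl_key line. Here is an added example (not Dovecot's code and not from anyone in the thread) that parses dovecot -n output and flags that, the explicitly defined imaps listener without ssl = yes that Aki asked about first, and an ssl_cipher_list of ALL as in the later question. SAMPLE_DOVECONF is a constructed copy of the dovecot -n output posted above.

```python
"""Lint `dovecot -n` output for the TLS problems discussed in this thread.
Added example, not Dovecot's own code; SAMPLE_DOVECONF is a constructed copy
of the `dovecot -n` output posted in the thread (hostname and paths as posted).
"""

SAMPLE_DOVECONF = """\
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes
"""


def parse_doveconf(text):
    """Turn doveconf -n output into nested dicts: 'key = value' lines become
    strings, 'name {' opens a nested dict keyed by the full block header
    (e.g. 'inet_listener imaps'), and '#' comment lines are skipped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def lint_tls(conf):
    """Return (setting, problem) pairs for the symptoms seen in the thread."""
    findings = []
    ssl_mode = conf.get("ssl", "no")
    if ssl_mode in ("yes", "required"):
        # With no ssl_cert/ssl_key in the effective config the server has no
        # certificate to offer: Dovecot 2.2 logs "no shared cipher" and
        # s_client shows "no peer certificate available", as in this thread.
        for key in ("ssl_cert", "ssl_key"):
            if key not in conf:
                findings.append((key, "not set although ssl = %s; check that "
                                 "dovecot.conf has '!include conf.d/*.conf'" % ssl_mode))
    # An imaps listener written out explicitly but without ssl = yes is what
    # Aki asked about first (the stock 10-master.conf has ssl = yes there).
    imaps = conf.get("service imap-login", {}).get("inet_listener imaps")
    if imaps is not None and imaps.get("ssl") != "yes":
        findings.append(("service imap-login/inet_listener imaps",
                         "listener defined without ssl = yes"))
    # OpenSSL's ALL is every suite except eNULL, so RC4 and 3DES stay enabled.
    if conf.get("ssl_cipher_list", "") == "ALL":
        findings.append(("ssl_cipher_list",
                         "ALL still admits RC4 and 3DES; prefer an explicit list"))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe live output in with:  doveconf -n | python3 lint_doveconf.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOVECONF
    for setting, problem in lint_tls(parse_doveconf(text)) or [("-", "no findings")]:
        print("%s: %s" % (setting, problem))
```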