[Dovecot] ssl still not working
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
-- Levente "Si vis pacem para bellum!"
On Thu, 2003-05-15 at 01:25, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
I can say that I too have never been able to get IMAPS working with dovecot, with both self-signed generated .pem files and my apache SSL keys. I have that same error message with Mozilla Mail 1.2.1 and 1.4b.
Warren
SSL is working very well for me. I used the mkcert.sh script that comes with Dovecot - although I changed it a bit to make a certificate that lasts a year instead of one month.
Mozilla, Outlook Express, Lotus Notes - all using SSL on port 993 to communicate with Dovecot and working fine.
It _did_ take some work to get Dovecot to compile with SSL support, but it turns out that my SSL_dev package was not installed properly. (I had such a problem finding the header files that were needed that I completely upgraded the whole of Linux on that machine and then installed the DEV code from a package). Once that was done, I could coax Dovecot into compiling with SSL.
Now it works very well. Mozilla in particular immediately asks me if I want to accept the certificate permanently or temporarily - Outlook and Notes use IE's certificate store - for that I needed to tell my users to surf to https://server.com:993 - and then IE would pick up the certificate and let them add it to their trusted store.
I don't know about the Mozilla error below, I didn't get that.
Les
Leslie Viljoen Africa Missions Systems Administrator Cell: 0836186100 Work: 011 6991700 Fax: 011 7945522
Warren Togami warren@togami.com Sent by: dovecot-bounces@procontrol.fi 2003-05-15 10:50 PM
To: dovecot@procontrol.fi
cc:
Subject: Re: [Dovecot] ssl still not working
On Thu, 2003-05-15 at 01:25, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
I can say that I too have never been able to get IMAPS working with dovecot, with both self-signed generated .pem files and my apache SSL keys. I have that same error message with Mozilla Mail 1.2.1 and 1.4b.
Warren
Hi,
I'm running a stable debian version and had the same problem after installing the debian package. When I downloaded the latest version of openssl (openssl-0.9.7b), compiled dovecot and linked it with this openssl version the problem was solved.
regards,
Ruud
On Thu, May 15, 2003 at 01:25:01PM +0200, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
-- Levente "Si vis pacem para bellum!"
--
Ruud de Jong
Delft University of Technology
Faculty of Information Technology and Systems
Computer Graphics and CAD/CAM Group
Mekelweg 4, room 12.070, 2628 CD Delft, The Netherlands
E-mail : R.deJong@its.tudelft.nl
pgp key : http://graphics.tudelft.nl/~ruud/ruud.pgp
Phone : +31 (0)15 278 1437
Fax : +31 (0)15 278 7141
that may be the reason since I use: openssl-0.9.7a-5 openssl-devel-0.9.7a-5
Ruud de Jong wrote:
Hi,
I'm running a stable debian version and had the same problem after installing the debian package. When I downloaded the latest version of openssl (openssl-0.9.7b), compiled dovecot and linked it with this openssl version the problem was solved.
regards,
Ruud
On Thu, May 15, 2003 at 01:25:01PM +0200, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
-- Levente "Si vis pacem para bellum!"
-- Levente "Si vis pacem para bellum!"
but as I look into the source it seems redhat already includes all patches for 7b :-( any other tip?
Farkas Levente wrote:
that may be the reason since I use: openssl-0.9.7a-5 openssl-devel-0.9.7a-5
Ruud de Jong wrote:
Hi,
I'm running a stable debian version and had the same problem after installing the debian package. When I downloaded the latest version of openssl (openssl-0.9.7b), compiled dovecot and linked it with this openssl version the problem was solved.
regards,
Ruud
On Thu, May 15, 2003 at 01:25:01PM +0200, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
-- Levente "Si vis pacem para bellum!"
-- Levente "Si vis pacem para bellum!"
Did you folks have to create a pam.d file for dovecot? I'm not quite sure what to put in my pam.d dovecot file. Could this be affecting my SSL ability?
Warren
Warren Togami wrote:
Did you folks have to create a pam.d file for dovecot? I'm not quite sure what to put in my pam.d dovecot file. Could this be affecting my SSL ability?
Warren
put the same to all imap, imaps, pop3, pop3s:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
-- Levente "Si vis pacem para bellum!"
I am using shadow authentication, not Pam, so I don't know.
Here are my /usr/local/etc/dovecot.conf entries:
auth_userdb = passwd
auth_passdb = shadow
Les
Leslie Viljoen Africa Missions Systems Administrator Cell: 0836186100 Work: 011 6991700 Fax: 011 7945522
Warren Togami warren@togami.com Sent by: dovecot-bounces@procontrol.fi 2003-05-16 12:45 PM
To: dovecot@procontrol.fi
cc:
Subject: Re: [Dovecot] ssl still not working
Did you folks have to create a pam.d file for dovecot? I'm not quite sure what to put in my pam.d dovecot file. Could this be affecting my SSL ability?
Warren
On Fri, 16 May 2003, Ruud de Jong wrote:
Hi,
I'm running a stable debian version and had the same problem after installing the debian package. When I downloaded the latest version of openssl (openssl-0.9.7b), compiled dovecot and linked it with this openssl version the problem was solved.
Yeah I've been noticing that. The Debian package is compiled with gnutls which appears to be somewhat broken (at least on stable.) I'm going to do a new version today compiled against openssl.
-- Jaldhar H. Vyas jaldhar@debian.org La Salle Debain - http://www.braincells.com/debian/
On Thu, 2003-05-15 at 14:25, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
If you set verbose_ssl = yes, I guess you'll see something like this in log file:
imap-login: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
I'm beginning to think that this has something to do with RSA keys .. because I don't provide it large enough RSA key and I don't create any temporary RSA keys. Or maybe the same with DH keys.
I wish someone with more understanding on SSL protocol wrote the SSL stuff to Dovecot :) I can only guess how they probably work.
My guess is that I should either generate a new temporary RSA key when it's asked (which I think would be very slow since every session might create new one) or that I pregenerated a few keys with specific sizes (512 and 1024bits?) and used only them, or let login process signal master process that we need a new key with bit size xyz, then wait for master process to create it and let all the new processes use it. I think the last one would work best.
Timo Sirainen wrote:
On Thu, 2003-05-15 at 14:25, Farkas Levente wrote:
hi, I've just downloaded the latest cvs and tried to use imaps. in mozilla I've got the following message window:
mail.int.bppiac.hu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator.
and there is only one OK button:-) and this happens always. what can be the reason and what can I do? thanks.
If you set verbose_ssl = yes, I guess you'll see something like this in log file:
imap-login: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
I'm beginning to think that this has something to do with RSA keys .. because I don't provide it large enough RSA key and I don't create any temporary RSA keys. Or maybe the same with DH keys.
I wish someone with more understanding on SSL protocol wrote the SSL stuff to Dovecot :) I can only guess how they probably work.
My guess is that I should either generate a new temporary RSA key when it's asked (which I think would be very slow since every session might create new one) or that I pregenerated a few keys with specific sizes (512 and 1024bits?) and used only them, or let login process signal master process that we need a new key with bit size xyz, then wait for master process to create it and let all the new processes use it. I think the last one would work best.
here is the result:
imap-login: May 21 10:35:39 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:39 Info: Disconnected [192.168.0.50]
imap-login: May 21 10:35:39 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:39 Info: Disconnected [192.168.0.50]
imap-login: May 21 10:35:39 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:39 Info: Disconnected [192.168.0.50]
imap-login: May 21 10:35:43 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:43 Info: Disconnected [192.168.0.50]
imap-login: May 21 10:35:43 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:43 Info: Disconnected [192.168.0.50]
this is with the latest patch (it's actually today's cvs version). I don't use dovecot's generated certs, I manually generate certificates for all of our services https, imaps, vpn... with one common global CA for the whole company. ssl still not working.
-- Levente "Si vis pacem para bellum!"
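For triaging handshake failures like the ones logged above, the following added example (not code from the thread or from Dovecot) parses verbose_ssl lines in the format shown, unpacks the OpenSSL error code into its library, function and reason numbers, and counts failures per client. The function names are hypothetical, the sample lines are constructed in the thread's format, and the code assumes the pre-3.0 OpenSSL error-code layout.

```python
import re
from collections import Counter

# Constructed sample in the format of the imap-login lines quoted above;
# the second client address is made up for the example.
SAMPLE_LOG = """\
imap-login: May 21 10:35:39 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:35:39 Info: Disconnected [192.168.0.50]
imap-login: May 21 10:35:43 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.50]
imap-login: May 21 10:36:02 Warning: SSL_accept() failed: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [192.168.0.51]
imap-login: May 21 10:36:02 Info: Disconnected [192.168.0.51]
"""

# One handshake-failure line: process, timestamp, OpenSSL error string
# (code:library:function:reason) and the client address in brackets.
FAILURE_RE = re.compile(
    r"^(?P<proc>[\w-]+): (?P<ts>\w{3} +\d+ [\d:]{8}) Warning: "
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?) \[(?P<client>[^\]]+)\]$"
)

def split_error_code(code_hex):
    """Unpack an OpenSSL (pre-3.0 layout) error code into (lib, func, reason)."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def parse_failures(log_text):
    """Return one dict per SSL_accept() failure line; other lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        match = FAILURE_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            ids = split_error_code(entry["code"])
            entry["lib_id"], entry["func_id"], entry["reason_id"] = ids
            failures.append(entry)
    return failures

def failures_by_client(log_text):
    """Count failures per (client, reason) so a repeatedly failing client stands out."""
    return Counter((f["client"], f["reason"]) for f in parse_failures(log_text))

if __name__ == "__main__":
    for (client, reason), count in failures_by_client(SAMPLE_LOG).most_common():
        print(f"{client}: {count} x {reason}")
```

A single client failing every handshake with the same reason, as in the log above, points at a per-client or library-level incompatibility rather than random corruption on the wire.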
participants (6)
- Farkas Levente
- Jaldhar H. Vyas
- leslie_viljoen@icoc.org
- Ruud de Jong
- Timo Sirainen
- Warren Togami