On Postfix this now seems to run, and with Dovecot I also need to handle these two domains, but these error messages are appearing, like:
Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines: ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
Running with Debian Buster
# dovecot --version
2.3.4.1 (f79e8e7e4)

# nmail.caloro.ch
local_name nmail.caloro.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
  ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
}
# nmail.calm-ness.ch
local_name nmail.calm-ness.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
  ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
}
thanks for possible help
On Wednesday, June 29, 2022 21:24 CEST, Maurizio Caloro <mauric@gmx.ch> wrote:
> On Postfix this now seems to run, and with Dovecot I also need to handle these two domains, but these error messages are appearing, like:
> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines: ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
> Running with Debian Buster
> # dovecot --version
> 2.3.4.1 (f79e8e7e4)
> # nmail.caloro.ch
> local_name nmail.caloro.ch {
>   ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
>   ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
> }
> # nmail.calm-ness.ch
> local_name nmail.calm-ness.ch {
>   ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
>   ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
> }
> thanks for possible help

Hi,
the config says "You will still need a top-level default ssl_key and ssl_cert as well, or you will receive errors."
I don't know if this is also a must-have for SNI, as it is noted for multiple certificates per IP.
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#dove...
On 2022-06-29 22:00, Jürgen Echter wrote:
> On Wednesday, June 29, 2022 21:24 CEST, Maurizio Caloro <mauric@gmx.ch> wrote:
> > On Postfix this now seems to run, and with Dovecot I also need to handle these two domains, but these error messages are appearing, like:
> > Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines: ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
> > Running with Debian Buster
> > # dovecot --version
> > 2.3.4.1 (f79e8e7e4)
> > # nmail.caloro.ch
> > local_name nmail.caloro.ch {
> >   ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
> >   ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
> > }
> > # nmail.calm-ness.ch
> > local_name nmail.calm-ness.ch {
> >   ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
> >   ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
> > }
> > thanks for possible help
>
> Hi,
> the config says "You will still need a top-level default ssl_key and ssl_cert as well, or you will receive errors."
> I don't know if this is also a must-have for SNI, as it is noted for multiple certificates per IP.
> https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#dove...

This is also true for SNI.
From the config snippet above, configure the cert/key for nmail.caloro.ch as default ssl_cert / ssl_key, so without the local_name nmail.caloro.ch.
The nmail.calm-ness.ch can stay as is and will be served when requested through SNI.
-- Christian Kivalo
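
A small linter for the configuration discussed above, as an added example (not part of the original thread and not Dovecot's own tooling). It checks for the top-level default that Christian describes and, going one step beyond the thread, that every ssl_cert points at a certificate and every ssl_key at a private key. The names lint, pem_label, sample_label, POSTED and FIXED are this example's own; sample_label assumes certbot's file naming, where fullchain.pem holds the certificate chain and privkey.pem the key.

```python
import re

SETTING = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)")
BLOCK = re.compile(r"^\s*local_name\s+(\S+)\s*\{")
WANT = {"ssl_cert": "CERTIFICATE", "ssl_key": "PRIVATE KEY"}  # PEM label suffix

def pem_label(path):  # label of the first PEM block in a file, e.g. "CERTIFICATE"
    with open(path) as fh:
        m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", fh.read())
    return m.group(1) if m else ""

def lint(conf, label_of=pem_label):  # returns a list of findings for config text
    scopes, scope = {"default": {}}, "default"
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if m := BLOCK.match(line):
            scope = m.group(1)
        elif "}" in line:
            scope = "default"
        elif m := SETTING.match(line):
            scopes.setdefault(scope, {})[m.group(1)] = m.group(2)
    findings = []
    for name, settings in scopes.items():
        for key, want in WANT.items():
            if key not in settings:
                findings.append(f"{name}: {key} missing")
            elif not label_of(settings[key]).endswith(want):
                findings.append(f"{name}: {key} is not a {want}")
    return findings

def sample_label(path):  # constructed stand-in for pem_label (certbot naming)
    return "PRIVATE KEY" if path.endswith("privkey.pem") else "CERTIFICATE"

# The snippet as posted in the thread, then the layout from Christian's reply.
POSTED = """
local_name nmail.caloro.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
  ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
}
local_name nmail.calm-ness.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
  ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
}"""
FIXED = """
ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
local_name nmail.calm-ness.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
  ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
}"""
```

On a real server, pass lint() the text of the SSL configuration and leave label_of at its default so the referenced files are actually read; this needs an account that may read the key files.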
"Maurizio" == Maurizio Caloro <mauric@gmx.ch> writes:
Maurizio> On Postfix this now seems to run, and with Dovecot I also need
Maurizio> to handle these two domains, but these error messages are
Maurizio> appearing, like:
Why aren't you just using a single domain as the MX record for all the domains? Then you only need one SSL cert pair for all of this, and if you publish the right SPF records, each domain can send from the same MX host as well.
Maurizio> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>,
Maurizio> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:
Maurizio> ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
Maurizio> Running with Debian Buster
Maurizio> # dovecot --version
Maurizio> 2.3.4.1 (f79e8e7e4)
Maurizio> # nmail.caloro.ch
Maurizio> local_name nmail.caloro.ch {
Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
Maurizio> ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
Maurizio> }
Maurizio> # nmail.calm-ness.ch
Maurizio> local_name nmail.calm-ness.ch {
Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
Maurizio> ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
Maurizio> }
Maurizio> thanks for possible help
John please send me a direct email address
I understand what you need and my customers are all separate certs per domain on both sides
I spent over three months setting stuff up
I will send complete instructions for both postfix & dovecot
Plus auto scripts etc
You will need to be running a postgresql database for my stuff to work without mods
And running python 2.xx
thanks - paul
Paul Kudla
SCOM.CA Internet Services Inc.
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
On Jun 29, 2022 at 16:39:29 EDT, John Stoffel <dovecot-bounces@dovecot.org> wrote:
> "Maurizio" == Maurizio Caloro <mauric@gmx.ch> writes:
> Maurizio> On Postfix this now seems to run, and with Dovecot I also need
> Maurizio> to handle these two domains, but these error messages are
> Maurizio> appearing, like:
> Why aren't you just using a single domain as the MX record for all the domains? Then you only need one SSL cert pair for all of this, and if you publish the right SPF records, each domain can send from the same MX host as well.
> Maurizio> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>,
> Maurizio> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:
> Maurizio> ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
> Maurizio> Running with Debian Buster
> Maurizio> # dovecot --version
> Maurizio> 2.3.4.1 (f79e8e7e4)
> Maurizio> # nmail.caloro.ch
> Maurizio> local_name nmail.caloro.ch {
> Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
> Maurizio> ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
> Maurizio> }
> Maurizio> # nmail.calm-ness.ch
> Maurizio> local_name nmail.calm-ness.ch {
> Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
> Maurizio> ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
> Maurizio> }
> Maurizio> thanks for possible help

Yeah. You get a better spam score and a better rep for your server if the hostname you use as an MX record matches the reverse DNS for its IP address(es) as well and everything is correct as recommended by RFC docs. If there's outgoing mail it's all going to use the same hostname as the "ehlo" I.D. anyways, isn't it?
The big bosses and professionals are cracking down on servers etc., aren't they? I just recently tried to set up an alternate/backup server from a different provider in a very authoritarian country in northwestern/central Europe, but they borked my billing information, terminated service, and screwed up my domain renewal and caused a lot of other grief elsewhere in addition. Barely managed to save myself and stay online.
So we're going to see more small and medium sites kicked off the internet, and even having had one's own website and email means we're not welcome on FB, TWTR, and friends. Just squash the competition for interstate commerce, because the cartels are taking over.
On Wednesday, June 29, 2022 1:25:18 PM AKDT, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
> John please send me a direct email address
> I understand what you need and my customers are all separate certs per domain on both sides
> I spent over three months setting stuff up
> I will send complete instructions for both postfix & dovecot
> Plus auto scripts etc
> You will need to be running a postgresql database for my stuff to work without mods
> And running python 2.xx
> thanks - paul
> Paul Kudla
> SCOM.CA Internet Services Inc.
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
>
> On Jun 29, 2022 at 16:39:29 EDT, John Stoffel <dovecot-bounces@dovecot.org> wrote:
> > "Maurizio" == Maurizio Caloro <mauric@gmx.ch> writes:
> > Maurizio> On Postfix this now seems to run, and with Dovecot I also need
> > Maurizio> to handle these two domains, but these error messages are
> > Maurizio> appearing, like:
> > Why aren't you just using a single domain as the MX record for all the domains? Then you only need one SSL cert pair for all of this, and if you publish the right SPF records, each domain can send from the same MX host as well.
> > Maurizio> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>,
> > Maurizio> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:
> > Maurizio> ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>
> > Maurizio> Running with Debian Buster
> > Maurizio> # dovecot --version
> > Maurizio> 2.3.4.1 (f79e8e7e4)
> > Maurizio> # nmail.caloro.ch
> > Maurizio> local_name nmail.caloro.ch {
> > Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
> > Maurizio> ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
> > Maurizio> }
> > Maurizio> # nmail.calm-ness.ch
> > Maurizio> local_name nmail.calm-ness.ch {
> > Maurizio> ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
> > Maurizio> ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
> > Maurizio> }
> > Maurizio> thanks for possible help

participants (6)
- Christian Kivalo
- John Stoffel
- justina colmena ~biz
- Jürgen Echter
- Maurizio Caloro
- Paul Kudla (SCOM.CA Internet Services Inc.)