mTLS ldap auth failure against openldap + TLSVerifyClient: demand
Hi,
I'm trying to set up a Dovecot/Postfix/OpenLDAP combo on a Fedora 43 aarch64 box with the following versions:
dovecot-2.4.2 from https://src.fedoraproject.org/rpms/dovecot/tree/rawhide and rebuilt for F43 at https://copr.fedorainfracloud.org/coprs/patrickl/dovecot/
postfix-3.10.3
openldap-2.6.10
openssl-3.5.4
Problem: I can't seem to make Dovecot (lmtp) establish a mTLS connection with the slapd server.
Postfix works fine when using /etc/postfix/ldap-aliases.cf etc to get info from the slapd server which demands that the client sends a certificate due to olcTLSVerifyClient: demand. This is with a self-signed CA, intermediate CA and client & server certificates.
Dovecot journalctl error: lmtp(92847): Error: lmtp-server: conn unix:pid=92846,uid=89 [1]: rcpt patrick@<domain>: Failed to lookup user patrick@<domain>: Internal error occurred. Refer to server log for more information.
doveadm log errors
Dec 15 22:35:41.655525 Error: auth: ldap(ldaps://<FQDN>:636): Connection lost to LDAP server, reconnecting <snipped many more of the same message>
Slapd error:
TLS trace: SSL_accept:before SSL initialization
<snip>
TLS trace: SSL_accept:TLSv1.3 early data
TLS trace: SSL_accept:error in TLSv1.3 early data
TLS trace: SSL_accept:TLSv1.3 early data
TLS trace: SSL3 alert write:fatal:unknown
TLS trace: SSL_accept:error in error
TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
TLS accept failure error=-1 id=1178, closing
conn=1178 fd=15 closed (TLS negotiation failure)
It seems that Dovecot does not send its client certificate to the slapd server when asked? Config error?
Example with postfix where this succeeds:
postmap -q info@<domain> ldap:/etc/postfix/ldap-aliases.cf
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read
SSL_accept:TLSv1.3 early data
TLS trace: SSL_accept:error in TLSv1.3 early data
TLS trace: SSL_accept:TLSv1.3 early data
TLS certificate verification: depth: 2, err: 0, subject: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA
TLS certificate verification: depth: 1, err: 0, subject: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleSubCA, issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA
TLS certificate verification: depth: 0, err: 0, subject: /CN=postfix-ldap, issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleSubCA
TLS trace: SSL_accept:TLSv1.3 read client compressed certificate
TLS trace: SSL_accept:SSLv3/TLS read certificate verify
TLS trace: SSL_accept:SSLv3/TLS read finished
TLS trace: SSL_accept:SSLv3/TLS write session ticket
TLS trace: SSL_accept:SSLv3/TLS write session ticket
conn=1000 fd=13 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dovecot config
dovecot -n:
2.4.2 (0962ed2104): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.2 (767418c3)
OS: Linux 6.17.11-300.fc43.aarch64 aarch64 Fedora release 43 (Forty Three)
Hostname: <FQDN>
5 default setting changes since version 2.4.1
dovecot_config_version = 2.4.1
auth_mechanisms = plain
dovecot_storage_version = 2.4.1
first_valid_uid = 1000
ldap_auth_dn = cn=dovecot,dc=hosted,dc=ldap
ldap_auth_dn_password = # hidden, use -P to show it
ldap_uris = ldaps://<FQDN>
log_debug = category=ssl
mail_driver = sdbox
mail_gid = vmail
mail_home = /var/mail/virtual/%{user | domain}/%{user | username}
mail_path = ~/mail
mail_uid = vmail
protocols {
  imap = yes
  lmtp = yes
}
ssl = required
ssl_cipher_list = PROFILE=SYSTEM
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_min_protocol = TLSv1.3
namespace inbox {
  inbox = yes
  separator = /
}
ssl_server {
  ca_file = /etc/pki/dovecot/certs/dovecot_ca_bundle.pem
  cert_file = /etc/pki/dovecot/certs/kronos.laimbock.nl.crt
  key_file = /etc/pki/dovecot/private/kronos.laimbock.nl_nopass.key.crt
  prefer_ciphers = server
  request_client_cert = yes
  require_crl = no
}
ssl_client {
  ca_file = /etc/pki/dovecot/certs/dovecot_ca_bundle.pem
  cert_file = /etc/pki/dovecot/certs/dovecot-ldap.crt
  key_file = /etc/pki/dovecot/private/dovecot-ldap_nopass.key.crt
  require_valid_cert = yes
}
protocol !smtp {
  auth_ssl_require_client_cert = yes
}
passdb ldap {
  ldap_base = ou=People,ou=%{ user | domain },dc=hosted,dc=ldap
  default_password_scheme = CRYPT
  fields {
    user = %{ldap:mail}
  }
  bind = yes
  filter = (&(objectClass=person)(mail=%{user}))
}
userdb ldap {
  ldap_base = ou=People,ou=%{ user | domain },dc=hosted,dc=ldap
  fields {
    user = %{ldap:mail}
  }
  filter = (&(objectClass=person)(uid=%{user}))
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
The dovecot_ca_bundle.pem is created with
cat subca.crt ca.crt > dovecot_ca_bundle.pem
The RootCA is imported into the trust store via:
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
The public certificates live in /etc/pki/dovecot/certs:
lrwxrwxrwx. 1 root root   16 Dec 15 15:49 1c2dd8a4.0 -> dovecot-ldap.crt
lrwxrwxrwx. 1 root root   22 Dec 15 15:49 8dafd16f.0 -> <FQDN>.crt
lrwxrwxrwx. 1 root root    9 Dec 15 20:15 d18284cf.0 -> subca.crt
-rw-r--r--. 1 root root  773 Dec 12 21:21 dhparam
-rw-r--r--. 1 root root 3456 Dec 15 21:34 dovecot_ca_bundle.pem
-rw-r--r--. 1 root root 1586 Dec 15 20:15 dovecot-ldap.crt
-rw-r--r--. 1 root root 1655 Dec 15 20:15 <FQDN>.crt
-rw-r--r--. 1 root root 1850 Dec 15 20:15 subca.crt
The private keys live in /etc/pki/dovecot/private:
-rw-------. 1 root root 1704 Dec 15 20:15 dovecot-ldap_nopass.key.crt
-rw-------. 1 root root 1704 Dec 15 20:15 <FQDN>_nopass.key.crt
SELinux: there are no AVCs in /var/log/audit/audit.log but to make sure I ran:
restorecon -v -F -R /etc/dovecot
restorecon -v -F -R /etc/pki/dovecot
With setenforce 0 there is no change in the results.
The slapd config:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcPasswordCryptSaltFormat: $6$%s
olcLogLevel: 1023
cat subca.crt ca.crt > slapd_ca_bundle.pem
olcTLSCACertificateFile: /etc/openldap/certs/slapd_ca_bundle.pem
olcTLSCertificateFile: /etc/openldap/certs/<FQDN>.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/<FQDN>_nopass.key.crt
olcTLSCipherSuite: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
olcTLSVerifyClient: demand
olcTLSCRLCheck: none
I would appreciate any hints on what I missed, what to read, where to look, etc. If you need more info I'll be happy to provide it. Thanks!
Cheers, Patrick
Participants (1): Patrick Laimbock
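An added diagnostic, not part of Patrick's post and not Dovecot's or OpenLDAP's own code: a POSIX shell script that builds a throwaway root CA -> sub CA -> client leaf chain (ExampleCA, ExampleSubCA and dovecot-ldap are constructed names, not the real PKI) and runs the two checks worth doing on the files an ssl_client { ca_file / cert_file / key_file } block points at before looking further. It checks that key_file really pairs with cert_file, and that cert_file verifies against a bundle built the same way as dovecot_ca_bundle.pem (sub CA plus root), while also showing that a bundle holding only the root is not enough. A third function hands the same files to openssl s_client against a live ldaps port so the handshake can be watched outside Dovecot; it is not exercised here because it needs a real server.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: sanity-check the files that an
# ssl_client { ca_file / cert_file / key_file } block points at, using a
# throwaway root CA -> sub CA -> client certificate chain (hypothetical names)
# so it runs without touching a real PKI or a real slapd.
set -eu

# chain_ok BUNDLE CERT: does CERT verify against BUNDLE?  BUNDLE is built like
# the post's "cat subca.crt ca.crt > dovecot_ca_bundle.pem", so it must carry
# the sub CA as well as the root, or the client leaf has no issuer.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: compare the public key derived from KEY with the
# one embedded in CERT.  A mismatched pair is a classic reason for a TLS
# client to end up presenting no certificate at all.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# probe_mtls HOST PORT CERT KEY BUNDLE: handshake with a live ldaps port using
# the same files, outside Dovecot.  Succeeds only if the server chain verifies
# and the server did not answer our certificate with a fatal alert.
probe_mtls() {
    out=$(openssl s_client -connect "$1:$2" -cert "$3" -key "$4" \
          -CAfile "$5" </dev/null 2>&1) || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' &&
        ! printf '%s\n' "$out" | grep -qi 'alert'
}

# build_demo_pki DIR: root CA, sub CA (CA:TRUE), client leaf, plus an
# unrelated key to show what a cert/key mismatch looks like.  Constructed
# sample data only; every name here is hypothetical.
build_demo_pki() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ExampleCA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ExampleSubCA" \
        -keyout "$d/subca.key" -out "$d/subca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/subca.ext"
    openssl x509 -req -in "$d/subca.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/subca.ext" -out "$d/subca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dovecot-ldap" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/subca.crt" -CAkey "$d/subca.key" \
        -CAcreateserial -days 1 -extfile "$d/client.ext" -out "$d/client.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
    cat "$d/subca.crt" "$d/ca.crt" > "$d/bundle.pem"
}

# Stand-alone run (sh script.sh --demo): build the demo chain and report.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_demo_pki "$tmp"
    chain_ok "$tmp/bundle.pem" "$tmp/client.crt" && echo "chain vs bundle: ok" || echo "chain vs bundle: FAIL"
    chain_ok "$tmp/ca.crt" "$tmp/client.crt" && echo "chain vs root only: ok" || echo "chain vs root only: FAIL (expected, sub CA missing)"
    key_matches_cert "$tmp/client.key" "$tmp/client.crt" && echo "client key/cert: match" || echo "client key/cert: MISMATCH"
    key_matches_cert "$tmp/other.key" "$tmp/client.crt" && echo "other key/cert: match" || echo "other key/cert: MISMATCH (expected)"
    rm -rf "$tmp"
fi
```

To run the same checks against the real files, call chain_ok with the dovecot_ca_bundle.pem and dovecot-ldap.crt paths from the ssl_client block and key_matches_cert with dovecot-ldap_nopass.key.crt and dovecot-ldap.crt; probe_mtls with the LDAP host, 636 and those three files then shows whether slapd accepts that exact pair when a plain OpenSSL client presents it.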