[Dovecot] CaCert certificate configuration help needed
I was not able to find specific help for configuring the crt file for CaCert. I gleaned from examples the following order:
server certificate
CaCert class 3 certificate
CaCert root certificate
However, when I try to configure my mail reading for IMAP, Dovecot shows the following error in the log:
dovecot: imap-login: Aborted login (no auth attempts):
I am assuming, based on searches for this error, that my crt file is not correct but I don't know what to do at this point. Can someone steer me in the right direction? TIA.
-- View this message in context: http://dovecot.2317879.n4.nabble.com/CaCert-certificate-configuration-help-n... Sent from the Dovecot mailing list archive at Nabble.com.
Quote from gw1500se i_was_yah00ed@yahoo.com:
I was not able to find specific help for configuring the crt file for CaCert. I gleaned from examples the following order:
server certificate
CaCert class 3 certificate
CaCert root certificate
However, when I try to configure my mail reading for IMAP, Dovecot shows the following error in the log:
dovecot: imap-login: Aborted login (no auth attempts):
I am assuming, based on searches for this error, that my crt file is not correct but I don't know what to do at this point. Can someone steer me in the right direction? TIA.
The server (dovecot) needs the server certificate, the matching private key and the intermediate CAs, not the root-CA. The client needs the root-CA in its "trust store", so you have to make your client trust the CaCert root-CA. For the dovecot side have a look here:
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Regards
Andreas
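An added example, not from the thread or the Dovecot project: it builds a throwaway root, a "class 3" intermediate and a server certificate with openssl, then checks the two points made above: the bundle the server sends must contain the server certificate followed by the intermediate (the root stays in the client's trust store), and the private key must belong to the server certificate. All names (Demo Root CA, Demo Class 3 CA, mail.example.test) are made up for the demo.

```shell
#!/bin/sh
# Demo: build root -> "class 3" intermediate -> server chain and check what
# Dovecot's ssl_cert must hold: server cert followed by the intermediate, no
# root; and that ssl_key matches ssl_cert. All names below are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# issue NAME SUBJECT SIGNER EXTFILE: new key + CSR, signed by SIGNER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$4" 2>/dev/null
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
  # Self-signed root: belongs in the MUA's trust store, not in ssl_cert.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 1 \
    -extfile ca.ext 2>/dev/null
  issue class3 "/CN=Demo Class 3 CA" root ca.ext   # stands in for CAcert class 3
  issue server "/CN=mail.example.test" class3 leaf.ext
  # What ssl_cert should point at: leaf first, then the intermediate(s).
  cat server.crt class3.crt > dovecot_chain.pem
}

# verify_with BUNDLE: can a client that trusts only root.crt verify server.crt
# when the server sends BUNDLE? Prints OK or FAIL.
verify_with() {
  if openssl verify -CAfile root.crt -untrusted "$1" server.crt >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# key_matches_cert CERT KEY: compares the two public keys; prints yes or no.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey); b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ] && echo yes || echo no
}

make_chain
echo "server.crt + class3.crt (correct ssl_cert): $(verify_with dovecot_chain.pem)"
echo "server.crt alone (intermediate missing):    $(verify_with server.crt)"
echo "ssl_key matches ssl_cert: $(key_matches_cert server.crt server.key)"
```

The same `openssl verify -CAfile <root> -untrusted <ssl_cert file> <server cert>` check works against a real CAcert-issued certificate once the real root is substituted.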
Thanks for the reply. I guess I should have been more complete in my description. That is where I first started. Not only did that give me the error above but an additional error telling me I was missing the root CA for the signing authority. Searches on that error pointed me to the chained SSL certificates section. That eliminated the root CA error but I still have the posted error.
Perhaps I am still not recognizing which specific section I should be using in that document.
On Thu, 4 Jul 2013, gw1500se wrote:
Perhaps I am still not recognizing which specific section I should be using in that document.
Increase logging (http://wiki2.dovecot.org/Logging, esp. section "Logging verbosity"), then try again and check what the MUA is displaying. If it disconnects because of cert errors, the MUA displays the error.
Regards,
Steffen Kaiser
Thanks. I think I turned on all the debug I can but the result is not at all helpful (to me).
Jul 4 13:33:02 public dovecot: auth: Debug: auth client connected (pid=29195)
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Jul 4 13:33:02 public dovecot: imap-login: Aborted login (no auth attempts): rip=74.176.153.21, lip=69.64.71.47, TLS
Jul 4 13:33:02 public dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify
FWIW, here is my doveconf output:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
base_dir = /var/run/dovecot/
login_greeting = Dovecot on mydomain.com ready.
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert =
I think I am now close on this. It appears that the user is successfully authenticating via IMAP. However, I am getting permissions errors when it tries to write to the Maildir.
dovecot: imap(dap): Error: mkdir(/home/dap/Maildir/.imap/INBOX) failed: Operation not permitted
Jul 4 15:02:04 public dovecot: imap(dap): Error: chown(/home/dap/Maildir/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=500(dap), group based on /var/mail/dap)
What am I missing in the previously posted doveconf? TIA.
Got it. It seems that when Dovecot tries to create the user's local mail directory, it attempts to set the group as it is in /var/mail. This is not mentioned in the documentation anywhere I could find. That is where it fails. However, it turns out that if you turn off group permissions (0600) in /var/mail/* it will not try to set the group and the local directory is created successfully.
participants (3): gw1500se, lst_hoe02@kwsoft.de, Steffen Kaiser