[Dovecot] Dovecot SSL issues
Hello all,
I've successfully managed to make dovecot work with Horde (http://www.horde.org) and another MTA (SMTP/POP3).
I have this nagging issue with dovecot though (I suspect it's dovecot and not the rest of the packages; please read on):
There is a special page one goes to that checks whether everything is OK with all the relevant software running alongside Horde. It's a PHP file called "test.php".
Now, this file shows almost everything that happens on the box. Here's a transcript of what it shows when it comes to dovecot and SSL:
* Trying protocol imap/ssl, Port 993:
ERROR - The server returned the following error message:
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
Certificate failure for localhost: self signed certificate:
/C=GR/ST=Kerkyra/L=Kerkyra/O=The Company Name/OU=IMAP server/CN=webmail.thecompanyname.gr/emailAddress=postmaster@webmail.thecompanyname.gr
From what I understand, it doesn't like the certificate. However, I've followed a howto document step-by-step and did what is documented.
Does anyone have any pointers on how to make secure IMAP work with dovecot? E.g. on Thunderbird, the settings are the following:
Tools -> Account Settings -> Server Settings:
Server Name: (the server or its IP address)
Username: (the username)
Port: (I've manually entered "993", because by default it goes to "143")
Security Settings -> Connection Security: SSL/TLS (again manually entered)
CHECK_ON: Use secure authentication
Now, if I click on "Get Mail" button on top of the TB window, I get a pop-up window with the following message :
Server: Location: <server's IP address>:993
Certificate Status: This site attempts to identify itself with invalid information.
Wrong Site : Certificate belongs to a different site, which could indicate an identity theft.
Unknown Identity : Certificate is not trusted, because it hasn't been verified by a recognized authority.
After that, the user accepts the above by pressing OK twice. However, there's a third pop-up window with the message shown below:
You cannot log in to <server's IP address> because you have enabled secure authentication and this server does not support it. To log in, turn off secure authentication for this account.
Any help would be appreciated..
Thank you all for your patience,
S. Tsiolis
Spyros Tsiolis wrote:
> * Trying protocol imap/ssl, Port 993:
> ERROR - The server returned the following error message:
> SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
> Certificate failure for localhost: self signed certificate:
> /C=GR/ST=Kerkyra/L=Kerkyra/O=The Company Name/OU=IMAP server/CN=webmail.thecompanyname.gr/emailAddress=postmaster@webmail.thecompanyname.gr
>
> From what I understand, it doesn't like the certificate. However, I've followed a howto document step-by-step and did what is documented.
The webmail connects to server 'localhost', but the SSL certificate that is presented, does not contain hostname 'localhost', but 'webmail.thecompanyname.gr'.
This error is harmless, but you could set up dovecot to listen for both ssl and non-ssl connections, and set up your webmail to use the non-ssl connection: ssl over localhost is probably a waste of cpu cycles.
> Now, if I click on "Get Mail" button on top of the TB window, I get a pop-up window with the following message:
> Server: Location: <server's IP address>:993
> Certificate Status: This site attempts to identify itself with invalid information.
> Wrong Site: Certificate belongs to a different site, which could indicate an identity theft.
This is the same issue as above: you instruct the client to connect to host '1.2.3.4', but the SSL certificate does not contain '1.2.3.4', but 'webmail.thecompanyname.gr'. TB tells you about this.
The name in the certificate (CN) must match the hostname that the client is told to connect to. When you tell your client to connect to 'imap.thecompanyname.gr', use a certificate that contains 'imap.thecompanyname.gr' as the CN.
> Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority.
You use a self-signed certificate, and not one that is bought from a 'trusted' certificate authority.
> You cannot log in to <server's IP address> because you have enabled secure authentication and this server does not support it. To log in, turn off secure authentication for this account.
Try to unset "CHECK_ON : Use secure authentication" in thunderbird. This has no use since you are already sending your password over ssl.
-- Regards, Tom
Quoting Tom Hendrikx <tom@whyscream.net>:
> * Trying protocol imap/ssl, Port 993:
If you use imap/ssl/novalidate-cert it will ignore the mismatch.
> From what I understand, it doesn't like the certificate.
The certificate is fine, just a hostname mismatch as Tom Hendrikx said.
> This error is harmless, but you could set up dovecot to listen for both ssl and non-ssl connections, and set up your webmail to use the non-ssl connection: ssl over localhost is probably a waste of cpu cycles.
True. Or add /novalidate-cert, which would remove the error, but still consume the cycles. The novalidate-cert would also ignore any self-signed certificate warnings...
-- Eric Rostetter The Department of Physics The University of Texas at Austin
Go Longhorns!
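The split that Tom suggests and Eric agrees with (plaintext IMAP for the webmail on the same box, TLS on 993 for remote clients such as Thunderbird), written out as an added example in Dovecot 2.x configuration syntax. This is not configuration from the thread or from the Dovecot project: the thread does not say which Dovecot version is in use, and the file paths, the certificate name and the decision to bind port 143 to loopback only are assumptions.

```conf
# --- /etc/dovecot/conf.d/10-ssl.conf  (Dovecot 2.x syntax; paths assumed) ---
ssl = yes
# A certificate whose SAN/CN covers every name clients are told to use
# (webmail.thecompanyname.gr, imap.thecompanyname.gr).  The leading '<'
# tells Dovecot to read the file rather than treat the string as the value.
ssl_cert = </etc/dovecot/certs/imap.thecompanyname.gr.pem
ssl_key  = </etc/dovecot/private/imap.thecompanyname.gr.key

# --- /etc/dovecot/conf.d/10-auth.conf ---
# Refuse LOGIN/PLAIN on unencrypted connections (Dovecot then advertises
# LOGINDISABLED).  Connections whose remote IP is the local machine are
# treated as secure, so the webmail on 127.0.0.1 can still authenticate.
disable_plaintext_auth = yes
# Thunderbird's "Use secure authentication" asks for CRAM-MD5, which Dovecot
# can only offer if passwords are stored in a scheme that supports it.  Keep
# the plain mechanisms and let TLS protect the password, as Tom suggests.
auth_mechanisms = plain login

# --- /etc/dovecot/conf.d/10-master.conf ---
service imap-login {
  # Plaintext IMAP for the local webmail only: bound to loopback so it is
  # unreachable from outside the box (assumption: webmail runs on this host).
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  # Implicit TLS for remote clients.
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

With this in place the webmail's IMAP mailbox string drops `/ssl` and points at the loopback listener, e.g. `{127.0.0.1:143/imap}`, so there is no certificate to check and no `/novalidate-cert` is needed; the loopback-only binding is what keeps that plaintext path from becoming a second, unencrypted way in from the network.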