Hello,
I tried to enable a TLS connection from postfix to dovecot lmtp. Unfortunately I have a problem with the certificate; postfix shows:
2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I checked the certs with openssl s_client:
# openssl s_client -connect localhost:24 -showcerts -starttls smtp -CApath /etc/ssl/certs/
And I get:
didn't found starttls in server response, try anyway...
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
verify error:num=21:unable to verify the first certificate
verify return:1
It looks like dovecot lmtp sends the same certificate 3 times. I made the same test for imap in the same dovecot instance:
# openssl s_client -connect localhost:143 -showcerts -starttls imap -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
verify return:1
For imap it looks ok. Why does lmtp show a wrong cert list?
# dovecot --version
2.2.16
-- 
Best regards!
Piotr Rotter
IT Consultant
http://www.ACTIVE24.pl - Powerful hosting - surprisingly easy
ul. Barkocińska 6, 03-543 Warszawa PL
Email: bok@active24.pl
Tel: +48 222 950 446
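A way to test the LMTP port directly, added here as an example (not code from this thread, from Dovecot or from Postfix): LMTP (RFC 2033) greets with LHLO rather than EHLO, so `openssl s_client -starttls smtp` sends EHLO and never sees a STARTTLS capability on port 24 (OpenSSL 1.1.0 and later have `-starttls lmtp` for this). The script below speaks LHLO itself, upgrades with STARTTLS, verifies the presented chain against a CA file or directory the way a TLS client with verification enabled would, and reports the OpenSSL verify code. It also summarizes `-showcerts` output by counting the PEM blocks the server actually sent, because s_client re-prints the depth=0 subject before every `verify error` line, so a single leaf with three errors (20, 27, 21) reads as the same certificate three times. Host, port, the name on the certificate and the CA path are command-line arguments; the embedded s_client sample is constructed and only modeled on the output in this thread.

```python
# LMTP STARTTLS probe. Added example, not code from the thread, Dovecot or Postfix.
# LMTP (RFC 2033) uses LHLO instead of EHLO, so we speak LHLO before STARTTLS.
import io
import socket
import ssl

# OpenSSL X509 verify codes seen in the thread (names from OpenSSL's x509_vfy.h).
# Together at depth=0 they mean: only the leaf was sent, issuer not in the store.
VERIFY_DIAGNOSIS = {
    20: "unable to get local issuer certificate (issuer not sent, not in store)",
    21: "unable to verify the first certificate (only the leaf was presented)",
    27: "certificate not trusted (no path to a trusted root could be built)",
}

# Constructed sample modeled on the thread's output: one PEM block, three errors.
SAMPLE_S_CLIENT_OUTPUT = """\
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.example.test
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = mail.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
-----BEGIN CERTIFICATE-----
MIIB(placeholder)
-----END CERTIFICATE-----
"""

def parse_reply(raw):
    """(code, [text lines]) from a multi-line LMTP/SMTP reply, prefix stripped."""
    lines = raw.decode("utf-8", "replace").splitlines()
    if not lines or not lines[-1][:3].isdigit():
        raise ValueError("malformed reply: %r" % raw)
    return int(lines[-1][:3]), [ln[4:] for ln in lines]

def read_reply(fp):
    """Read one reply: 'NNN-' lines continue it, the 'NNN ' line ends it."""
    buf = []
    while True:
        line = fp.readline()
        if not line:
            raise ConnectionError("peer closed connection")
        buf.append(line)
        if len(line) >= 4 and line[3:4] == b" ":
            return parse_reply(b"".join(buf))

def reply_from_bytes(raw):
    return read_reply(io.BytesIO(raw))

def capabilities(lhlo_texts):
    """Capability keywords from LHLO reply text; the first line is the server name."""
    return {t.split()[0].upper() for t in lhlo_texts[1:] if t.strip()}

def diagnose_verify_code(code):
    return VERIFY_DIAGNOSIS.get(code, "OpenSSL verify error %d" % code)

def summarize_s_client(output):
    """Certificates actually printed by -showcerts vs. verify errors. s_client
    re-prints the depth=N subject before each error, so one leaf with three
    errors reads as 'the same certificate three times'."""
    errors = [int(ln.split("num=")[1].split(":")[0])
              for ln in output.splitlines() if "verify error:num=" in ln]
    return {"certs_sent": output.count("-----BEGIN CERTIFICATE-----"),
            "verify_errors": errors,
            "diagnosis": [diagnose_verify_code(e) for e in errors]}

def probe_lmtp_starttls(host, port, server_hostname, cafile=None, capath=None):
    """LHLO, STARTTLS, then verify against cafile/capath (system store if both
    are None). Verification failures are reported in the result, not raised."""
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    result = {"starttls_offered": False, "tls_ok": False, "verify_code": None}
    with socket.create_connection((host, port), timeout=10) as sock:
        fp = sock.makefile("rb")
        if read_reply(fp)[0] != 220:
            raise RuntimeError("unexpected LMTP greeting")
        sock.sendall(b"LHLO probe.invalid\r\n")  # LMTP greeting verb, not EHLO
        code, texts = read_reply(fp)
        result["starttls_offered"] = code == 250 and "STARTTLS" in capabilities(texts)
        if not result["starttls_offered"]:
            return result
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(fp)[0] != 220:
            raise RuntimeError("STARTTLS refused")
        try:
            tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
        except ssl.SSLCertVerificationError as e:  # Python >= 3.7
            result["verify_code"] = e.verify_code
            result["diagnosis"] = diagnose_verify_code(e.verify_code)
            return result
        result.update(tls_ok=True, cipher=tls.cipher()[0],
                      subject=tls.getpeercert()["subject"])
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return result

if __name__ == "__main__":
    import sys  # usage: probe.py HOST PORT NAME_ON_CERT [CAFILE]
    print(probe_lmtp_starttls(sys.argv[1], int(sys.argv[2]), sys.argv[3],
                              cafile=sys.argv[4] if len(sys.argv) > 4 else None))
```

Run it as, for instance, `python3 probe.py 192.168.67.30 24 mail.active24.pl /etc/ssl/certs/ca-certificates.crt` (host, port and name taken from the thread; the CA bundle path is an assumption). `starttls_offered` true with `verify_code` 20 or 21 means the server offers STARTTLS but presents a leaf that does not chain to the given store, which is exactly the condition under which Postfix logs "Untrusted TLS connection". Once the probe reports `tls_ok`, the Postfix side can be made to require a verified chain for this delivery path with an enforcing `lmtp_tls_security_level` (for example `secure`, or `fingerprint` pinned to the certificate) rather than a level that only logs the result.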
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 27 Jul 2015, Piotr Rotter wrote:
> I tried to enable a TLS connection from postfix to dovecot lmtp. Unfortunately I have a problem with the certificate; postfix shows:
post the output of doveconf -n
> 2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> I checked the certs with openssl s_client:
> # openssl s_client -connect localhost:24 -showcerts -starttls smtp -CApath /etc/ssl/certs/
> And I get:
> didn't found starttls in server response, try anyway...
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=21:unable to verify the first certificate
> verify return:1
> It looks like dovecot lmtp sends the same certificate 3 times. I made the same test for imap in the same dovecot instance:
> # openssl s_client -connect localhost:143 -showcerts -starttls imap -CApath /etc/ssl/certs/
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify return:1
> For imap it looks ok. Why does lmtp show a wrong cert list?
> # dovecot --version
> 2.2.16
-- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVbYsIXz1H7kL/d9rAQIDbgf/UTzRhj6ZiiuknCHjmmFRwdbTk+qclXbo
vo2XtuH6V3WcuBoHwRedOiTuGH5g8WO2A+tl9wSSSvtw9TWurt2lLMfUsemWO4r4
zv7SwkTn2CVCIbZmC/3D1kqXHm08fuSo9Vn5/tgfgdOFwt5r4VfNkkp+zm72wFWT
o6uzL+EXSGEqnm/R1hFdC9cDZqKuzQ3MK+8qasoCPgMAr4svN0lwdi+yATaxzjgj
MviyKpdtQmA9gKRfLhptVcIP17rRNkoZKCS/Eboy6g/Rjf8c4C4Hn7lUbnx+kCVe
Xk4Z2cmlPhl17iyvzo8Tvyeuu/gxDEXfa/xgwRGhp0xx3c+WBOrJSg==
=a+SK
-----END PGP SIGNATURE-----
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.18.9-hardened x86_64 Gentoo Base System release 2.2
auth_mechanisms = plain login digest-md5 cram-md5 ntlm apop
auth_verbose = yes
default_client_limit = 10000
default_process_limit = 1000
default_vsz_limit = 512 M
deliver_log_format = from=%f, msgid=%m, psize=%p: %$
disable_plaintext_auth = no
dotlock_use_excl = no
doveadm_password = yjH5KiEpCWAVLHtt
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Active24 Sp. z o.o.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %k session=<%{session}>
login_trusted_networks = 192.168.67.0/27
mail_access_groups = vmail
mail_fsync = always
mail_gid = 502
mail_location = maildir:~/
mail_log_prefix = "%s(%u) session=<%{session}>: "
mail_plugins = mail_log notify quota
mail_uid = 502
maildir_very_dirty_syncs = yes
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  autosubscribe = Trash
  autosubscribe2 = Spam
  autosubscribe3 = Sent
  autosubscribe4 = Drafts
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append append
  mail_log_fields = box msgid from size
  quota = maildir
  quota2 = maildir:user quota
  quota_rule = *:storage=10GB
  quota_rule2 = *:messages=10000
  quota_rule3 = Trash:storage=+10M
  quota_rule4 = Trash:messages=+100
  quota_warning = storage=80%% quota-warning 80 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=100%% quota-warning 100 %u
  sieve_global_path = /etc/dovecot/sieve/default.sieve
}
sendmail_path = /usr/sbin/postfix
service auth {
  client_limit = 20000
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service doveadm {
  unix_listener doveadm-server {
    mode = 0666
  }
}
service imap-login {
  process_limit = 4096
  process_min_avail = 6
  service_count = 1000
}
service imap {
  process_limit = 4096
  process_min_avail = 6
  service_count = 100
}
service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
    ssl = yes
  }
  process_limit = 100
  process_min_avail = 5
  user = vmail
}
service pop3-login {
  process_limit = 4096
  process_min_avail = 6
  service_count = 1000
}
service pop3 {
  process_limit = 4096
  process_min_avail = 6
  service_count = 100
}
service quota-warning {
  executable = script /opt/bin/quota-warning
  unix_listener quota-warning {
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_ca =
On 27.07.2015 at 15:03, Steffen Kaiser wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Mon, 27 Jul 2015, Piotr Rotter wrote:
>> I tried to enable a TLS connection from postfix to dovecot lmtp. Unfortunately I have a problem with the certificate; postfix shows:
> post the output of doveconf -n
>> 2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> I checked the certs with openssl s_client:
>> # openssl s_client -connect localhost:24 -showcerts -starttls smtp -CApath /etc/ssl/certs/
>> And I get:
>> didn't found starttls in server response, try anyway...
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> It looks like dovecot lmtp sends the same certificate 3 times. I made the same test for imap in the same dovecot instance:
>> # openssl s_client -connect localhost:143 -showcerts -starttls imap -CApath /etc/ssl/certs/
>> CONNECTED(00000003)
>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>> verify return:1
>> depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
>> verify return:1
>> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
>> verify return:1
>> For imap it looks ok. Why does lmtp show a wrong cert list?
>> # dovecot --version
>> 2.2.16
> -- 
> Steffen Kaiser
-- 
Best regards!
Piotr Rotter