[Dovecot] SSL communication problems with client side.
I can get messages without SSL with no problems, but I need to set up the server to accept only SSL-secured connections. I think my configuration is quite proper, but I can't find the "obvious" problem. Postfix 2.3.3 + Dovecot 2.0.13-1_129.el5 + PostfixAdmin 2.3.3. I made my own CA and configured Postfix and Dovecot with the same cert, key and CA. I gave the same public cert to the client, just converted to PKCS#12. I can't understand the valid and invalid cert strings in the log; they look the same. You can check the logs and config below.
Also some other questions regarding SSL:
- How do I make the client MUA (Thunderbird) retrieve the certificate automatically? My Thunderbird can't do it by itself, so I'm importing the mail cert myself.
- If I want to set up Roundcube/SquirrelMail webmail clients with TLS support (https), do I have to provide them with the same certificates Dovecot and Postfix have? Or, in this case, can I use whatever certificate is dedicated to that "virtualhost"?
dovecot-deliver.log:
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster@office.dev
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster@office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster@office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster@office.dev
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 auth: Info: LOGIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 imap-login: Info: Disconnected (client sent an invalid cert): method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, TLS
maillog:
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate request A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.0.11]
# doveconf -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-238.9.1.el5 i686 CentOS release 5.6 (Final) ext3
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_ssl_require_client_cert = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /var/log/dovecot-deliver.log
dict {
  expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 12
first_valid_uid = 1001
hostname = mx.office.dev
info_log_path = /var/log/dovecot-deliver.log
last_valid_gid = 12
last_valid_uid = 1001
listen = *
mail_debug = yes
mail_gid = 12
mail_location = maildir:/home/vmail/%d/%u
mail_plugins = quota
mail_privileged_group = mail
mail_uid = 1001
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
plugin {
  autocreate = Trash
  autocreate2 = Spam
  autosubscribe = Trash
  autosubscribe2 = Spam
}
postmaster_address = postmaster@office.dev
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/CA/mail/mx.office.dev.crt
ssl_key = </etc/pki/CA/mail/mx.office.dev.key
ssl_verify_client_cert = yes
userdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  mail_plugins = quota autocreate
}
protocol imap {
  imap_client_workarounds = delay-newmail
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
I've tried the following:
ssl = required
ssl_verify_client_cert = no
auth_ssl_require_client_cert = no
And I began getting emails. Successful logs attached. But I can't tell whether the data was passed over TLS. How can I enable those 2 options, "ssl_verify_client_cert" and "auth_ssl_require_client_cert", and get them working?
dovecot-deliver.log:
Jun 13 14:40:17 lda: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:17 lda: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:17 lda: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:17 lda: Debug: auth input: test@office.dev home=/home/vmail/office.dev/test/ mail=maildir:/home/vmail/office.dev/test/ uid=1001 gid=12 quota=maildir:storage=10240000
Jun 13 14:40:17 lda: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:17 lda: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:17 lda(test@office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:17 lda(test@office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args=
Jun 13 14:40:17 lda(test@office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:17 lda(test@office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:17 lda(test@office.dev): Debug: quota: No quota setting - plugin disabled
Jun 13 14:40:17 lda(test@office.dev): Debug: none: root=, index=, control=, inbox=
Jun 13 14:40:17 lda(test@office.dev): Debug: Destination address: test@office.dev (source: user@hostname)
Jun 13 14:40:17 auth: Info: mysql(localhost): Connected to database postfix
Jun 13 14:40:17 lda(test@office.dev): Info: msgid=<20110613104017.30B331B09AB@mx.office.dev>: saved mail to INBOX
Jun 13 14:40:27 imap-login: Info: Login: user=<test@office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7927, TLS
Jun 13 14:40:27 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:27 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:27 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:27 imap(test@office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:27 imap(test@office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args=
Jun 13 14:40:27 imap(test@office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:27 imap(test@office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:37 imap-login: Info: Login: user=<test@office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7929, TLS
Jun 13 14:40:37 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:37 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:37 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:37 imap(test@office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:37 imap(test@office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args=
Jun 13 14:40:37 imap(test@office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:37 imap(test@office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:38 imap-login: Info: Login: user=<test@office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7931, TLS
Jun 13 14:40:38 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:38 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:38 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:38 imap(test@office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:38 imap(test@office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args=
Jun 13 14:40:38 imap(test@office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:38 imap(test@office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
On Mon, Jun 13, 2011 at 5:42 PM, Denis Iskandarov <d.iskandarov@gmail.com> wrote:
Me again. I got the idea that I need a CRL, but I didn't understand where it should be located (and yes, I read the wiki, but still...).
From the config above you can see my certs' location:
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/CA/mail/mx.office.dev.crt
ssl_key = </etc/pki/CA/mail/mx.office.dev.key
So I ran the following commands for the CA cert and the mail cert:
openssl ca -gencrl -crldays 3650 -keyfile mail/mx.office.dev.key -cert mail/mx.office.dev.crt -out mail/mx.office.dev.crl
openssl ca -gencrl -crldays 3650 -keyfile private/cakey.pem -cert cacert.pem -out cacert.crl
So at that moment I had:
/etc/pki/CA/cacert.pem
/etc/pki/CA/cacert.crl
and
/etc/pki/CA/mail/mx.office.dev.crt
/etc/pki/CA/mail/mx.office.dev.crl
Still no luck... getting "Invalid certificate: unable to get certificate CRL:". They are in .pem format, but I still renamed them into "cacert.crl.pem" and "mx.office.dev.crl".
No luck...
Please, how do I make this work?
On 6/13/2011 8:44 AM, Denis Iskandarov wrote:
I've tried the following:
ssl = required
ssl_verify_client_cert = no
auth_ssl_require_client_cert = no
And I began getting emails. Successful logs attached. But I can't tell whether the data was passed over TLS. How can I enable those 2 options, "ssl_verify_client_cert" and "auth_ssl_require_client_cert", and get them working?
So do you want the client to authenticate with a certificate, or with a username and password?
If you set up SSL on the server, then things will be encrypted between the client and server, similar to how HTTPS works (only the server presents a certificate).
ssl_verify_client_cert and auth_ssl_require_client_cert also expect the client to present its own certificate to the server. So there would be a certificate for the server and one for each client in that case.
Willie
I want users to log in with username and password, but be sure that the whole traffic between client and server is encrypted. After reading the mailing list and Google, just a moment ago I finally fixed the problem with the certs and these 2 options. My problem was in the CRL, and I didn't understand how it should follow the CA cert. Here is a mini howto for OpenSSL usage on a mail server. Please include it in the wiki, it will help many others!
Prepare the environment for OpenSSL:
mkdir /etc/pki/CA/newcerts
mkdir /etc/pki/CA/crl
cd /etc/pki/CA
echo 01 > serial
touch index.txt
echo 01 > crlnumber
ln -s /etc/pki/tls/openssl.cnf openssl.cnf
Edit /etc/pki/tls/openssl.cnf: change the CA directory to /etc/pki/CA, change nsComment to whatever you want, and change any other settings you want (default variables for certs).
Make your own CA:
openssl req -new -x509 -extensions v3_ca -utf8 -newkey rsa:2048 -sha1 -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
Make the default CRL:
openssl ca -gencrl -crlexts crl_ext -md sha1 -utf8 -config ./openssl.cnf -crldays 30 -out crl/crl.pem
Combine your root cert with the default empty CRL:
cat cacert.pem ./crl/crl.pem > cacrl.pem
Make a request for the mail server certificate:
mkdir mail
openssl req -new -nodes -newkey rsa:2048 -sha1 -utf8 -out mail/mail.req -keyout mail/mail.key -config ./openssl.cnf
Issue the certificate:
openssl ca -out mail/mail.pem -md sha1 -utf8 -days 3650 -config ./openssl.cnf -infiles mail/mail.req
Convert the root certificate to DER format:
openssl x509 -in cacert.pem -outform DER -out company.root.cert.der
Convert the mail cert into the Windows-readable PKCS#12 format (or convert it to the same .der format to secure the key file):
openssl pkcs12 -export -out mail/mail.p12 -inkey mail/mail.key -in mail/mail.pem -name "MyCompany Mail Server"
Give the company.root.cert.der and mail.p12 certs to the client for integration with their application (Outlook, Thunderbird, etc.).
Edit your Dovecot SSL configuration and tell it the location of the cert files:
ssl_cert = </etc/pki/CA/mail/mail.pem
ssl_key = </etc/pki/CA/mail/mail.key
ssl_ca = </etc/pki/CA/cacrl.pem
PS: By the way, I hope to receive answers to the other questions from my very first post. Regards.
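Added example (my own script, not from this thread or the Dovecot project) that ties the earlier "unable to get certificate CRL" attempt to the howto above: it builds a throwaway CA with the same serial/index/crlnumber layout, then runs OpenSSL's CRL-aware verification, which is what Dovecot applies to client certs with ssl_verify_client_cert = yes, first against cacert.pem alone and then against the combined cacrl.pem. The CA name, mx.example.test, the scratch directory and the minimal openssl.cnf are all assumptions; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example: throwaway CA + CRL-aware verification, as Dovecot does for
# client certificates. Hypothetical names (Demo Root CA, mx.example.test).

# Lay out the CA directory and write a minimal openssl.cnf for `openssl ca`.
write_ca_config() {
    work=$1
    mkdir -p "$work/newcerts" "$work/private" "$work/crl" "$work/mail"
    touch "$work/index.txt"
    echo 01 > "$work/serial"
    echo 01 > "$work/crlnumber"
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $work/newcerts
database = $work/index.txt
serial = $work/serial
crlnumber = $work/crlnumber
certificate = $work/cacert.pem
private_key = $work/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# Root CA, an empty CRL, cacrl.pem (cert + CRL: the file ssl_ca must point
# at), and a server certificate issued by that CA.
make_demo_ca() {
    work=$1
    cfg=$work/openssl.cnf
    write_ca_config "$work"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$cfg" -subj "/CN=Demo Root CA" \
        -keyout "$work/private/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
    openssl ca -gencrl -config "$cfg" -out "$work/crl/crl.pem" 2>/dev/null
    cat "$work/cacert.pem" "$work/crl/crl.pem" > "$work/cacrl.pem"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$cfg" \
        -subj "/CN=mx.example.test" \
        -keyout "$work/mail/mail.key" -out "$work/mail/mail.req" 2>/dev/null
    openssl ca -batch -notext -config "$cfg" \
        -in "$work/mail/mail.req" -out "$work/mail/mail.pem" 2>/dev/null
}

# Same check Dovecot makes with ssl_verify_client_cert=yes: validate a cert
# against the ssl_ca file and require CRL data. Exit status 0 = accepted.
verify_chain() {
    openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

# The reason OpenSSL gives for rejecting, e.g. "unable to get certificate CRL".
verify_error() {
    openssl verify -crl_check -CAfile "$1" "$2" 2>&1 |
        sed -n 's/.*depth lookup: *//p' | head -n 1
}

# After revoking a cert the CRL must be regenerated and cacrl.pem rebuilt
# (the same refresh is needed before default_crl_days elapse: an expired
# CRL is rejected just like a missing one).
revoke_and_refresh() {
    work=$1
    cfg=$work/openssl.cnf
    openssl ca -config "$cfg" -revoke "$work/mail/mail.pem" 2>/dev/null
    openssl ca -gencrl -config "$cfg" -out "$work/crl/crl.pem" 2>/dev/null
    cat "$work/cacert.pem" "$work/crl/crl.pem" > "$work/cacrl.pem"
}

demo_run() {
    work=$1
    make_demo_ca "$work"
    echo "CA cert only : $(verify_error "$work/cacert.pem" "$work/mail/mail.pem")"
    if verify_chain "$work/cacrl.pem" "$work/mail/mail.pem"; then
        echo "CA cert + CRL: accepted"
    fi
    revoke_and_refresh "$work"
    echo "after revoke : $(verify_error "$work/cacrl.pem" "$work/mail/mail.pem")"
}

demo_run "$(mktemp -d)"
```

The last step is the reason cacrl.pem is not a one-off artifact: it has to be rebuilt whenever a certificate is revoked, and again before the CRL's nextUpdate (30 days with the -crldays value used above) passes, or every client will be refused.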
On Tue, Jun 14, 2011 at 12:13 PM, Willie Gillespie <wgillespie+dovecot@es2eng.com> wrote: