Hi, I have a dual-stack server with Dovecot 2.1.10 listening on v4 and v6.
Dovecot has a Comodo SSL certificate issued via NameCheap that works as expected with IPv4.
In 10-ssl.conf I have enabled these configuration directives:
ssl = yes
ssl_cert = </path/to/file.crt
ssl_key = </path/to/file.key
ssl_parameters_regenerate = 202 hours
If I connect to Dovecot using the IPv6 address of the server with Thunderbird 15.0.1 using CRAM-MD5 everything is ok.
If I enable SSL _and_ IPv6 on Thunderbird I get this error:
Oct 5 20:05:04 mail dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2001:470:1f09:203:fdbf:508e:4a29:56c5, lip=2001:470:1f09:203::badd:ecaf, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<ZcMRtlPLqgAgAQRwHwkCA/2/UI5KKVbF>
Ciao, luigi
/ +--[Luigi Rosa]-- \
"I will tell you a great secret, Captain. Perhaps the greatest of all time. The molecules of your body are the same molecules that make up this station and the nebula outside, that burn inside the stars themselves. We are star stuff, we are the universe made manifest, trying to figure itself out. As we have both learned, sometimes the universe requires a change of perspective." --Delenn, "Distant Star", Babylon 5
Luigi Rosa wrote:
If I connect to Dovecot using the IPv6 address of the server with Thunderbird 15.0.1 using CRAM-MD5 everything is ok. If I enable SSL _and_ IPv6 on Thunderbird I get this error:
Oct 5 20:05:04 mail dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2001:470:1f09:203:fdbf:508e:4a29:56c5, lip=2001:470:1f09:203::badd:ecaf, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<ZcMRtlPLqgAgAQRwHwkCA/2/UI5KKVbF>
How do you enable this in Thunderbird? If by "enabling IPv6" you mean you put in the IPv6 address instead of the hostname, that's probably where you're wrong. The certificate contains your hostname, not the IP address, so the hostname verification check fails if you insert the IPv6 address (i.e. hostname.tld != 2001:470:1f09:203:fdbf:508e:4a29:56c5, so your connection fails). I've verified this by changing the hostname to IPv6 in Thunderbird and got the same error as you do. You would get the same error if you configure the IPv4 address in TB.
This is a valid connection when I use the hostname:
2012-10-04T18:07:51.614187+02:00 mail dovecot: imap-login: Login: user=<user@domain>, method=CRAM-MD5, rip=yyyy:yyyy:::yyyy, lip=xxxx:xxxx:::xxxx, mpid=58179, TLS, TLSv1 with cipher RC4-MD5 (128/128 bits)
Configure your DNS so your hostname points to both the IPv6 and IPv4 address. Your client will take whichever protocol is preferred (IPv4 or IPv6).
Rgds, N.
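The imap-login lines quoted in this exchange are the kind a defender ends up triaging in bulk, so here is an added example (not code from the thread, nor from Dovecot or Thunderbird): a Python script that parses lines of the format shown, groups TLS alerts by remote address, and flags successful logins that negotiated a weak cipher (such as the TLSv1/RC4-MD5 in the successful login above) or completed without TLS at all. One caveat worth carrying into such triage: alert 48 is `unknown_ca` in RFC 5246, sent by the client when it cannot locate a trusted CA for the chain it was shown, so next to the hostname question it is also worth confirming that the file behind `ssl_cert` carries the full chain. The sample lines are constructed (documentation address ranges, placeholder users and session ids); the alert table is from RFC 5246 and the weak-cipher markers are this example's own assumption.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample lines in the imap-login format seen in this thread. Addresses,
# users and session ids are placeholders (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_LOG = """\
Oct  5 20:05:04 mail dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2001:db8:1::10, lip=2001:db8::1, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<AAAA1>
Oct  5 20:05:09 mail dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2001:db8:1::10, lip=2001:db8::1, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<AAAA2>
Oct  5 20:06:30 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.77, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<AAAA3>
Oct  5 20:07:51 mail dovecot: imap-login: Login: user=<user@example.net>, method=CRAM-MD5, rip=2001:db8:1::10, lip=2001:db8::1, mpid=58179, TLS, TLSv1 with cipher RC4-MD5 (128/128 bits), session=<AAAA4>
Oct  6 07:13:44 mail dovecot: imap-login: Login: user=<user@example.net>, method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS, session=<AAAA5>
Oct  6 07:15:02 mail dovecot: imap-login: Login: user=<user@example.net>, method=PLAIN, rip=10.0.0.155, lip=10.0.0.254, mpid=17820, session=<AAAA6>
"""

# TLS alert descriptions from RFC 5246 section 7.2.2 (the ones commonly seen on a
# mail server); anything else is reported by number.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    112: "unrecognized_name",
}
# Substrings that mark a cipher suite as weak for this triage (an assumption of
# this example, not a Dovecot setting).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected)(?P<detail>[^:]*): (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=<?([^,<>]*)>?")        # user=<x>, rip=..., method=...
ALERT_RE = re.compile(r"SSL alert number (\d+)")
CIPHER_RE = re.compile(r"(TLSv[\d.]+|SSLv\d) with cipher ([\w-]+)")
TLS_RE = re.compile(r",\s*TLS\b")                 # ", TLS" token: connection was encrypted


def parse_line(line: str) -> dict | None:
    """Turn one imap-login line into a dict; None if the line is some other event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"], "detail": m["detail"].strip()}
    rec.update(dict(KV_RE.findall(m["fields"])))
    rec["tls"] = bool(TLS_RE.search(m["fields"]))
    alert = ALERT_RE.search(m["fields"])
    rec["alert"] = int(alert[1]) if alert else None
    cipher = CIPHER_RE.search(m["fields"])
    rec["proto"], rec["cipher"] = (cipher[1], cipher[2]) if cipher else (None, None)
    return rec


def triage(log_text: str) -> dict:
    """Group TLS alerts by remote address and flag risky successful logins."""
    failures = defaultdict(Counter)
    weak, plaintext = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["alert"] is not None:
            # The alert was received from the client: it rejected something the
            # server sent; for alert 48 that is the certificate chain.
            name = TLS_ALERTS.get(rec["alert"], f"alert_{rec['alert']}")
            failures[rec.get("rip", "?")][name] += 1
        elif rec["event"] == "Login":
            if rec["cipher"] and any(w in rec["cipher"] for w in WEAK_CIPHER_MARKERS):
                weak.append((rec.get("user"), rec.get("rip"), rec["proto"], rec["cipher"]))
            if not rec["tls"]:
                plaintext.append((rec.get("user"), rec.get("rip"), rec.get("method")))
    return {
        "tls_failures": {rip: dict(c) for rip, c in failures.items()},
        "weak_ciphers": weak,
        "plaintext_auth": plaintext,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against a real log with `triage(open("/var/log/dovecot.log").read())`; two repeated `unknown_ca` alerts from one client address within seconds, as in the sample, is the signature of a client that rejects the certificate and retries, not of an authentication attack.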
Nick Rosier said the following on 05/10/12 22:47:
How do you enable this in Thunderbird? If by "enabling IPv6" you mean you put in the IPv6 address instead of the hostname, that's probably where you're wrong. The certificate contains your hostname, not the IP address, so the hostname verification check fails if you insert the IPv6 address (i.e. hostname.tld != 2001:470:1f09:203:fdbf:508e:4a29:56c5, so your connection fails).
Good point. But that does not explain why it works if I put in the IPv4 address of the server (the local LAN IPv4, not the public IPv4).
I've verified this by changing the hostname to IPv6 in Thunderbird and got the same error as you do. You would get the same error if you configure the IPv4 address in TB.
The server I am referring to has 2 NICs, one with a public IP and the other with a local IP address (10.0.0.254).
If I put 10.0.0.254 instead of the IPv6 address I can successfully connect using TLS:
Oct 6 07:13:44 mail dovecot: imap-login: Login: user=<lrosa@hypertrek.info>, method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS, session=<LZhzDV3LMQAKE0Ob>
Configure your DNS so your hostname points to both the IPv6 and IPv4 address. Your client will take whichever protocol is preferred (IPv4 or IPv6).
Thunderbird uses IPv4 as mail protocol, I wanted to test IPv6...
Thank you for your help
Ciao, luigi
On Oct 5, 2012, at 10:20 PM, Luigi Rosa <lists@luigirosa.com> wrote:
If I put 10.0.0.254 instead of the IPv6 address I can successfully connect using TLS:
Oct 6 07:13:44 mail dovecot: imap-login: Login: user=<lrosa@hypertrek.info>, method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS, session=<LZhzDV3LMQAKE0Ob>
And do you have a PTR record for 10.0.0.254?
Sean
Sean Kamath said the following on 06/10/12 07:44:
And do you have a PTR record for 10.0.0.254?
No, no PTR or other DNS entry for that address.
No entry of that address in /etc/hosts on the Linux with Thunderbird or on the Linux with Dovecot.
Ciao, luigi
Patrick Westenberg said the following on 06/10/12 09:29:
Can you provide the output of doveconf -n?
Sure, here it is:
# 2.1.10: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.1.1.el5.centos.plus x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 0
auth_cache_size = 100 k
auth_cache_ttl = 8 hours
auth_mechanisms = plain login digest-md5 cram-md5
auth_verbose = yes
base_dir = /var/run/dovecot/
login_greeting = Ready.
login_trusted_networks = 10.0.0.0/24
mail_plugins = " stats"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  stats_refresh = 10s
  stats_track_cmds = yes
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0666
  }
}
ssl_cert = </etc/path/to/file.crt
ssl_key = </etc/path/to/file.key
ssl_parameters_regenerate = 202 hours
syslog_facility = local5
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = " stats imap_stats"
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls
  pop3_uidl_format = %08Xu%08Xv
}
Ciao, luigi
Hi Luigi,
With regard to SSL my configuration is much simpler and it works fine with IPv4 and IPv6. But you have of course to use a hostname matching the certificate's common name.
# 2.1.6: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.5
auth_mechanisms = plain login
director_mail_servers = 172.17.1.1 172.17.1.2
director_servers = 172.17.1.3 172.17.1.4
lmtp_proxy = yes
log_path = /var/log/dovecot.log
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    user = dovecot
  }
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    address = 172.17.1.3
    port = 9090
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
}
service lmtp {
  inet_listener lmtp {
    address = 172.17.1.3
    port = 24
  }
}
service managesieve-login {
  executable = managesieve-login director
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  executable = pop3-login director
}
ssl_cert = </etc/ssl/certs/imap.xxx.de.crt
ssl_key = </etc/ssl/private/imap.xxx.key
protocol !smtp {
  passdb {
    args = proxy=y nopassword=y starttls=any-cert
    driver = static
  }
}
protocol smtp {
  passdb {
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
    driver = sql
  }
  userdb {
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
    driver = sql
  }
}
protocol lmtp {
  auth_socket_path = director-userdb
}
Regards Patrick
On 10/06/2012 12:02 PM, Patrick Westenberg wrote:
With regard to SSL my configuration is much simpler and it works fine with IPv4 and IPv6. But you have of course to use a hostname matching the certificate's common name.
You could add additional hostnames in the certificate by specifying them in SubjectAltName. I use that so my certificate works with both the public FQDN going over the Internet as well as the internal hostname when using a VPN or on the local LAN.
Regards, Patrick
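To make the identity-check point concrete, both Nick's explanation earlier in the thread (the certificate names a hostname, so an IP literal cannot match it) and the SubjectAltName suggestion just above, here is an added example that is not code from the thread, from Dovecot or from Thunderbird. It is a Python script that applies the client-side identity check to two constructed certificates in the dict shape `ssl.SSLSocket.getpeercert()` returns: one with a single DNS name, and one that also carries an internal hostname plus iPAddress SANs. All hostnames and addresses are placeholders. It goes a little beyond the thread by also handling wildcard names, trailing dots and bracketed IPv6 literals, and the `check_live_imap` helper shows the same check performed for real by Python's `ssl` module (it is not exercised offline).

```python
from __future__ import annotations

import ipaddress
import socket
import ssl

# Constructed peer certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns. All names and addresses are placeholders, not the thread's real ones.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "mail.example.net"),),),
    "subjectAltName": (("DNS", "mail.example.net"),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "mail.example.net"),),),
    "subjectAltName": (
        ("DNS", "mail.example.net"),
        ("DNS", "mail.lan.example.net"),        # internal hostname for the LAN/VPN case
        ("IP Address", "10.0.0.254"),            # iPAddress SANs are the only thing an
        ("IP Address", "2001:db8::badd:ecaf"),   # IP literal can ever match
    ),
}


def dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, a single
    wildcard allowed only as the whole left-most label and never spanning a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False                     # partial wildcards and "*.tld" are rejected
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def identity_matches(cert: dict, reference: str) -> tuple[bool, str]:
    """Return (ok, reason): is `reference`, the host the user typed into the mail
    client, a valid identity for `cert`?  This is the client-side check that runs
    after chain validation and before any credential is sent."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal is compared only against iPAddress SANs; the CN and DNS
        # SANs are never consulted, so a DNS-only certificate can never satisfy it.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, "no iPAddress SAN matches; the certificate names a hostname, not this address"

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if dns_sans:
        for value in dns_sans:
            if dns_matches(value, reference):
                return True, f"dNSName SAN {value} matches"
        return False, "no dNSName SAN matches (CN is ignored once any SAN is present)"
    # Legacy fallback: CN is consulted only when the certificate has no SAN at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_matches(value, reference):
                return True, f"CN {value} matches (no SAN present)"
    return False, "no matching CN or SAN"


def check_live_imap(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Network helper, not exercised offline: connect to an IMAPS server with chain
    validation and the identity check both enabled, as a mail client would, and
    report the negotiated protocol and verified subject. Passing an IP literal as
    `host` reproduces the client-side failure discussed in the thread."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"{tls.version()} ok, peer subject {tls.getpeercert()['subject']}"


if __name__ == "__main__":
    refs = ("mail.example.net", "MAIL.example.net.", "mail.lan.example.net",
            "10.0.0.254", "2001:0db8:0:0::badd:ecaf", "[2001:db8::badd:ecaf]")
    for label, cert in (("DNS-only cert ", CERT_DNS_ONLY), ("cert with SANs", CERT_WITH_SANS)):
        for ref in refs:
            ok, why = identity_matches(cert, ref)
            print(f"{label}  {ref:26}  {'OK  ' if ok else 'FAIL'}  {why}")
```

The table the script prints is the whole argument of the thread in one place: the DNS-only certificate passes for the hostname in any spelling and fails for every address form, while the certificate with the extra dNSName and iPAddress SANs passes for the internal name and for both IP literals as well. The fix is therefore in the certificate request (or in using the name that is in it), not in Dovecot's listener configuration.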