Client app says my chained Comodo cert is invalid
I’ve configured Dovecot and Postfix on a new VPS running Ubuntu 16.04, using Linode’s tutorial [1], to require authentication and SSL encryption for both POP3 and SMTP. All looks OK to me except, when my email client app (macOS Mail.app) tries to log in, it says that my cert is invalid.
The trouble appears when I attempt to configure a client account in Mail.app on my Mac. For the POP server name, I enter my VPS’ “45.56.81.181", because public DNS is still pointing to my existing host. I set the account to use the Apple TLS certificate, and then click to save this new account info. Before saving, Mail.app checks my entries by attempting to log in. The result is: “The identify of server 45.56.81.181 cannot be verified. The certificate for this server is invalid.” At the same time, on my new server, some entries appear in /var/log/mail.log [2].
The certificate in question is a new PositiveSSL/Comodo cert I bought the other day. It works OK for serving web pages - I mean, on this same Mac, when I visit my under-construction site at https://45.56.81.181 in Safari or Firefox, I get the padlock icon and no warnings.
Comodo gave me two two files, a “.crt” which contains my cert, and a “.ca-bundle.crt” which contains their certs. Per Dovecot documentation, I concatenated these into a “chained” file containing all 3 certs, starting with mine. In /etc/dovecot/conf.d/10-ssl.conf, I set ssl_cert = this “chained” file.
I tried adding the two original cert files to macOS Keychain.app with “Always trust” but that did not help.
Being new at this, I would appreciate any suggestions. My dovecot -n
output is below [3].
Thank you very much!
Jerry Krinock
[1] https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mys...
[2] /var/log/mail.log entries when client attempts login
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [24.4.251.228] Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [24.4.251.228] Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: unknown state [24.4.251.228] Jul 27 12:22:19 bird dovecot: message repeated 6 times: [ pop3-login: Debug: SSL: where=0x2001, ret=1: unknown state [24.4.251.228]] Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: unknown state [24.4.251.228] Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: unknown state [24.4.251.228] Jul 27 12:22:19 bird dovecot: pop3-login: Warning: SSL failed: where=0x2002: unknown state [24.4.251.228] Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL error: Disconnected Jul 27 12:22:19 bird dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.4.251.228, lip=45.56.81.181, TLS handshaking: Disconnected, session=<8HuX76I4p8gYBPvk>
Yes, 24.4.251.228 is the IP address of my Mac.
[3] Output from dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.13 (7b14904) # OS: Linux 4.5.5-x86_64-linode69 x86_64 Ubuntu 16.04 LTS ext4 auth_mechanisms = plain login mail_location = maildir:/var/mail/vhosts/%d/%n mail_privileged_group = mail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } protocols = imap pop3 lmtp service auth-worker { user = vmail } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 } } ssl = required ssl_cert =
participants (1)
-
Jerry Krinock