[Dovecot] iphone connection problem

Bill Cole dovecot-20061108 at billmail.scconsult.com
Fri Sep 12 21:03:53 EEST 2008


daz at feb17.org wrote:
> On Tue, Sep 09, 2008 at 06:59:10AM -0400, Charles Marcus wrote:
>> On 9/9/2008, Alan Premselaar (alien at 12inch.com) wrote:
>>> Ahh, no, sorry I must have overlooked that part.  I'm just using
>>> standard self-signed certificates on the server side.
>> Then if this is a 3G iPhone, my last response is the solution.
>>
> 
> Sorry for the delay picking this up again - it's been so frustrating I needed to 
> take a break - I have sunk too many hours into it.  To answer the various
> questions:  
> 
> * I was trying this with the original iPhone (have subsequently tested with 3G, no difference).  
> 
> * I am using self-signed certs.  I am trying to use client certs, not just server certs.  I have been emailing p12 attachments
> via gmail.  My attempts to download a mobileconfig from the webserver weren't successful.
> 
> If I understand the various suggestions:
> 
> * don't use a self-signed cert (I have made the self-CA and the mail certs slightly different),  

I think that is likely to be a red herring. The only thing you get in 
this circumstance from a commercial cert is (hopefully) rigorous 
technical correctness in the cert construction and signing. If you want 
to use client certs, you will have to manage your own PKI to some degree 
anyway, and that means getting all of the details right *with 
understanding*, not just finding a cargo-cult fix. I think you are doing 
the right thing in trying to get this working with your own certs, as 
that painful process assures that you will gain useful clues.


> * make the public CA cert available via webserver ( I have installed root cert via email and that didn't help).
> 
> I will try installing root cert via browser and see if that helps.  If that fails,  I'll try a proper CA, not
> self signed.  I'm sceptical that's the problem.  If all that fails,  I'll just throw security overboard and stick
> with simple password auth,  life is too short.  I'd still love an error message that meant something ;)

1. You may find it easiest to debug the certs using a web server and 
Safari on the iPhone rather than Dovecot and Mail, because you are 
likely to be able to instrument it better, get better error descriptions 
from the client, and be given more options on how to fix the problem.

2. Since you have a CA, server, and client certs, it might help to not 
think of these as "self-signed" since at most only the CA really is 
that. The server cert and the client certs are signed by the CA cert, 
and the only difference between this setup and one using commercial 
certs is that you have to get your CA cert treated and trusted in the 
same way as a commercial root CA cert *by both ends*. 

3. Client certs do not really add a great deal of security over just 
requiring auth to be done inside a TLS session. In some ways they are a 
security trade-off, rather than a clear improvement. If your PKI and 
device config processes are not very rigorous, you can end up in a risky 
circumstance by trusting client certs that you are dropping onto devices 
that can easily land in the wrong hands. I can say from first-hand 
experience that the iPhone version of Mail will work with Dovecot using 
a real self-signed cert and only allowing auth inside an encrypted 
session, so you do not need to completely throw security overboard. 
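As an added illustration of point 2 above (and of the "slightly different self-CA" setup the original poster describes), here is a small POSIX shell script around openssl that builds the three kinds of certificate the reply distinguishes: one genuinely self-signed CA, a server cert and a client cert both issued by that CA, plus a stray self-signed leaf that does not chain to the CA. It then verifies each one against the CA and packs the client identity together with the CA cert into a PKCS#12 bundle of the kind the poster was emailing to the phone. This is example code written for this page, not code from the thread or from the Dovecot project; the hostnames, subjects, working directory and the passphrase `changeit` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: a minimal private PKI with openssl. Only the CA cert is
# self-signed; the server and client leaves are signed by the CA and must
# verify against it. Names, subjects and the passphrase are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# 1. Root CA: the one genuinely self-signed certificate, marked CA:TRUE.
#    An explicit config avoids depending on the system openssl.cnf.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Example Private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf certificate issued (signed) by the CA.
#    $1 = file stem, $2 = CN, $3 = extendedKeyUsage, $4 = optional subjectAltName
issue_cert() {
    name=$1 cn=$2 eku=$3 san=${4:-}
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' \
        "$cn" > "$WORK/$name.cnf"
    openssl req -new -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    {
        echo 'basicConstraints = CA:FALSE'
        echo 'keyUsage = digitalSignature, keyEncipherment'
        echo "extendedKeyUsage = $eku"
        if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
    } > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# 3. The failure mode: a leaf that is itself self-signed instead of being
#    issued by the CA, so the CA cert installed on the phone cannot vouch for it.
make_stray_cert() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' \
        "$1" > "$WORK/stray.cnf"
    openssl req -x509 -config "$WORK/stray.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$WORK/stray.key" -out "$WORK/stray.crt" 2>/dev/null
}

# 4. Chain check: prints OK if the cert chains to our CA, FAIL otherwise.
chain_status() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# 5. PKCS#12 bundle for the device: client key + client cert + CA cert, so the
#    CA is installed alongside the identity rather than shipped separately.
make_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name alice -passout pass:changeit \
        -out "$WORK/client.p12" 2>/dev/null
}

# Number of certificates carried inside the bundle (identity + CA = 2).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    make_ca
    issue_cert server imap.example.org serverAuth DNS:imap.example.org
    issue_cert client alice@example.org clientAuth
    make_stray_cert stray.example.org
    echo "server cert: $(chain_status "$WORK/server.crt")"
    echo "client cert: $(chain_status "$WORK/client.crt")"
    echo "stray cert:  $(chain_status "$WORK/stray.crt")"
    make_p12
    echo "certs in client.p12: $(p12_cert_count)  (files in $WORK)"
}

main
```

The server cert carries a subjectAltName because modern clients match the host name against the SAN, not the CN. On the server side the CA certificate is what Dovecot uses to check the client's chain: in the 1.x configuration of this thread's era that is `ssl_ca_file`, together with `ssl_verify_client_cert = yes` at the top level and `ssl_require_client_cert = yes` inside the `auth` section (Dovecot 2.x renamed these to `ssl_ca` and `auth_ssl_require_client_cert`). The fallback described in point 3, password auth only inside TLS, needs none of the client-cert settings, just `disable_plaintext_auth = yes`.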
