[Dovecot] iphone connection problem

dovecot at feb17.org dovecot at feb17.org
Wed Sep 17 08:58:59 EEST 2008


All sage advice.  I've gone back to basics, and installed the root CA
on the phone via Safari rather than email (Apple's mobile config package).
I discovered just now, to my horror, after some frustration that one logging option wasn't working,
that my binary is picking up a different config file ;(  so I need to go
back and go through the differences now and see what I was actually running.
Hopefully this will clean things up.  I think your point #3 is the most useful ;)
I'm mainly doing this because it was the Dovecot default and I like security, but
for this much aggravation I probably don't need it.  I was running without client
certs for mail retrieval happily for a long time.

Darren

> I think that is likely to be a red herring. The only thing you get in 
> this circumstance from a commercial cert is (hopefully) rigorous 
> technical correctness in the cert construction and signing. If you want 
> to use client certs, you will have to manage your own PKI to some degree 
> anyway, and that means getting all of the details right *with 
> understanding*, not just finding a cargo-cult fix. I think you are doing 
> the right thing in trying to get this working with your own certs, as 
> that painful process assures that you will gain useful clues.
> 
> 
> > * make the public CA cert available via webserver (I have installed root
> > cert via email and that didn't help).
> >
> > I will try installing root cert via browser and see if that helps.  If
> > that fails, I'll try a proper CA, not self-signed.  I'm sceptical that's
> > the problem.  If all that fails, I'll just throw security overboard and
> > stick with simple password auth, life is too short.  I'd still love an
> > error message that meant something ;)
> 
> 1. You may find it easiest to debug the certs using a web server and 
> Safari on the iPhone rather than Dovecot and Mail, because you are 
> likely to be able to instrument it better, get better error descriptions 
> from the client, and be given more options on how to fix the problem.
> 
> 2. Since you have CA, server, and client certs, it might help to not 
> think of these as "self-signed" since at most only the CA really is 
> that. The server cert and the client certs are signed by the CA cert, 
> and the only difference between this setup and one using commercial 
> certs is that you have to get your CA cert treated and trusted in the 
> same way as a commercial root CA cert *by both ends*. 
> 
> 3. Client certs do not really add a great deal of security over just 
> requiring auth to be done inside a TLS session. In some ways they are a 
> security trade-off, rather than a clear improvement. If your PKI and device 
> config processes are not very rigorous, you can end up in a risky 
> circumstance by trusting client certs that you are dropping onto devices 
> that can easily land in the wrong hands. I can say from first-hand 
> experience that the iPhone version of Mail will work with Dovecot using a 
> real self-signed cert and only allowing auth inside an encrypted session, 
> so you do not need to completely throw security overboard. 
