[Dovecot] Intermittent "certificate cannot be verified" error

Guy wyldfury at gmail.com
Thu Jan 22 11:51:07 EET 2009


Hi guys,

Not sure where to start looking for this. I've got a few users getting
intermittent "certificate cannot be verified" messages when connecting
through SSL to Dovecot. Connections go through haproxy to Dovecot
1.1.8 on the back end servers.
I've got verbose_ssl and auth_debug enabled.

All I'm seeing in the logs for the time the users reported the error is this:
Jan 21 23:30:51 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:30:51 mink dovecot: IMAP(user1 at domain1.net): Disconnected in IDLE bytes=73/4235

Jan 21 23:24:23 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:24:23 mink dovecot: imap-login: Disconnected (no auth attempts): rip=x.x.x.x, lip=x.x.x.x
Jan 21 23:24:23 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:24:24 mink dovecot: IMAP(user2 at domain1.net): Disconnected in IDLE bytes=89/920

Since it's so intermittent, I'm not sure where to start. Since there
are no real errors in the Dovecot logs, I'm suspecting that haproxy is
perhaps not routing every packet correctly, leading to Dovecot not
getting all the data needed for the connection. Are there any other
possibilities I've missed?

Thanks
Guy

root at mink:/var/log/mail# dovecot -n
# 1.1.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.24-23-server x86_64 Ubuntu 8.04.1
protocols: imap imaps pop3 pop3s
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_cert_file: /etc/ssl/certs/imapd.pem
ssl_key_file: /etc/ssl/private/imapd.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_process_per_connection: no
login_processes_count: 5
login_max_processes_count: 256
max_mail_processes: 1024
verbose_proctitle: yes
mail_location: maildir:%h/Maildir/
mail_full_filesystem_access: yes
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/pop3
mail_process_size: 128
mail_plugins(default): imap_quota quota
mail_plugins(imap): imap_quota quota
mail_plugins(pop3): quota
mail_log_max_lines_per_sec: 30
imap_client_workarounds: outlook-idle delay-newmail
pop3_uidl_format: %08Xv%08Xu
pop3_client_workarounds: outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: private
  separator: /
  prefix: mail/
  location: maildir:%h/Maildir/
  hidden: yes
  subscriptions: yes
auth default:
  cache_size: 2048
  cache_ttl: 300
  cache_negative_ttl: 1
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@'
  master_user_separator: *
  debug: yes
  worker_max_count: 5
  passdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot-master.pwd
    master: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
plugin:
  quota: maildir
  quota_rule: *:storage=100M
  quota_rule2: Trash:ignore


-- 
Don't just do something...sit there!

