[Dovecot] SSL communication problems with client side.

Denis Iskandarov d.iskandarov at gmail.com
Mon Jun 13 16:42:52 EEST 2011


I can get messages without SSL with no problems, but I need to set up the
server to accept only SSL-secured connections.
I think my configuration is very proper, but I can't find the "obvious" problem.
Postfix 2.3.3 + dovecot 2.0.13-1_129.el5 + PostfixAdmin 2.3.3
I made my own CA and configured postfix and dovecot with the same cert, key and CA.
I gave the same public cert to the client, just converted to PKCS#12.
I can't understand the valid and invalid cert strings in the log; they look the same.
You can check the logs and config below.

Also some other questions regarding SSL:
1. How to make the client MUA (Thunderbird) automatically retrieve the
certificate? My Thunderbird can't do it by itself, so I'm importing the
mail cert myself.
2. If I want to set up Roundcube/SquirrelMail webmail clients with TLS
support (https), do I have to provide them with the same certificates as
dovecot and postfix have? Or in this case can I use whatever
certificate is dedicated to this "virtualhost"?



dovecot-deliver.log:
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get
certificate CRL: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail
Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get
certificate CRL: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital
Network/OU=Caucasus Digital Network/CN=Caucasus Digital
Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate:
/C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus
Digital Network/CN=Caucasus Digital
Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate:
/C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail
Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't
present valid SSL certificate
Jun 13 13:26:42 auth: Info: LOGIN(?,192.168.0.11): Client didn't
present valid SSL certificate
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't
present valid SSL certificate
Jun 13 13:26:42 imap-login: Info: Disconnected (client sent an invalid
cert): method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, TLS


maillog:
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write certificate request A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x20, ret=1: SSL negotiation finished successfully
[192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL:
where=0x2002, ret=1: SSL negotiation finished successfully
[192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert:
where=0x4004, ret=256: warning close notify [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=256: warning close notify [192.168.0.11]


# doveconf -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-238.9.1.el5 i686 CentOS release 5.6 (Final) ext3
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_ssl_require_client_cert = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /var/log/dovecot-deliver.log
dict {
  expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 12
first_valid_uid = 1001
hostname = mx.office.dev
info_log_path = /var/log/dovecot-deliver.log
last_valid_gid = 12
last_valid_uid = 1001
listen = *
mail_debug = yes
mail_gid = 12
mail_location = maildir:/home/vmail/%d/%u
mail_plugins = quota
mail_privileged_group = mail
mail_uid = 1001
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
plugin {
  autocreate = Trash
  autocreate2 = Spam
  autosubscribe = Trash
  autosubscribe2 = Spam
}
postmaster_address = postmaster at office.dev
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/CA/mail/mx.office.dev.crt
ssl_key = </etc/pki/CA/mail/mx.office.dev.key
ssl_verify_client_cert = yes
userdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  mail_plugins = quota autocreate
}
protocol imap {
  imap_client_workarounds = delay-newmail
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
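Editor's note on the log above, with an added example that is not from the post and not Dovecot's code. The "Valid certificate" lines show that the client's certificate chains to the CA; the "Invalid certificate: unable to get certificate CRL" lines are OpenSSL saying that a CRL check was requested and no CRL for that issuer could be found. Dovecot enables CRL checking for client certificates when ssl_verify_client_cert = yes, and it expects the CRL to be in the same file as the CA certificate given to ssl_ca. The posted ssl_ca = </etc/pki/CA/cacert.pem contains only the CA certificate, so every client certificate is rejected even though the chain is fine. (Newer Dovecot 2.x releases also have an ssl_require_crl setting to turn the CRL requirement off; whether your 2.0.13 build has it can be checked with doveconf -a.) The script below reproduces both states with a throwaway CA in a temp directory: first verification with a CA file that lacks a CRL, then with an (empty) CRL appended, which is the fix. It assumes only the openssl CLI; the names demo-ca and demo-client and the config file are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the list post or from Dovecot.
# Reproduces with a throwaway CA what the "Invalid certificate: unable to
# get certificate CRL" lines in the log mean: the client certificate chains
# to the CA fine, but a CRL check was requested (Dovecot turns it on when
# ssl_verify_client_cert = yes) and the CA file contains no CRL.
# Needs only the openssl CLI; all names (demo-ca, demo-client) are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config used for both "req" and "ca -gencrl" (constructed).
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF

# 1. A private CA plus one client certificate signed by it.
build_demo_pki() {
    openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=demo-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1
}

# 2. Verify the client cert the way the server side does: chain check plus
#    a CRL lookup for every certificate in the chain (-crl_check_all).
#    $1 is the file playing the role of ssl_ca. Returns 0 only on "OK".
verify_with_crl_check() {
    result=$(openssl verify -crl_check_all -CAfile "$1" "$WORK/client.pem" 2>&1) || true
    printf '%s\n' "$result"
    case "$result" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# 3. The fix: issue a CRL (an empty one is enough) from the same CA and
#    append it to the CA certificate, so the ssl_ca file carries both.
make_ca_file_with_crl() {
    : > "$WORK/index.txt"
    openssl ca -config "$WORK/openssl.cnf" -gencrl -crldays 30 \
        -out "$WORK/crl.pem" >/dev/null 2>&1
    cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/ca-with-crl.pem"
}

build_demo_pki
echo "== CA file without CRL (what the posted ssl_ca has) =="
if verify_with_crl_check "$WORK/ca.pem"; then
    echo "-> accepted"
else
    echo "-> rejected: same failure as the imap-login log lines"
fi
echo "== CA file with CRL appended =="
if verify_with_crl_check "$WORK/ca-with-crl.pem"; then
    echo "-> accepted"
else
    echo "-> rejected"
fi
```

The first verify prints "unable to get certificate CRL" and is rejected; the second prints "OK". Applied to the posted setup, the equivalent is generating a CRL with the CA that issued mx.office.dev.crt and appending it to the file named in ssl_ca. The CRL has its own nextUpdate date, so it has to be reissued before it expires or client certificates will be rejected again.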

