[Dovecot] problems with imaps

Reindl Harald h.reindl at thelounge.net
Fri Feb 22 19:05:53 EET 2013



On 22.02.2013 17:21, Matthias Leopold wrote:
> On 2013-02-22 17:02, Daniel Luttermann wrote:
>> On 2013-02-22, Matthias Leopold wrote:
>>
>>> With Thunderbird 10.0.12 I can't connect to port 993 and get errors in
>>> the logs like
>>
>>> TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>
>>> (certificate generated by dovecot mkcert.sh)
>>
>>> or
>>
>>> TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>>> (certificate generated by own openssl cmdline)
>>
>> Did you create a Root CA certificate? If not, I would suggest creating
>> your own CA and signing all certs with this Root CA certificate. You'll
>> have to import the created Root CA certificate in Thunderbird and/or
>> the Microsoft Certificate Store so that the applications can trust the
>> self-signed certificates.
>>
>> You could also use a free Certificate Authority like StartSSL, but the
>> Root CA certificate must also be available in the certificate store of
>> the application (Thunderbird, MS, Opera...).
>>
>> -- 
>> Daniel
>>
> Thanks, but this is not an option as this server is used by our customers, who won't be willing to import this CA
> certificate. I know about the limitations of self-signed certificates and I think it's ok for a user to import an
> "insecure" certificate once. After all, this does work for STARTTLS and works for some clients with imaps. I didn't
> find any hint that I can't use self-signed certificates for imaps/pops.

Surely you can, but it only makes trouble, as you see.
As a CUSTOMER, if I pay for your services I would consider looking for
someone who is willing to spend a small amount of money on
a certificate which does not greet me with a warning.

It is up to the client how it handles untrusted certs.

However, the PEM files generated with the scripts below
work with any known client for imaps/pop3s
as well as STARTTLS; you can also use them for Apache or Postfix
submission as well as port 465.
_______________________________________________

[root@buildserver:/buildserver/ssl-cert]$ cat generate-cert.sh
#!/usr/bin/bash
# Usage: ./generate-cert.sh <hostname>
# Creates a 2048-bit RSA key, a CSR from openssl.conf.template (CN set to
# <hostname>) and a self-signed certificate valid for ten years, then
# concatenates cert and key into one PEM file.
# Note: the certificate carries only a CN and no subjectAltName; current
# clients require a SAN and no longer fall back to the CN.
WORKING_DIR="/buildserver/ssl-cert"
# Check the argument first: with an empty $1 the original order would have
# run mkdir/chmod 700 on WORKING_DIR itself before exiting
if [ -z "$1" ]; then
 echo "usage: $0 <hostname>" >&2
 exit 1
fi
OUT_DIR="$WORKING_DIR/$1"
mkdir -p "$OUT_DIR"
chmod 700 "$OUT_DIR"
rm -f "$OUT_DIR/$1.key" "$OUT_DIR/$1.csr" "$OUT_DIR/$1.crt" "$OUT_DIR/$1.pem"
# Fill the CN placeholder in the template; the generated config is removed again at the end
sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"
# Make new files owner-only from the start so the key is never world-readable
umask 077
openssl genrsa -out "$OUT_DIR/$1.key" 2048
openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
# Self-sign the request with the same key (no CA involved)
openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
# Combined cert + key file as Dovecot, Postfix and Apache can read it
cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"
echo ""
echo "$OUT_DIR/$1.key"
echo "$OUT_DIR/$1.csr"
echo "$OUT_DIR/$1.crt"
echo "$OUT_DIR/$1.pem"
echo ""
chmod 600 "$OUT_DIR"/*
ls -l -h --color=tty -X --group-directories-first --time-style=long-iso "$OUT_DIR/"
echo ""
rm -f "$WORKING_DIR/openssl.conf"
_______________________________________________

[root@buildserver:/buildserver/ssl-cert]$ cat openssl.conf.template
[ req ]
prompt                          = yes
default_bits                    = 2048
distinguished_name              = req_DN
string_mask                     = nombstr

[ req_DN ]
countryName                     = "1. Country code  "
countryName_default             = "AT"
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. State  "
stateOrProvinceName_default     = "Vienna"
localityName                    = "3. City  "
localityName_default            = "Vienna"
0.organizationName              = "4. Company name  "
0.organizationName_default      = "the lounge interactive design gmbh"
organizationalUnitName          = "5. Department  "
organizationalUnitName_default  = "Administration"
commonName                      = "6. Server name  "
commonName_max                  = 64
commonName_default              = "my_common_name"
emailAddress                    = "7. Mail address  "
emailAddress_max                = 40
emailAddress_default            = "hostmaster@thelounge.net"

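The two log lines quoted at the top of this thread are not server-side failures. The number after `error:` is a packed OpenSSL error code, and in the SSL library a reason code of 1000 or more means the remote peer sent that TLS alert: 14094412 decodes to alert 42 (bad_certificate) and 14094418 to alert 48 (unknown_ca), i.e. Thunderbird validated the server certificate, rejected it and told the server so. That is why the fix lies on the trust side (importing the CA, or a certificate signed by a CA the client already trusts) rather than in Dovecot's TLS settings. The following Python script is an added example, not part of the original post nor of Dovecot; it decodes such codes offline. It assumes the OpenSSL 1.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason; OpenSSL 3.x no longer stores the function number), takes the alert names from RFC 5246, and the sample log lines are constructed from the ones quoted in this thread plus one line without a code.

```python
import re

ERR_LIB_SSL = 20             # OpenSSL's library number for libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reasons >= 1000 are alerts sent by the peer

# TLS AlertDescription values from RFC 5246, section 7.2 (subset)
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}

# Alerts a peer sends after it failed to validate the certificate we presented.
# In a server log they mean "the client did not trust our certificate".
CERT_REJECTED_ALERTS = {42, 43, 44, 45, 46, 48}

# "error:<8 hex digits>:" as printed by OpenSSL's ERR_error_string()
ERR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def unpack(code):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason).

    ERR_PACK(l, f, r) = (l & 0xFF) << 24 | (f & 0xFFF) << 12 | (r & 0xFFF)
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(code):
    """Describe a packed error code and flag alerts that came from the peer."""
    lib, func, reason = unpack(code)
    info = {"lib": lib, "func": func, "reason": reason,
            "peer_alert": None, "cert_rejected_by_peer": False}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = TLS_ALERTS.get(alert, "alert_%d" % alert)
        info["cert_rejected_by_peer"] = alert in CERT_REJECTED_ALERTS
    return info


def explain_log_line(line):
    """Explain the first OpenSSL error code in a log line, or None if there is none."""
    m = ERR_CODE_RE.search(line)
    if m is None:
        return None
    return explain(int(m.group(1), 16))


# Constructed sample input: the two lines quoted in this thread and one
# made-up line that carries no OpenSSL code.
SAMPLE_LOG = [
    "TLS: SSL_read() failed: error:14094412:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert bad certificate",
    "TLS: SSL_read() failed: error:14094418:SSL routines:"
    "SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "client disconnected before the handshake completed (constructed line)",
]


def triage(lines):
    """For every line with a code: (alert name, did the client reject our cert)."""
    results = []
    for line in lines:
        info = explain_log_line(line)
        if info is not None:
            results.append((info["peer_alert"], info["cert_rejected_by_peer"]))
    return results


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        info = explain_log_line(line)
        if info is None:
            print("no OpenSSL error code:", line)
            continue
        print("lib=%d func=%d reason=%d peer_alert=%s client_rejected_cert=%s"
              % (info["lib"], info["func"], info["reason"],
                 info["peer_alert"], info["cert_rejected_by_peer"]))
```

On a host with OpenSSL installed, `openssl errstr 14094412` prints the same library/function/reason strings; the script only adds the direction of the alert. The distinction matters for triage: a libssl reason below 1000, such as 134 (certificate verify failed, code 14090086), is the local side failing to verify the peer's certificate, whereas the codes in this thread are the client's verdict on ours.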