[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Sun Oct 6 23:42:16 EEST 2013


On Sep 17, 2013, at 10:59 AM, Bruno Tréguier wrote:

> On 17/09/2013 at 16:32, Dan Langille wrote:
>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>> depth=0
>> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
>> 
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0
>> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
>> 
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0
>> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
>> 
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE AUTH=PLAIN] Dovecot ready.
>> 
>> Somewhere, somehow, there is something vastly different and not working.
> 
> Hi,
> 
> Something is definitely wrong with your certificate chain. The first
> certificate listed in your chain (depth 2) should be StartCom's root CA,
> bearing "CN = StartCom Certification Authority", the 2nd one (depth 1)
> should be the intermediate cert, bearing "CN = StartCom Class 1 Primary
> Intermediate Server CA" and the last one (depth 0) should be yours.
> 
> You told in an earlier message that you had put the 3 certs (yours, then
> the intermediate, and then the root) in your crt file. Is it still the
> case? If not, you really *must* do it, even if you find it makes no
> difference. Maybe there's another problem somewhere else, but this chain
> is a prerequisite for many clients to work.


After a long delay, I'm ready to tackle this again.

This is my configuration:

# dovecot -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_cert = </usr/local/etc/ssl/dovecot.pem
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes

/usr/local/etc/ssl/dovecot.pem was created via:

cat imaps.unixathome.org.crt sub.class2.server.ca.pem ca.pem > dovecot.pem

All the certs are startssl.com certs.


Testing via the command line gives:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6672 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AE8788A1289F10CB6417E4578F2EB86AFC132B3637748B237C559C72ECE26D77
    Session-ID-ctx: 
    Master-Key: 9D2151FF1BB2C45F32C1DBB1E49E45FA1E03F82387EE9FCCB50D7F2DB02BB0169D82B4ED386DCD17221856DD35CB1617
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:

    Start Time: 1381089774
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.


I can log in fine.  This is the temporary login and password. There is nothing private in there at present.  If anyone wishes to confirm this works, please feel free to connect in.  I'm especially interested in those of you with Mac or iPhones.  Is this only me?  All Mac/iPhone?

a1 login dan password
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in


and commands work OK:


a3 examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1379426958] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
a3 OK [READ-ONLY] Examine completed (0.014 secs).


Logout:

a5 LOGOUT
* BYE Logging out
a5 OK Logout completed.
closed


All looks good.

/var/log/maillog shows:

Oct  6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=<fYUwEhjoVgBib5Pc>
Oct  6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691


I have Thunderbird working just fine on my Macbook.

But my goal is mail.app on my iPhone and my Macbook.  When they try to connect, the mail server logs are:

Oct  6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
Oct  6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>

Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation.  That's my current IMAP server.  I'm moving to another server and failing so far.

Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.


-- 
Dan Langille - http://langille.org
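The chain-order check Bruno describes (leaf first, then the intermediate, then the root, each issuer matching the next subject) can be run locally against the concatenated dovecot.pem before touching the server. This is an added example, not code from the thread or from Dovecot; it assumes an `openssl` binary on the PATH and takes the bundle path as its only argument.

```shell
#!/bin/sh
# Check that a PEM bundle (e.g. dovecot.pem built with
# "cat leaf.crt intermediate.pem root.pem") is ordered leaf -> intermediate -> root:
# every certificate's issuer must equal the subject of the certificate after it.
# Prints each subject; returns 0 if the order is consistent, 1 on a mismatch,
# 2 if no certificate could be read.
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-0.pem, cert-1.pem, ... in bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n - 1) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    set -- "$tmp"/cert-*.pem
    [ -f "$1" ] || { rm -rf "$tmp"; return 2; }
    count=$#
    status=0
    i=0
    while [ "$i" -lt "$count" ]; do
        cur="$tmp/cert-$i.pem"
        subject=$(openssl x509 -in "$cur" -noout -subject)
        issuer=$(openssl x509 -in "$cur" -noout -issuer)
        echo "$i: $subject"
        next=$((i + 1))
        if [ "$next" -lt "$count" ]; then
            # The issuer of this certificate must be the subject of the next one.
            next_subject=$(openssl x509 -in "$tmp/cert-$next.pem" -noout -subject)
            if [ "${issuer#issuer=}" != "${next_subject#subject=}" ]; then
                echo "   MISMATCH: $issuer is not the subject of certificate $next" >&2
                status=1
            fi
        elif [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            # Last certificate is not self-signed: the bundle stops at an intermediate.
            echo "   note: last certificate is not a self-signed root" >&2
        fi
        i=$next
    done
    rm -rf "$tmp"
    return $status
}
```

Run it as `check_chain_order /usr/local/etc/ssl/dovecot.pem`; a non-zero exit with a MISMATCH line means the cat order is wrong, which is exactly what clients that do not fetch missing intermediates will choke on.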
