[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Fri Oct 11 02:33:59 EEST 2013


On Oct 10, 2013, at 2:26 PM, Dan Langille wrote:

> On Oct 9, 2013, at 11:43 PM, Noel Butler wrote:
> 
>> On 10/10/2013 13:36, Noel Butler wrote:
>>> I can't recall if we previously discussed it, but, why the fascination
>>> with imaps, why not use TLS on 143, or wont that connect either? tried
>>> pop3 TLS ? pop3s?
>>> and when you test, use -CAfile /path/to/(startssl's)CA.pem
>>> I see no auth mech statement, so using hte default is limited, IIRC, login is re
>>> auth_mechanisms = plain login
>> 
>> bugger......  stupid webmail... as I was trying to say, IIRC type login is required for ssl,
>> at least with winblows clients, try adding the above and see what goes.
>> plain is preferred, but that's because TLS is preferred.
> 
> To be clear, I am using this now:
> 
> auth_mechanisms = plain login
> 
>> use the  local - int- ca  > cert.pem
> 
> I have all three in there.
> 
>> and remove the ssl_ca option
> 
> Removed.
> 
> Restarted dovecot.
> 
> Mail on the Macbook reports:
> 
> "There may be a problem with the mail server or network. Verify the settings for account “Langille” or try again.
> 
> The server returned the error: Mail was unable to connect to server “test1.langille.org” using SSL on port 993. Verify that this server supports SSL and that your account settings are correct."
> 
> /var/log/maillog shows:
> 
> Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, session=<5fLNH2foGABib5Pc>
> Oct 10 18:25:19 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, session=<5gDPH2fokABib5Pc>
> 
> I should have four separate IMAP instances ready later today.

I created those instances.  But the new StartCOM 4096-bit cert I created works just fine.  So why did the original problem cert fail?  I tried it on the new server.  It failed there too.  Exact same configuration.  One cert works.  The other cert fails.

So what's different?

The anomaly has been found.

First, the cause of the problem is something I did.

The problem cert is 4098 bits.

Two more than the usual 4096 bits.

DOH.

I must give credit to StartCOM.  They pointed out this difference just now.  And you can see yourself here: http://dan.langille.org/2013/10/10/one-startcom-cert-works-the-other-does-not/

I'll be raising a bug with Apple.

My thanks for the help.  My apologies for the noise.

-- 
Dan Langille - http://langille.org
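The thread ends with the cause: a certificate whose RSA key is 4098 bits instead of 4096, which one client stack rejected while another accepted. The script below is an added example, not code from the thread or from Dovecot, showing the check a practitioner would want in front of any certificate deployment: read the public-key size out of the PEM file with the openssl command-line tool and refuse anything that is not one of the usual sizes. It assumes `openssl` is installed; the self-signed certificates it generates, the subject name and the size list are constructed for the demonstration, and `probe_imaps` is the live test Noel suggests (`-CAfile` with the issuer chain) and is not run here because it needs network access.

```shell
#!/bin/sh
# Added example (not from the Dovecot thread): flag a certificate whose RSA
# public key is not one of the usual sizes, so a typo such as "4098" is caught
# before the cert reaches a mail client. Assumes the openssl CLI is installed.

# Generate a throwaway self-signed cert with the requested RSA size (constructed
# test data, not a real StartCOM cert).
# Usage: make_selfsigned BITS OUTDIR  -> writes OUTDIR/key.pem and OUTDIR/cert.pem
make_selfsigned() {
    bits=$1; dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
        -subj "/CN=added-example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Print the public-key size in bits of a PEM certificate. Matches the
# "Public-Key: (N bit)" line that openssl 1.0, 1.1 and 3.x all print.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when BITS is a size every TLS stack is known to accept, 1 otherwise.
# The list is the example's own assumption about "usual" sizes.
is_standard_rsa_size() {
    case "$1" in
        2048|3072|4096|8192) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a certificate file: prints "ok N" or "odd N", returns 0 or 1.
check_cert() {
    bits=$(cert_key_bits "$1")
    if is_standard_rsa_size "$bits"; then
        echo "ok $bits"
        return 0
    fi
    echo "odd $bits"
    return 1
}

# The live test from the thread: connect to IMAPS and verify against the
# issuing CA chain given explicitly. Not invoked below (needs the network).
# Usage: probe_imaps HOST CA_CHAIN.pem
probe_imaps() {
    openssl s_client -connect "$1:993" -CAfile "$2" -showcerts </dev/null
}

# Demo: one good cert and one with the typo described in the thread.
demo() {
    tmp=$(mktemp -d)
    make_selfsigned 2048 "$tmp/good"
    make_selfsigned 4098 "$tmp/bad"
    check_cert "$tmp/good/cert.pem"
    check_cert "$tmp/bad/cert.pem" || echo "refusing to deploy $tmp/bad/cert.pem"
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_cert_size.sh`; the 4098-bit key takes a few seconds to generate. In a deployment script, call `check_cert` on the file you are about to hand to `ssl_cert` and stop on a nonzero exit.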