[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Fri Sep 13 14:59:07 EEST 2013


I'm using Dovecot 2.2.5.  I'm setting up a new IMAPS server for 
personal use (i.e. only me).

I have success with self-signed certificates but not with others (e.g. 
StartSSL.com)

With StartSSL certs:

I've been able to connect and test commands via: openssl s_client 
-connect imaps.unixathome.org:993

Can you configure your iPhone or Macbook to access the above?  
Authentication isn't the issue.  Connection is the issue.

I've been able to get Thunderbird to connect and access my mail.

However, I've been unable to get my iPhone or my Mac configured to use 
the same IMAP server.  On the iPhone,
adding the new Mail account causes the Settings app to crash on a 
persistently consistent basis when adding the new account.
The crash occurs when connecting to the IMAPS server.  Configuration 
never completes.

I suspect the problem is SSL because in both cases (iPhone and Mac), I 
see these messages in the logs:


*** /var/log/debug.log ***
Sep 13 11:50:32 imaps dovecot: imap-login: Debug: SSL: where=0x2002, 
ret=-1: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: auth: Debug: auth client connected 
(pid=31647)
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x10, 
ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, 
ret=-1: SSLv2/v3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: SSLv3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: SSLv3 write server hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: SSLv3 write certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: SSLv3 write server done A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: SSLv3 flush data [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, 
ret=-1: SSLv3 read client certificate A [166.137.84.11]

*** /var/log/maillog ***
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: 
where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth 
attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, 
TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>

/usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert 
issued by StartSSL
/usr/local/etc/ssl/imaps.unixathome.org.nopassword.key contains a 
no-password key generated by myself.




Output of doveconf -n:


# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
args = scheme=BLF-CRYPT /var/db/dovecot.users
driver = passwd-file
}
protocols = imap
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
address = 199.233.228.197
}
}
ssl = required
ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
args = /var/db/dovecot.users
driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}



-- 
Dan Langille - http://langille.org/
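The two log shapes quoted above (the "Debug: SSL: where=..., ret=...: <state>" lines that verbose_ssl = yes produces, and the "Warning: SSL failed: where=...: <state>" line) encode the OpenSSL info-callback arguments, so they can be read mechanically. The script below is an added example and is not code from the post or from the Dovecot project. It groups the lines into one session per client handshake, decodes the 'where' bits (0x2001 is SSL_ST_ACCEPT|SSL_CB_LOOP, 0x2002 is SSL_ST_ACCEPT|SSL_CB_EXIT, 0x10 is SSL_CB_HANDSHAKE_START) and reports where each handshake stopped. The sample input repeats the lines from the post and adds one constructed, successful handshake from 192.0.2.10 (a documentation address, not in the original) ending in OpenSSL's "SSL negotiation finished successfully" state. Note that OpenSSL's state names say "SSLv3" for TLS 1.x handshakes as well; they do not show which protocol version was negotiated.

```python
"""Summarise Dovecot imap-login verbose_ssl lines per TLS handshake.

Added example, not code from the mailing-list post or from Dovecot. It
recognises the "Debug: SSL: where=..., ret=...: <state>" lines and the
"Warning: SSL failed: where=...: <state>" line that Dovecot 2.2 writes
with verbose_ssl = yes, and reports how each client handshake ended.
"""
import re
from typing import Dict, List

# Bits of the OpenSSL info-callback 'where' argument (openssl/ssl.h).
SSL_ST_ACCEPT = 0x2000
SSL_CB_LOOP = 0x01
SSL_CB_EXIT = 0x02
SSL_CB_READ = 0x04
SSL_CB_WRITE = 0x08
SSL_CB_HANDSHAKE_START = 0x10
SSL_CB_HANDSHAKE_DONE = 0x20
SSL_CB_ALERT = 0x4000

WHERE_BITS = [
    (SSL_ST_ACCEPT, "SSL_ST_ACCEPT"), (SSL_CB_LOOP, "SSL_CB_LOOP"),
    (SSL_CB_EXIT, "SSL_CB_EXIT"), (SSL_CB_READ, "SSL_CB_READ"),
    (SSL_CB_WRITE, "SSL_CB_WRITE"),
    (SSL_CB_HANDSHAKE_START, "SSL_CB_HANDSHAKE_START"),
    (SSL_CB_HANDSHAKE_DONE, "SSL_CB_HANDSHAKE_DONE"),
    (SSL_CB_ALERT, "SSL_CB_ALERT"),
]

DEBUG_RE = re.compile(
    r"imap-login: Debug: SSL: where=(?P<where>0x[0-9a-fA-F]+), "
    r"ret=(?P<ret>-?\d+): (?P<state>.*?) \[(?P<ip>[^\]]+)\]\s*$")
# Dovecot logs "SSL failed" when OpenSSL's callback reports ret == 0, i.e.
# the handshake function returned 0 because the peer ended the connection.
FAILED_RE = re.compile(
    r"imap-login: Warning: SSL failed: where=(?P<where>0x[0-9a-fA-F]+): "
    r"(?P<state>.*?) \[(?P<ip>[^\]]+)\]\s*$")

IN_PROGRESS, COMPLETED, PEER_CLOSED = "in progress", "completed", "peer closed during handshake"


def describe_where(where: int) -> str:
    """Expand a 'where' value such as 0x2002 into its named bits."""
    names = [name for bit, name in WHERE_BITS if where & bit]
    return "|".join(names) if names else hex(where)


def _new_session(ip: str) -> dict:
    return {"ip": ip, "states": [], "last_state": None, "outcome": IN_PROGRESS}


def parse_sessions(lines) -> List[dict]:
    """Group verbose_ssl lines into handshake sessions, one per client handshake."""
    sessions: List[dict] = []
    current: Dict[str, dict] = {}
    for line in lines:
        m = DEBUG_RE.search(line) or FAILED_RE.search(line)
        if not m:
            continue  # e.g. the "Disconnected (no auth attempts ...)" line
        where, ip = int(m["where"], 16), m["ip"]
        failed = m.re is FAILED_RE
        # SSL_CB_HANDSHAKE_START marks a fresh handshake from that client; lines
        # seen before any start belong to an earlier session whose start we missed.
        if (where & SSL_CB_HANDSHAKE_START and not failed) or ip not in current:
            current[ip] = _new_session(ip)
            sessions.append(current[ip])
        session = current[ip]
        session["last_state"] = m["state"]
        if failed:
            session["outcome"] = PEER_CLOSED
        else:
            session["states"].append(m["state"])
            if where & SSL_CB_HANDSHAKE_DONE:
                session["outcome"] = COMPLETED
    return sessions


def diagnose(session: dict) -> str:
    """Turn a session summary into a one-line reading of the handshake."""
    if session["outcome"] == COMPLETED:
        return "handshake completed"
    last = session["last_state"] or ""
    if session["outcome"] == PEER_CLOSED and "read client certificate" in last:
        # The server had sent ServerHello, Certificate and ServerHelloDone and was
        # waiting for the client's next message when the client hung up without an
        # alert: the client gave up after seeing the certificate. A common cause is
        # an ssl_cert file holding only the leaf, so strict clients cannot build
        # the chain to a trusted root.
        return ("client closed the connection after receiving the server "
                "certificate; check that ssl_cert presents the full chain "
                "(leaf plus intermediate CA certificates)")
    return "handshake ended in state %r (%s)" % (last, session["outcome"])


# Sample input: lines quoted from the post, plus one constructed successful
# handshake from 192.0.2.10 (documentation address; not in the original).
SAMPLE_LOG = """\
Sep 13 11:50:32 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [166.137.84.11]
Sep 13 11:50:45 imaps dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [166.137.84.11]
Sep 13 11:50:46 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=166.137.84.11, lip=199.233.228.197, TLS handshaking: Disconnected, session=<a7AJd0LmWwCmiVQL>
Sep 13 12:00:01 imaps dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.0.2.10]
Sep 13 12:00:01 imaps dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.0.2.10]
Sep 13 12:00:01 imaps dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.0.2.10]
""".splitlines()

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print("%s: %d states, last %r -> %s"
              % (s["ip"], len(s["states"]), s["last_state"], diagnose(s)))
```

Run against the post's lines, the 11:50:45 handshake from 166.137.84.11 is reported as a client that received ServerHello, Certificate and ServerHelloDone and then closed the socket, with no alert, while the server sat in "SSLv3 read client certificate A". That pattern says the client did not like what it was shown, not that the key or ciphers failed. The check that goes with it is to compare what `openssl s_client -connect imaps.unixathome.org:993 -showcerts` prints as the certificate chain with the contents of the file given to ssl_cert: if only the leaf is there, clients that do not already hold the issuing intermediate cannot validate it.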