[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Sat Sep 14 22:21:44 EEST 2013


On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:

> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
> 
> 
>> Perhaps I am doing the chain incorrectly.  I just tried again.  The 
>> server is now set up with the following:
>> 
>> I have three certs in this chain file:
>> 
>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > 
>> testing.chain.pem
>> 
>> 1 - the certificate issued by startssl for my server
>> 2 & 3 - the PEM files for StartSSL as found at 
>> http://www.startssl.com/certs/
>> 
> 
> 
> That is the correct chain method, and order 
> 
> 
>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate 
>> Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
> 
> 
> 
> Never panic about the above, it is just indicating (rightly so) you
> have a local certificate (the first) in your chain.
> 
> 
>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> 
> correct method, so long as the cert and key files are named correctly
> and in the right location.
> 
> 
>> ssl = required
> 
> Bit dangerous... and may be the cause of your problems,  change to :
> ssl = yes
> 
> 
> We use startssl and have many android, blackberry, and iphone users
> (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop
> types and never had any problems with them using startssl

Hmmm, I tried ssl = yes.  Mail.app still crashes when trying to connect.

I also tried the cert bundle mentioned by Johan.

The server says:

Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=<8+862VzmPwCtMcPW>

What is this… read client certificate?  There is no client certificate in this config.

: doveconf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64  
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=BLF-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_cert = </usr/local/etc/ssl/testing.chain.pem
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}


-- 
Dan Langille - http://langille.org
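Editor's note, with an added example that is not code from the thread or from Dovecot. The chain file built by the cat command above has the order a TLS server must present (server certificate first, then each issuer up to the root), and the s_client output quoted in the thread is what openssl prints when it can build that chain but has no trusted copy of the root: verify error 19, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN. Re-running s_client with -CAfile pointing at the StartSSL root turns that into "Verify return code: 0 (ok)" if the chain is right. The Dovecot log line is the other half of the same check: where=0x2002 is SSL_ST_ACCEPT|SSL_CB_EXIT, the server-side accept state machine giving up, and "SSLv3 read client certificate A" is the state in OpenSSL's state machine of that era where the server waits for the client's next message after sending its certificate chain and ServerHelloDone, whether or not a client certificate was requested; a client that drops the connection at that point has usually just rejected the chain it received. The script below builds a throw-away test PKI (made-up names standing in for the StartSSL root and Class 1 intermediate, an assumed hostname imaps.example.test), assembles the chain in the thread's order, checks that each certificate is issued by the next one, checks that the key file belongs to the first certificate, and runs openssl verify both without and with a trust anchor to show error 19 next to the OK result. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throw-away test PKI whose
# made-up names stand in for the StartSSL root and Class 1 intermediate,
# assembles the chain file in the order the thread uses (server cert, then
# intermediate, then root) and runs the checks worth doing before pointing
# Dovecot's ssl_cert at it. Needs only the openssl command-line tool.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="imaps.example.test"   # assumed hostname, not the one in the thread

# Constructed test certificates: root -> intermediate -> server. All are made
# with 'x509 -req -extfile' so the extensions do not depend on the local openssl.cnf.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/server.ext"
    # Self-signed root (stands in for ca.pem).
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Test/CN=Example Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
    # Intermediate signed by the root (stands in for sub.class1.server.ca.pem).
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Test/CN=Example Test Class 1 Server CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/sub.class1.server.ca.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SERVER_NAME" \
        -keyout "$WORK/$SERVER_NAME.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/sub.class1.server.ca.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -out "$WORK/$SERVER_NAME.pem" 2>/dev/null
}

# Split a PEM bundle into $2/cert01.pem, cert02.pem, ... and print the count.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > f }
        END { print n + 0 }' "$1"
}

# Each certificate must be issued by the one that follows it: that is the order
# a TLS server has to send and the order the thread's cat command produces.
chain_order_ok() {
    dir="$WORK/split.$$"; rm -rf "$dir"
    count=$(split_chain "$1" "$dir")
    [ "$count" -ge 2 ] || { echo "only $count certificate(s) in $1"; return 1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        this=$(printf '%s/cert%02d.pem' "$dir" "$i")
        next=$(printf '%s/cert%02d.pem' "$dir" "$((i + 1))")
        issuer=$(openssl x509 -in "$this" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$next" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "wrong order at certificate $i: issued by '${issuer#issuer=}', next is '${subject#subject=}'"
            return 1
        fi
        i=$((i + 1))
    done
    echo "chain order OK: $count certificates, server certificate first"
}

# Verify the server certificate with the chain file as untrusted intermediates,
# the path openssl s_client builds. With no trust anchor for the root the
# result is error 19 (self signed certificate in certificate chain); with the
# root given as -CAfile it is OK.
verify_server_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -no-CAfile -no-CApath -untrusted "$2" "$1"
    fi
}

# ssl_key must belong to the first certificate in ssl_cert; compare the public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

make_test_pki
# The thread's recipe: server cert, then intermediate, then root.
cat "$WORK/$SERVER_NAME.pem" "$WORK/sub.class1.server.ca.pem" "$WORK/ca.pem" > "$WORK/testing.chain.pem"
chain_order_ok "$WORK/testing.chain.pem"
if key_matches_cert "$WORK/testing.chain.pem" "$WORK/$SERVER_NAME.key"; then
    echo "ssl_key matches the first certificate in the chain"
fi
echo "-- verify with no trust anchor (s_client without -CAfile on a host that lacks the root):"
verify_server_cert "$WORK/$SERVER_NAME.pem" "$WORK/testing.chain.pem" || true
echo "-- verify with the root as trust anchor (s_client -CAfile ca.pem):"
verify_server_cert "$WORK/$SERVER_NAME.pem" "$WORK/testing.chain.pem" "$WORK/ca.pem"
```

Against a live server the equivalent of the last two steps is `openssl s_client -connect imaps.unixathome.org:993 -CAfile ca.pem`, which should end with "Verify return code: 0 (ok)" once the chain file and key are right; the order and key checks can be run as-is on the real testing.chain.pem and .key files by calling chain_order_ok and key_matches_cert on them.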
