[Dovecot] SSL with startssl.com certificates

Daniel Reinhardt cryptodan at gmail.com
Sat Sep 14 22:28:31 EEST 2013


Are you getting asked to add an exception to the email application's
certificate dialogue box?

This is an example with Thunderbird.

http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

Dan


On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille <dan at langille.org> wrote:

>
> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>
> > On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
> >
> >
> >> Perhaps I am doing the chain incorrectly.  I just tried again.  The
> >> server is now set up with the following:
> >>
> >> I have three certs in this chain file:
> >>
> >> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem >
> >> testing.chain.pem
> >>
> >> 1 - the certificate issued by startssl for my server
> >> 2 & 3 - the PEM files for StartSSL as found at
> >> http://www.startssl.com/certs/
> >>
> >
> >
> > That is the correct chain method, and order
> >
> >
> >> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> >> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> >> Signing/CN=StartCom Certification Authority
> >> verify error:num=19:self signed certificate in certificate chain
> >
> >
> >
> > Never panic about the above, it is just indicating (rightly so) you
> > have a local certificate (the first) in your chain.
> >
> >
> >> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
> >> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> >
> > correct method, so long as the cert and key files are named correctly
> > and in the right location.
> >
> >
> >> ssl = required
> >
> > Bit dangerous... and may be the cause of your problems,  change to :
> > ssl = yes
> >
> >
> > We use startssl and have many android, blackberry, and iphone users
> > (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop
> > types and never had any problems with them using startssl
>
> Hmmm, I tried ssl = yes.  Mail.app still crashes when trying to connect.
>
> I also tried the cert bundle mentioned by Johan.
>
> The server says:
>
> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed:
> where=0x2002: SSLv3 read client certificate A [173.49.195.214]
> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts
> in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS
> handshaking: Disconnected, session=<8+862VzmPwCtMcPW>
>
> What is this… read client certificate?  There is no client certification
> in this config.
>
> : doveconf -n
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
>
>
> --
> Dan Langille - http://langille.org
>
>


-- 
Daniel Reinhardt
cryptodan at cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
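An added example, not from the thread and not Dovecot's own code: a POSIX shell script that builds a throwaway three-cert chain file in the same order the quoted message uses (server, sub CA, root) and checks that each certificate's issuer is the next one's subject before the file is handed to ssl_cert. It assumes the openssl CLI is installed; every certificate is generated locally and all names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build the same three-cert chain file the
# quoted message does (server, sub CA, root) and check its order before
# handing it to Dovecot's ssl_cert. Needs the openssl CLI; every cert is a
# throwaway generated below, and all names are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: root CA -> intermediate -> server leaf (2-day validity).
mkpki() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > sub.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
    -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -days 2 -in sub.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile sub.ext -out sub.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imaps.example.invalid" \
    -keyout srv.key -out srv.csr 2>/dev/null
  openssl x509 -req -days 2 -in srv.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -out srv.pem 2>/dev/null
  cat srv.pem sub.pem ca.pem > good.chain.pem   # the order used in the thread
  cat ca.pem sub.pem srv.pem > bad.chain.pem    # reversed: what to catch
)

# check_chain FILE: 0 if, read leaf-first, each cert's issuer is the next cert's
# subject; 1 if any link is broken. A trailing root is allowed but not required
# (Dovecot only needs the server cert plus intermediates in ssl_cert).
check_chain() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERT/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  n=$(ls "$d" | wc -l | tr -d ' '); i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer -in "$d/$i.pem")
    sub=$(openssl x509 -noout -subject -in "$d/$((i+1)).pem")
    [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=1
    i=$((i+1))
  done
  rm -rf "$d"; return $ok
}

# verify_leaf: the path check s_client performs, with the throwaway root given
# as trust anchor so it does not report error 19 the way the thread shows.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/sub.pem" "$WORK/srv.pem" >/dev/null
}

mkpki && check_chain "$WORK/good.chain.pem" && verify_leaf && echo "chain order OK"
```

Run it against a real chain with `check_chain /path/to/chain.pem`; a non-zero exit means the concatenation order (or one of the PEM files) is wrong.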

