Problem with TLS and Outlook 2010

Wayne Andersen wayne.andersen at clima-tech.com
Thu Dec 11 23:06:30 UTC 2014


Dovecot 2.0.9

 

So I am trying to get my Outlook 2010 client to use TLS with Dovecot.

The Outlook error that I get is: 

 

Log onto incoming mail server (IMAP): A secure connection to the server
cannot be established.

I have set the port to 143, 993 and 995 (none of them work) and the security to
TLS.

 

I have all of the certificates in the full chain installed on my machine and
when viewing them they all show “This certificate is OK.”

 

I have turned on Outlook logging and am seeing this:

 

C:\PROGRA~2\MICROS~2\Office14\OUTLMIME.DLL
IMAP: 14:48:40 [db] Intializing connection [131383B0]

 

IMAP: 14:48:40 [db] Setting internal codepage to 1200

 

IMAP: 14:48:40 [db] Connecting to 'mail.mydomain.com' on port 143.

IMAP: 14:48:40 [db] OnNotify: asOld = 0, asNew = 2, ae = 0

IMAP: 14:48:40 [db] srv_name = "mail.mydomain.com" srv_addr =
174.46.198.101:143

IMAP: 14:48:40 [db] OnNotify: asOld = 2, asNew = 3, ae = 1

IMAP: 14:48:40 [db] OnNotify: asOld = 3, asNew = 4, ae = 0

IMAP: 14:48:40 [db] OnNotify: asOld = 4, asNew = 5, ae = 2

IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 4

IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3

IMAP: 14:48:40 [rx] * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.    <----- not seeing the STARTTLS
capability here.

IMAP: 14:48:40 [tx] sx59 CAPABILITY

IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3

IMAP: 14:48:40 [rx] * CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN
AUTH=LOGIN

IMAP: 14:48:40 [rx] sx59 OK Capability completed.

IMAP: 14:48:40 [db] ERROR: "A secure connection to the server cannot be
established.", hr=0x800CCCE1

IMAP: 14:48:40 [db] Connection to 'mail.mydomain.com' closed.

IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 0, ae = 5

 

 

From a Windows 7 client, if I do a telnet mail.mydomain.com 143 I get:

* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN]
Dovecot ready. <---  do not see STARTTLS in the capability list.

 

Same Windows client:

C:\OpenSSL-Win64\bin>openssl.exe s_client -connect mail.mydomain.com:993

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Loading 'screen' into random state - done

CONNECTED(0000018C)

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority

verify error:num=20:unable to get local issuer certificate  <--- Yes, I see
this and it may be an issue, but this certificate exists and is valid.

verify return:0

---

Certificate chain

0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com

   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA

1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA

   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority

2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority

   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root

---

Server certificate


subject=/OU=Domain Control Validated/OU=COMODO SSL
Wildcard/CN=*.mydomain.com

issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
RSA Domain Validation Secure Server CA

---

No client certificate CA names sent

---

SSL handshake has read 5169 bytes and written 497 bytes

---

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : DHE-RSA-AES256-GCM-SHA384

    Session-ID:
281D21C81FA6E7656B9CA2BD13590DDE0094CC8FA43FFD31DFEEDEC74F2511BF

    Session-ID-ctx:

    Master-Key:
AF36CFDBBAA955270A48E2E9740F671299511DA1B3EEAFFAEC582E100DE519EC7CBC612ED686
DBBBFE06B9D6E535B837

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    TLS session ticket lifetime hint: 300 (seconds)

    TLS session ticket:


 

    Start Time: 1418336961

    Timeout   : 300 (sec)

    Verify return code: 20 (unable to get local issuer certificate)

---

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

e logout

closed

 

 

 

 

From a Linux client I get:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

I do see STARTTLS here.

 

From a Linux client:

openssl s_client -connect localhost:993

 

CONNECTED(00000003)

depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root

verify return:1

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Certification Authority

verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited,
CN = COMODO RSA Domain Validation Secure Server CA

verify return:1

depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN =
*.mydomain.com

verify return:1

---

Certificate chain

0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com

   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA

1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Domain Validation Secure Server CA

   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority

2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority

   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root

---

Server certificate


subject=/OU=Domain Control Validated/OU=COMODO SSL
Wildcard/CN=*.mydomain.com

issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
RSA Domain Validation Secure Server CA

---

No client certificate CA names sent

---

SSL handshake has read 5169 bytes and written 453 bytes

---

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : DHE-RSA-AES256-GCM-SHA384

    Session-ID:
8357FF1D37476EEF1BE64DE443EFFBBED9CE375EA8CA5F1C5ED628B52E723D8F

    Session-ID-ctx:

    Master-Key:
D6906D40FF47E7ED278AF4D0B143407A53955DA97365A09881EA0C68AAF3B879CB3136A7783B
18A46FD0A0634CBDC17D

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    TLS session ticket lifetime hint: 300 (seconds)

    TLS session ticket:


 

    Start Time: 1418337012

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

e logout

closed

 

 

 

doveconf -n | grep ssl

 

# 2.0.9: /etc/dovecot/dovecot.conf

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL

ssl_key = </etc/pki/dovecot/private/dovecot.key
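The observation worth pinning down in this report is that the same port 143 advertises STARTTLS to the Linux box (tested on localhost) but not to the Windows client, and the Windows-side banner has also lost LITERAL+, SASL-IR, ID and ENABLE and changed case. Outlook's "TLS" setting on 143 needs STARTTLS in the capability list, so a banner without it ends in exactly the 0x800CCCE1 error shown. The script below is an added example, not part of this thread or of Dovecot: it parses the two greetings quoted above and reports which capabilities disappear between the two vantage points, and it includes two small probe helpers (hypothetical names, host supplied by the caller) to collect the same greetings live so the comparison can be repeated from any client network.

```python
import re
import socket
import ssl

# Greetings exactly as quoted in the post (constructed test input for this example)
WINDOWS_PORT143_GREETING = ("* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE "
                            "AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
LINUX_PORT143_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                          "ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting):
    """Return the capability set from an IMAP greeting's CAPABILITY response code.
    Upper-cased because the two greetings in the post differ in case (IMAP4REV1 vs IMAP4rev1)."""
    m = _CAP_RE.search(greeting)
    if not m:
        raise ValueError("no CAPABILITY response code in greeting: %r" % greeting)
    return {cap.upper() for cap in m.group(1).split()}


def compare_paths(reference, observed):
    """Diff the capabilities seen on a trusted path (e.g. localhost) against a client path.
    A STARTTLS that is present at the server but gone at the client means something between
    the two is rewriting the banner, and the client will then refuse to negotiate TLS on 143."""
    ref, obs = parse_capabilities(reference), parse_capabilities(observed)
    return {"missing": sorted(ref - obs), "extra": sorted(obs - ref),
            "starttls_stripped": "STARTTLS" in ref and "STARTTLS" not in obs}


def probe_greeting(host, port=143, timeout=5):
    """Read the cleartext greeting on 143 and log out; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.makefile("r", encoding="ascii", errors="replace").readline().rstrip("\r\n")
        s.sendall(b"a1 LOGOUT\r\n")
    return greeting


def probe_implicit_tls(host, port=993, timeout=5):
    """Read the greeting over implicit TLS on 993, verifying the chain against the platform
    trust store (unlike the Windows openssl.exe run above, which had no CA bundle configured)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            greeting = s.recv(1024).decode("ascii", "replace").rstrip("\r\n")
            s.sendall(b"a1 LOGOUT\r\n")
    return greeting


if __name__ == "__main__":
    print(compare_paths(LINUX_PORT143_GREETING, WINDOWS_PORT143_GREETING))
```

Run `probe_greeting` from the Windows client and from the server itself and feed both results to `compare_paths`; if the live diff matches the quoted one, the banner is being altered on the client's network path rather than by Dovecot.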

 


