LMPT SSL

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Jul 27 13:03:29 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 27 Jul 2015, Piotr Rotter wrote:

> I tryed to eneble TLS connection from postfix to dovecot lmtp. Unfortunely I 
> have problem with certificate, postfix shows,

post the output of doveconf -n

>
> 2015-07-27T12:51:15.025333+02:00 k30 postfix/lmtp[4572]: Untrusted TLS 
> connection established to 192.168.67.30[192.168.67.30]:24: TLSv1.2 with 
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I checked certs by openssl s_client:
> #openssl s_client -connect localhost:24 -showcerts -starttls smtp -CApath 
> /etc/ssl/certs/
>
> And I gets
>
> didn't found starttls in server response, try anyway...
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = 
> Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = 
> Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = 
> Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> It look likes dovecot lmtp send 3 times the same certificate.
> I made the same test for imap in the same dovecot instance:
>
> #openssl s_client -connect localhost:143 -showcerts -starttls imap -CApath 
> /etc/ssl/certs/
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
> verify return:1
> depth=0 OU = GT46258006, OU = See www.rapidssl.com/resources/cps (c)15, OU = 
> Domain Control Validated - RapidSSL(R), CN = mail.active24.pl
> verify return:1
>
> For imap it looks ok. Why lmtp shows wrong certs list
>
> # dovecot --version
> 2.2.16
>
>

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVbYsIXz1H7kL/d9rAQIDbgf/UTzRhj6ZiiuknCHjmmFRwdbTk+qclXbo
vo2XtuH6V3WcuBoHwRedOiTuGH5g8WO2A+tl9wSSSvtw9TWurt2lLMfUsemWO4r4
zv7SwkTn2CVCIbZmC/3D1kqXHm08fuSo9Vn5/tgfgdOFwt5r4VfNkkp+zm72wFWT
o6uzL+EXSGEqnm/R1hFdC9cDZqKuzQ3MK+8qasoCPgMAr4svN0lwdi+yATaxzjgj
MviyKpdtQmA9gKRfLhptVcIP17rRNkoZKCS/Eboy6g/Rjf8c4C4Hn7lUbnx+kCVe
Xk4Z2cmlPhl17iyvzo8Tvyeuu/gxDEXfa/xgwRGhp0xx3c+WBOrJSg==
=a+SK
-----END PGP SIGNATURE-----

More information about the dovecot mailing list