Client app says my chained Comodo cert is invalid

Jerry Krinock jerry at ieee.org
Wed Jul 27 21:03:11 UTC 2016


I’ve configured Dovecot and Postfix on a new VPS running Ubuntu 16.04, using Linode’s tutorial [1], to require authentication and SSL encryption for both POP3 and SMTP.  All looks OK to me except, when my email client app (macOS Mail.app) tries to log in, it says that my cert is invalid. 

The trouble appears when I attempt to configure a client account in Mail.app on my Mac.  For the POP server name, I enter my VPS’ “45.56.81.181”, because public DNS is still pointing to my existing host.  I set the account to use the Apple TLS certificate, and then click to save this new account info.  Before saving, Mail.app checks my entries by attempting to log in.  The result is: “The identity of server 45.56.81.181 cannot be verified.  The certificate for this server is invalid.”  At the same time, on my new server, some entries appear in /var/log/mail.log [2].

The certificate in question is a new PositiveSSL/Comodo cert I bought the other day.  It works OK for serving web pages - I mean, on this same Mac, when I visit my under-construction site at https://45.56.81.181 in Safari or Firefox, I get the padlock icon and no warnings.

Comodo gave me two files, a “.crt” which contains my cert, and a “.ca-bundle.crt” which contains their certs.  Per Dovecot documentation, I concatenated these into a “chained” file containing all 3 certs, starting with mine.  In /etc/dovecot/conf.d/10-ssl.conf, I set ssl_cert = this “chained” file.

I tried adding the two original cert files to macOS Keychain.app with “Always trust” but that did not help.

Being new at this, I would appreciate any suggestions.  My `dovecot -n` output is below [3].

Thank you very much!

Jerry Krinock


[1] https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql

**************************************************

[2]  /var/log/mail.log entries when client attempts login

Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: message repeated 6 times: [ pop3-login: Debug: SSL: where=0x2001, ret=1: unknown state [24.4.251.228]]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Warning: SSL failed: where=0x2002: unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL error: Disconnected
Jul 27 12:22:19 bird dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.4.251.228, lip=45.56.81.181, TLS handshaking: Disconnected, session=<8HuX76I4p8gYBPvk>

Yes, 24.4.251.228 is the IP address of my Mac.

**************************************************

[3]  Output from `dovecot -n`

# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.5.5-x86_64-linode69 x86_64 Ubuntu 16.04 LTS ext4
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/sheepsystems_com_chained.crt
ssl_key = </etc/ssl/localcerts/linode.sheepsystems.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
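As an added example (not part of the post above, and not Dovecot's or Comodo's code), the script below builds a throwaway CA and a leaf cert, concatenates them in the leaf-first order the post describes for Dovecot's ssl_cert, and then runs the two separate checks a mail client performs on what the server presents: that the chain validates up to a trusted root, and that the name the client connected by is actually covered by the leaf's subjectAltName. The CA name, the hostname mail.example.test and the IP 192.0.2.10 are constructed placeholders; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed CA, leaf and chain; nothing here is real infrastructure.
set -e
WORK=$(mktemp -d)
HOST="mail.example.test"   # assumed DNS name the certificate is issued for
IP="192.0.2.10"            # assumed address a client might connect by instead (TEST-NET-1)

# 1. Throwaway root CA (stands in for the vendor's ca-bundle; relies on openssl's
#    default of marking a self-signed "req -x509" certificate as a CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# 2. Leaf key + CSR, signed by the CA with a DNS-only SAN, like a typical domain cert.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -set_serial 1 -days 1 -extfile "$WORK/san.ext" -out "$WORK/leaf.crt" 2>/dev/null
# 3. Chained file in the order Dovecot expects: server cert first, then issuer(s).
cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/chained.crt"

# Extract the first PEM block (the server's own cert) from a chained file.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1"
}

# chain_ok CHAINFILE ROOTFILE: succeeds if the leaf validates, using the
# issuers bundled in CHAINFILE as untrusted intermediates, up to ROOTFILE.
chain_ok() {
  first_cert "$1" > "$WORK/leaf_only.pem"
  openssl verify -CAfile "$2" -untrusted "$1" "$WORK/leaf_only.pem" >/dev/null 2>&1
}

# name_ok CHAINFILE NAME: succeeds if NAME (a DNS name or a literal IP) is
# covered by the leaf's SAN; this is the check that is independent of the chain.
name_ok() {
  first_cert "$1" > "$WORK/leaf_only.pem"
  case "$2" in
    *[!0-9.]*) openssl x509 -in "$WORK/leaf_only.pem" -noout -checkhost "$2" ;;
    *)         openssl x509 -in "$WORK/leaf_only.pem" -noout -checkip   "$2" ;;
  esac | grep -q 'does match'
}

# Demonstration: the chain is fine, yet only one of the two names is accepted.
chain_ok "$WORK/chained.crt" "$WORK/ca.crt" && echo "chain: validates to root"
for name in "$HOST" "$IP"; do
  if name_ok "$WORK/chained.crt" "$name"; then echo "$name: covered by leaf SAN"
  else echo "$name: NOT in leaf SAN, a client connecting by this name rejects the cert"; fi
done
```

The temporary directory is left in place so the generated files can be inspected with `openssl x509 -in "$WORK/leaf.crt" -noout -text`.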
