TLS handshake issue

John Oliver joliver at john-oliver.net
Thu Mar 17 17:18:47 UTC 2016


dovecot-2.0.9 on CentOS 6.7

The system in question is not connected to the Internet, so I can't
copy-and-paste.  I have to type anything required :-(

Brand-new out-of-the-box install with a really minimal dovecot.conf
including:

service imap-login {
  inet_listener imaps {
    address = 192.168.1.10
    port = 143
    ssl = yes
  }
}

ssl_cert=</etc/pki/tls/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_key =</etc/pki/tls/private/dovecot.pem


That's very, very similar to an existing dovecot server on an old VM I
need to replace.  Certs are self-signed, I know that's a horrible thing
to do, but right now we don't have any choice.  I'm connecting with
Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice
about :-/  The Apple Mail just sits there stupidly.  Its "Connection
Doctor" just helpfully reports that it can't establish a connection.  I
can use 'openssl s_client -showcerts -connect mail:143' and see what I
expect to see.  The dovecot log with lots of verbosity enabled tells me:

imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200,
lip=192.168.1.10, TLS handshaking: Disconnected
auth: Debug: auth client connected (pid=21006)
imap-login: Warning: SSL: where=0x10, ret=1: before/accept
initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client
hello A [192.168.1.200]


And that's it... those lines get repeated every minute that Mail is
running.  I'm not seeing anything in any logs that even hints at what
it's unhappy about, or any way to increase verbosity any more.

Any hints appreciated!

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
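
The where= values in the log lines quoted above are OpenSSL info-callback bitmasks. As an added example (not part of the original post and not Dovecot's own code), this Python decoder names the bits using the constants from OpenSSL's <openssl/ssl.h> and reports the last handshake state logged per client. The function names are hypothetical, the regex covers only the log form shown in the post, and the sample lines are re-typed from the post with the e-mail wrapping joined.

```python
import re

# "where" bits from OpenSSL's <openssl/ssl.h> info-callback constants.
WHERE_BITS = [
    (0x1000, "ST_CONNECT"),       # client-side handshake
    (0x2000, "ST_ACCEPT"),        # server-side handshake
    (0x4000, "CB_ALERT"),         # a TLS alert was sent or received
    (0x10, "CB_HANDSHAKE_START"),
    (0x20, "CB_HANDSHAKE_DONE"),
    (0x01, "CB_LOOP"),            # state change inside the handshake
    (0x02, "CB_EXIT"),            # handshake function returned (done, error, or would block)
    (0x04, "CB_READ"),
    (0x08, "CB_WRITE"),
]

# Matches only the "SSL: where=..., ret=...: <state> [<ip>]" form seen in the post.
LINE_RE = re.compile(
    r"SSL: where=0x([0-9a-fA-F]+), ret=(-?\d+): (.*?)\s*\[([^\]]+)\]\s*$")

def decode_where(where):
    """Return the names of the known bits set in an info-callback where value."""
    return [name for bit, name in WHERE_BITS if where & bit]

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an SSL event."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    where = int(m.group(1), 16)
    return {"rip": m.group(4), "where": where, "ret": int(m.group(2)),
            "state": m.group(3), "flags": decode_where(where)}

def last_event_per_client(lines):
    """Last SSL event seen for each remote IP: where its handshake stopped."""
    last = {}
    for line in lines:
        ev = parse_line(line)
        if ev:
            last[ev["rip"]] = ev
    return last

# Log lines re-typed from the post, with the e-mail line wrapping joined.
SAMPLE = [
    "imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]",
    "imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]",
    "imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]",
]

if __name__ == "__main__":
    for rip, ev in last_event_per_client(SAMPLE).items():
        print(f"{rip}: stopped at '{ev['state']}' ({'|'.join(ev['flags'])})")
```

For the lines in the post, the last event decodes to ST_ACCEPT|CB_EXIT in state "SSLv2/v3 read client hello A": the server-side handshake function returned while still in the state that reads the ClientHello.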

