Dovecot dsync 'ssl_client_ca'

Markus Ueberall ueberall at projektzentrisch.de
Mon Feb 6 14:05:24 UTC 2017


Dear Thierry,

- Have you checked that port 12345 as specified below is open/forwarded
and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
- Did you retrace your steps and have you verified that synchronisation
works with ssl disabled?
- Did you verify your certificate files (e.g., "openssl verify -verbose
-CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?

Personally, I prefer to use a single, specialised tool to manage
certificates/encryption (which in my case is stunnel); all other
programs are set up using (link-)local IP addresses only. If everything
but encryption works with your setup, this might be a possible
"workaround". (Apart from that, stunnel debug mode is very detailed and
can help you to rule out problems with the certificates/connections
between two nodes.)
And once the latter works but the dovecot setup below still does not, it
would also point to a problem with certificate handling by dovecot
(could be library related).

KR, Markus
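The checks Markus lists above (is the doveadm port actually bound, does the certificate chain verify) together with Aki's point about the '<' prefix, as an added example that is not part of any mail in this thread: a POSIX sh lint over a config snippet constructed from Thierry's posted settings. The functions conf_get, lint_dsync_ssl, listener_check_cmd and chain_check_cmd are hypothetical helpers written for this example; the ss and openssl command lines are only built, not executed, so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. CONF is constructed from Thierry's posted
# settings, with the '<' on ssl_client_ca_file (the mistake Aki pointed out) kept.
CONF='ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
doveadm_port = 12345
service doveadm {
  inet_listener {
    port = 12345
    ssl = yes
  }
}'
# Value of the first top-level "key = value" line in $2 for key $1 (empty if absent).
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Echo one finding per line and return the number of findings (0 = looks sane).
lint_dsync_ssl() {
    conf=$1; n=0
    ca=$(conf_get ssl_client_ca_file "$conf")
    # ssl_client_ca_file takes a plain path; the '<' prefix belongs only to settings
    # such as ssl_cert/ssl_key, where Dovecot reads the file contents inline.
    case "$ca" in
        '<'*) echo "ssl_client_ca_file wants a plain path, drop the '<': $ca"; n=$((n+1)) ;;
        '')   echo "ssl_client_ca_file unset: dsync cannot verify the remote cert"; n=$((n+1)) ;;
    esac
    for k in ssl_cert ssl_key; do
        v=$(conf_get "$k" "$conf")
        case "$v" in '<'*) ;; *) echo "$k should read the file with '<': $v"; n=$((n+1)) ;; esac
    done
    # doveadm_port must be the port the "service doveadm" inet_listener binds.
    dport=$(conf_get doveadm_port "$conf")
    lport=$(printf '%s\n' "$conf" | sed -n '/inet_listener/,/}/s/^[[:space:]]*port[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$dport" ] && [ "$dport" = "$lport" ] || { echo "doveadm_port ($dport) != listener port ($lport)"; n=$((n+1)); }
    return "$n"
}

# Command lines for the two runtime checks Markus suggests (built here, not run).
listener_check_cmd() { printf 'ss -tlnp | grep ":%s "\n' "$1"; }
chain_check_cmd() { printf 'openssl verify -verbose -CAfile %s %s\n' "$1" "$2"; }

# Same config with the '<' removed from ssl_client_ca_file, as Thierry later did.
FIXED=$(printf '%s\n' "$CONF" | sed 's/^ssl_client_ca_file = </ssl_client_ca_file = /')
lint_dsync_ssl "$CONF" || echo "original config: $? finding(s)"
lint_dsync_ssl "$FIXED" && echo "fixed config: ok"
```

Run `listener_check_cmd 12345 | sh` and `chain_check_cmd CA.pem server.crt | sh` on the real host to perform the two runtime checks; the lint itself only covers the settings file.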


On 06.02.2017 at 07:36, Thierry wrote:
> Hi Aki,
>
> I do not have any error message but (on both servers):
>
> doveadm replicator status '*'
> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
>
> Thx
>
>
> On Friday, 3 February 2017 at 17:09:52, you wrote:
>
>> Please keep responses on the list. rm -f
>> /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
>
>> On 2017-02-03 17:00, Thierry wrote:
>>> Hi,
>>>
>>> I have removed the '<' :
>>>
>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>>
>>> But now:
>>>
>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>
>>> Any idea?
>>>
>>> Thx
>>>
>>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>>> Aki
>>>> On 2017-02-03 15:13, Thierry wrote:
>>>>> Hi,
>>>>>
>>>>> I have made change:
>>>>>
>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>> ssl = required
>>>>> verbose_ssl = no
>>>>> ssl_key = </etc/ssl/private/private.key
>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>>
>>>>>
>>>>> # Create a listener for doveadm-server
>>>>> service doveadm {
>>>>>     user = vmail
>>>>>     inet_listener {
>>>>>       port = 12345
>>>>>       ssl= yes
>>>>>     }
>>>>> }
>>>>>
>>>>> and  doveadm_port = 12345    // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>>>
>>>>> And now:
>>>>>
>>>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>>
>>>>> Thx for your support
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, 3 February 2017 at 11:34:43, you wrote:
>>>>>
>>>>>> Hello,
>>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Still working with my dsync pb.
>>>>>>> I have done a clone (vmware) of my email server.
>>>>>>> Today I have two strictly identical email servers (server1
>>>>>>> (main) and server2 (bck) (except IP, hostname and mail_replica).
>>>>>>>
>>>>>>> The SSL config on both my servers:
>>>>>>>
>>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>>> ssl = required
>>>>>>> verbose_ssl = no
>>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>>> I think it should be ssl_client_ca_file =
>>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>>> This config is working for my email client and my email web
>>>>>>> interface ...
>>>>>>>
>>>>>>> Are they in the right order?
>>>>>>>
>>>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>>>
>>>>>>> There is traffic on my iptables rules on both my servers:
>>>>>>>
>>>>>>> 60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4711
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> My error message from server1 (main server):
>>>>>>>
>>>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>
>>>>>>> No logs from server2
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thx for your support
>>>>>>>
>>>>>>>