STARTTLS issue with sieve

Andreas Oster aoster at novanetwork.de
Fri Jul 7 09:15:05 EEST 2017


Hi all,

I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks 
ago I had to replace our dovecot certificate due to expiration. In the 
past I used a self-signed certificate, but because we now have a 
little openssl based CA I have decided to create a signed certificate for 
imaps. Dovecot is happily accepting the new certificate, which has 
integrated the whole cert-chain. Unfortunately Pigeonhole does not seem 
to like the certificate:

<--snip

gnutls-cli --starttls -p4190 mail.novanetwork.local

Processed 173 CA certificate(s).
Resolving 'mail.novanetwork.loc'...
Connecting to '10.2.1.23:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include 
variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

STARTTLS
OK "Begin TLS negotiation now."

-->

At this point the TLS process does not proceed. When I press CTRL-D I 
get the following output:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA 
Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer 
`C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA 
Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed 
using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires 
`2020-06-22 06:58:40 UTC', SHA-1 fingerprint 
`51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
         Public Key ID:
                 165eaaa4b36c091ec8f32103da003a1f43b1c57d
         Public key's random art:
                 +--[ RSA 2048]----+
                 |  .o..           |
                 |. .o. . E        |
                 |o..    .. .      |
                 |= o    . +       |
                 |+* o  . S        |
                 |o==. o o         |
                 | .=o+..          |
                 |  .ooo           |
                 |   .o            |
                 +-----------------+

- Certificate[1] info:
  - subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen 
GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer 
`C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen 
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using 
RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03 
11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
- Certificate[2] info:
  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA 
Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer 
`C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen 
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using 
RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30 
11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed


I have checked the certificate with:

openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem 
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK

and also with:

openssl verify -verbose -CAfile 
/etc/ssl/certs/mail.novanetwork.local.cert.pem 
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK



Does anyone have an idea what could be the cause of the problem and how 
to fix it?

Thank you for your kind help.

best regards
Andreas
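The gnutls-cli output above shows the server sending all three certificates (leaf, NOVA Intermediate CA, NOVA Root CA) and the client still reporting "The certificate issuer is unknown": the 173 CAs gnutls-cli loaded are the system trust store, which does not contain the private NOVA Root CA. The two `openssl verify` runs in the post both succeed because the file passed as `-CAfile` already contains that private root, so the root is trusted by construction. The script below is an added example, not code from the original post or from Dovecot/Pigeonhole: it builds a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI (constructed names, `mail.example.test`, `Example Root CA` and so on) and runs `openssl verify` with four different trust stores so the outcomes can be compared side by side. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot/Pigeonhole).
# All names, files and the hostname mail.example.test are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extension files for certificates signed with "openssl x509 -req".
# The intermediate must carry CA:TRUE or openssl rejects it as an invalid CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# selfsigned_ca NAME OUTBASE: create a self-signed CA certificate and key.
selfsigned_ca() {
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/O=Example/CN=$1" -keyout "$2.key" -out "$2.pem" \
        >/dev/null 2>&1
}
# issue NAME OUTBASE CABASE EXTFILE: create a CSR and sign it with CABASE.
issue() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=$1" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$4" -out "$2.pem" >/dev/null 2>&1
}

selfsigned_ca 'Example Root CA' root          # the private root (plays the NOVA Root CA)
selfsigned_ca 'Unrelated Public Root' other   # stands in for a system trust store
issue 'Example Intermediate CA' int root ca.ext
issue 'mail.example.test' leaf int leaf.ext

# chain.pem plays two roles: the poster's ca-chain.cert.pem (intermediate + root)
# and the extra certificates a server sends along with its leaf certificate.
cat int.pem root.pem > chain.pem

# verify_with TRUSTSTORE [SENT]: verify leaf.pem against TRUSTSTORE, optionally
# with SENT as untrusted chain material; prints OK or FAIL instead of aborting.
verify_with() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

echo "trust store = chain file (the poster's check):       $(verify_with chain.pem)"           # OK
echo "trust store = private root, server sends the chain:  $(verify_with root.pem chain.pem)"  # OK
echo "trust store = private root, no intermediate sent:    $(verify_with root.pem)"            # FAIL
echo "trust store = public roots only, chain sent anyway:  $(verify_with other.pem chain.pem)" # FAIL
```

The last line is the situation in the gnutls-cli transcript: the server sends a complete chain, but a client whose store lacks the private root still fails, and `openssl verify` reports a self-signed certificate in the chain for the same reason gnutls reports an unknown issuer. To reproduce the client's view against the private root rather than the system store, gnutls-cli accepts `--x509cafile /path/to/root.pem` alongside `--starttls -p 4190`, and `openssl s_client -connect host:4190 -CAfile /path/to/root.pem` does the same in versions whose `-starttls` option accepts `sieve`.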

