STARTTLS issue with sieve

Andreas Oster aoster at novanetwork.de
Thu Jul 13 08:21:31 EEST 2017


On 07.07.2017 at 08:15, Andreas Oster wrote:
> Hi all,
> 
> I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks 
> ago I had to replace our dovecot certificate due to expiration. In the 
> past I did use a self-signed certificate, but because we now have a 
> little openssl based CA I have decided to create a signed certificate for 
> imaps. Dovecot is happily accepting the new certificate which has 
> integrated the whole cert-chain. Unfortunately Pigeonhole does not seem 
> to like the certificate:
> 
> <--snip
> 
> gnutls-cli --starttls -p4190 mail.novanetwork.local
> 
> Processed 173 CA certificate(s).
> Resolving 'mail.novanetwork.loc'...
> Connecting to '10.2.1.23:4190'...
> 
> - Simple Client Mode:
> 
> "IMPLEMENTATION" "Dovecot Pigeonhole"
> "SIEVE" "fileinto reject envelope encoded-character vacation subaddress 
> comparator-i;ascii-numeric relational regex imap4flags copy include 
> variables body enotify environment mailbox date ihave"
> "NOTIFY" "mailto"
> "SASL" ""
> "STARTTLS"
> "VERSION" "1.0"
> OK "Dovecot ready."
> 
> STARTTLS
> OK "Begin TLS negotiation now."
> 
> -->
> 
> At this point the TLS process does not proceed. When I press CTRL-D I 
> get the following output:
> 
> *** Starting TLS handshake
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>   - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA 
> Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer 
> `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA 
> Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed 
> using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires 
> `2020-06-22 06:58:40 UTC', SHA-1 fingerprint 
> `51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
>          Public Key ID:
>                  165eaaa4b36c091ec8f32103da003a1f43b1c57d
>          Public key's random art:
>                  +--[ RSA 2048]----+
>                  |  .o..           |
>                  |. .o. . E        |
>                  |o..    .. .      |
>                  |= o    . +       |
>                  |+* o  . S        |
>                  |o==. o o         |
>                  | .=o+..          |
>                  |  .ooo           |
>                  |   .o            |
>                  +-----------------+
> 
> - Certificate[1] info:
>   - subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen 
> GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer 
> `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen 
> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using 
> RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03 
> 11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
> - Certificate[2] info:
>   - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA 
> Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer 
> `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen 
> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using 
> RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30 
> 11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
> - Status: The certificate is NOT trusted. The certificate issuer is 
> unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> 
> 
> I have checked the certificate with:
> 
> openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem 
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
> 
> and also with:
> 
> openssl verify -verbose -CAfile 
> /etc/ssl/certs/mail.novanetwork.local.cert.pem 
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
> 
> 
> 
> Does anyone have an idea what could be the cause of the problem and how 
> to fix it?
> 
> Thank you for your kind help.
> 
> best regards
> Andreas
> 
Hi all,

in another posting Stephan Bosch pointed out that there is already a fix:

https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355f7f2fa89f

This small change also resolved my sieve login issue.

best regards
Andreas
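The gnutls-cli transcript in the quoted message carries two separate signals: the handshake did not proceed on its own (the certificate dump only appeared after CTRL-D), and, once it did, gnutls-cli rejected the chain with "The certificate issuer is unknown". The first is the server-side problem the linked Pigeonhole commit addressed; the second is what a client reports when the chain is internally consistent but ends at a private root that is not in its trust store (the "Processed 173 CA certificate(s)" are the system bundle, not the local CA). The following script is an added example, not code from the thread or from the Dovecot project: it parses the certificate section of a gnutls-cli transcript, checks that each certificate's issuer is the next certificate's subject, that the chain ends at a self-signed root, and that every certificate is valid at a reference time, and reports the trust status separately so the two conditions are not confused. The transcript it reads is constructed from the DNs, dates and status line shown in the thread, joined back onto single lines as gnutls-cli prints them.

```python
"""Diagnose a certificate chain from a gnutls-cli handshake transcript.

Added example (not from the original mailing-list post). The transcript
below is CONSTRUCTED from the values quoted in the thread, re-joined onto
single lines in the format gnutls-cli actually emits.
"""
import re
from datetime import datetime, timezone

# Constructed sample transcript: the three certificates and the status line
# from the thread, with the wrapped lines joined back together.
GNUTLS_OUTPUT = """\
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires `2020-06-22 06:58:40 UTC', SHA-1 fingerprint `51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
- Certificate[1] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03 11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
- Certificate[2] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30 11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
"""

# One gnutls-cli certificate line: subject, issuer and the validity window.
CERT_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'.*?"
    r"activated `(?P<activated>[^']*)', expires `(?P<expires>[^']*)'"
)
STATUS_RE = re.compile(r"^- Status: (?P<status>.*)$", re.M)


def parse_ts(value):
    """Turn gnutls-cli's `YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_chain(text):
    """Return the presented chain, leaf first, as a list of dicts."""
    return [
        {
            "subject": m["subject"],
            "issuer": m["issuer"],
            "activated": parse_ts(m["activated"]),
            "expires": parse_ts(m["expires"]),
        }
        for m in CERT_RE.finditer(text)
    ]


def check_chain(certs, now):
    """Structural checks only: linkage, self-signed root, validity at `now`.

    Trust is deliberately NOT decided here; a chain can pass every check
    below and still be rejected because the root is not in the client's store.
    """
    problems = []
    if not certs:
        return ["no certificates found in transcript"]
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert[{i}] issuer does not match cert[{i + 1}] subject")
    root = certs[-1]
    if root["subject"] != root["issuer"]:
        problems.append("last certificate is not self-signed; chain does not end at a root")
    for i, cert in enumerate(certs):
        if not (cert["activated"] <= now <= cert["expires"]):
            problems.append(f"cert[{i}] is not valid at {now:%Y-%m-%d}")
    return problems


def trust_status(text):
    """The client's own verdict, taken from the '- Status:' line."""
    m = STATUS_RE.search(text)
    return m["status"] if m else None


def diagnose(text, now):
    """Combine the structural checks with the client's trust verdict."""
    certs = parse_chain(text)
    status = trust_status(text)
    return {
        "chain_length": len(certs),
        "chain_problems": check_chain(certs, now),
        "trusted_by_client": status is not None and "NOT trusted" not in status,
        "status": status,
    }


if __name__ == "__main__":
    # Reference time: the date of the reply in the thread.
    report = diagnose(GNUTLS_OUTPUT, datetime(2017, 7, 13, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

When the report shows an empty `chain_problems` list alongside `trusted_by_client: False`, the server is sending a complete chain and the fix belongs on the client side: verify against the private CA bundle explicitly (gnutls-cli accepts it via `--x509cafile`, for instance the `/etc/ssl/certs/ca-chain.cert.pem` used with `openssl verify` in the thread) rather than the system store. A non-empty `chain_problems` list instead points at the server's `ssl_cert` file (missing intermediate, wrong order, or an expired certificate), which is the case the thread's `openssl verify` runs had already ruled out.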


