Dovecot can't connect to openldap over starttls

info at gwarband.de info at gwarband.de
Sat Mar 18 15:22:20 EET 2017


The server log of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 minute before it says "TLS negotiation failure" 
after the connect, and dovecot says "Connect error" immediately.

I've also deleted the TLSCipherSuite from openldap.

Tobias

Am 2017-03-18 14:01, schrieb Tomas Habarta:
> Increase log level on server side as well to see what the server 
> says...
> You may remove anything in TLSCipherSuite for the purpose of testing 
> too.
> 
> Hopefully anyone knowing OpenLDAP internals could help you analyse it
> more deeply.
> 
> Tomas
> 
> On 03/18/2017 01:31 PM, info at gwarband.de wrote:
>> I've replicated the settings from ldapsearch to dovecot but no 
>> success.
>> To the certificate:
>> Yes, it's a *.crt file, but I have linked the *.pem file to it, and 
>> dovecot has read access to that file.
>> 
>> I have enabled the debugging in dovecot and have uploaded the output:
>> https://gwarband.de/openldap/dovecot-connect.log
>> 
>> And the other side with ldapsearch:
>> https://gwarband.de/openldap/ldapsearch-connect.log
>> 
>> I'm pretty sure that there is a problem with the SSL handshake 
>> between openldap and dovecot, but I can't find the source of the problem.
>> 
>> One of the steps in the SSL handshake does not succeed, but in the
>> debugging output I can't find any line with a hint about it.
>> 
>> Tobias
>> 
>> Am 2017-03-18 12:30, schrieb Tomas Habarta:
>>> Well, if ldapsearch works, try to replicate its settings for the dovecot
>>> client.
>>> It's not obvious what settings ldapsearch uses; have a look at the 
>>> default client settings in /etc/openldap/ldap.conf, there may be 
>>> something set in a slightly different way.
>>> Also double-check permissions for files used by dovecot, I mean 
>>> mainly the file listed for tls_ca_cert_file, as dovecot may not have 
>>> read access to it...
>>> 
>>> I cannot see anything downright bad; just the posted CA cert (which 
>>> is ok, tested) is *.crt and your config mentions *.pem, but I assume 
>>> it's the same file.
>>> 
>>> Finally, I would recommend enabling the debug option for dovecot's 
>>> client,
>>>     debug_level = -1 (which logs everything available), in your 
>>> dovecot-ldap.conf
>>> to see what the library reports and work further from that.
>>> You can compare with the output from ldapsearch by adding the -d-1 
>>> switch to it.
>>> 
>>> Hard to tell more at the moment.
>>> 
>>> 
>>> Tomas
>>> 
>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>>>> Hello,
>>>> 
>>>> I have also installed LE certs.
>>>> But nothing helps; I have double-checked all certs.
>>>> 
>>>> ldapsearch with -ZZ works, see:
>>>> https://gwarband.de/openldap/ldapsearch.log
>>>> 
>>>> I have also uploaded the TLSCACertificateFile, maybe I have a 
>>>> failure in
>>>> the merge of the two files:
>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>> 
>>>> And also I have uploaded my complete openldap configuration:
>>>> https://gwarband.de/openldap/openldap.conf
>>>> 
>>>> All other components can work and communicate with my openldap 
>>>> server.
>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>> 
>>>> My installed software is:
>>>> Debian 8
>>>> OpenLDAP 2.4.40
>>>> Dovecot 2.2.13
>>>> 
>>>> I hope you can find the issue.
>>>> 
>>>> Thanks,
>>>> Tobias
>>>> 
>>>> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>>>> Hi,
>>>>> 
>>>>> I've been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally 
>>>>> over the
>>>>> unix socket on the same machine, but tried over inet with STARTTLS 
>>>>> and
>>>>> it's working ok...
>>>>> 
>>>>> I would suggest double-checking the key/certs setup on the OpenLDAP 
>>>>> side; for
>>>>> the test I have used LE certs, utilizing the following cn=config
>>>>> attributes:
>>>>> 
>>>>> olcTLSCertificateKeyFile    contains private key
>>>>> olcTLSCertificateFile        contains certificate
>>>>> olcTLSCACertificateFile        contains both certs (DST Root CA X3
>>>>>                 and Let's Encrypt Authority X3)
>>>>> 
>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>> 
>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or 
>>>>> ... ?
>>>>> 
>>>>> 
>>>>> 
>>>>> Hope that helps, good luck ;)
>>>>> Tomas
>>>>> 
>>>>> 
>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>>>> Hello guys,
>>>>>> 
>>>>>> currently I'm trying to configure dovecot to access openldap for
>>>>>> password checking.
>>>>>> My openldap only allows access over "secure ldap".
>>>>>> Dovecot can communicate with the openldap server, but there is
>>>>>> maybe
>>>>>> a failure in the SSL handshake.
>>>>>> Additional information can be found in the logs or in the dump 
>>>>>> below.
>>>>>> Also, my ldap config from dovecot is in the links below.
>>>>>> 
>>>>>> I have already created a bug report in the openldap system, 
>>>>>> but
>>>>>> the answer was to get support from here.
>>>>>> 
>>>>>> All datalinks:
>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>> 
>>>>>> The bug report link from openldap:
>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>> 
>>>>>> I hope you can help me.
>>>>>> 
>>>>>> Regards.
>>>>>> Tobias Warband
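As an added example (not code from the thread or from either project), a small Python checker for the two points the thread keeps returning to: whether the two Let's Encrypt chain files were merged into one clean PEM bundle for olcTLSCACertificateFile / tls_ca_cert_file, and whether dovecot-ldap.conf and /etc/openldap/ldap.conf actually name the same CA file. Only the PEM structure is checked, not the certificate contents; the sample bodies in the test are constructed placeholders, not real certificates.

```python
import base64, re
from typing import List, Optional, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_bundle(text: str) -> Tuple[int, List[str]]:
    """Structural check of a concatenated PEM CA bundle (e.g. two chain
    certs merged into one file). Returns (complete certs, problems)."""
    problems: List[str] = []
    count, inside, body = 0, False, []
    if "\r" in text:
        problems.append("CRLF line endings present (convert to LF)")
    for n, line in enumerate(text.split("\n"), 1):
        s = line.strip()
        if s == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN while previous cert still open")
            inside, body = True, []
        elif s == END:
            if not inside:
                problems.append(f"line {n}: END without matching BEGIN")
            else:
                count += 1
                try:  # body must be base64; the DER inside is not inspected
                    if not base64.b64decode("".join(body), validate=True):
                        problems.append(f"cert {count}: empty body")
                except ValueError:
                    problems.append(f"cert {count}: body is not valid base64")
            inside = False
        elif BEGIN in s or END in s:
            # Typical bad merge: END of the first file glued to BEGIN of the second
            problems.append(f"line {n}: PEM marker not on its own line")
            inside, body = s.endswith(BEGIN), []
        elif inside:
            body.append(s)
    if inside:
        problems.append("last certificate has no END marker")
    return count, problems

def ca_file_from_dovecot_conf(text: str) -> Optional[str]:
    """tls_ca_cert_file value from dovecot-ldap.conf, or None if unset."""
    m = re.search(r"^\s*tls_ca_cert_file\s*=\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def ca_file_from_ldap_conf(text: str) -> Optional[str]:
    """TLS_CACERT value from /etc/openldap/ldap.conf (keys are case-insensitive)."""
    m = re.search(r"^\s*TLS_CACERT\s+(\S+)", text, re.M | re.I)
    return m.group(1) if m else None
```

If the two config functions return different paths, or the bundle reports a glued marker or CRLF endings, that is the first thing to fix before comparing debug_level = -1 output against ldapsearch -d-1.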