Dovecot can't connect to openldap over starttls
info at gwarband.de
Mon Mar 20 21:33:51 EET 2017
The user "dovecot" can access and read the cert.
Here is the console output:
https://gwarband.de/openldap/dovecot-certs.log
So I think there is nothing that prevents Dovecot from accessing the file.
Tobias
On 2017-03-20 20:14, Tomas Habarta wrote:
> Actually, I likely managed to replicate the problem itself.
> I've observed the described behavior (timeout with connection error) only
> if Dovecot's tls_ca_cert_file provided either a non-existent file or
> there was no read access to the existing file -- found during review
> after sending my last post, as I run CentOS, not Debian, and didn't adjust
> the path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when
> setting that up.
>
> Anyway, ldapsearch uses the same library as Dovecot so if ldapsearch
> works, Dovecot _simply_ must work as well ;)
>
> As mentioned, I normally run CentOS, where /etc/ssl/certs has SELinux
> security context; don't you by any chance run something similar which
> may prevent Dovecot from accessing the file?
>
> I tested on Debian 8 with the standard repo software (same versions you
> reported), even tried 2.2.27 from backports too, and all worked ok, so
> there seems to be nothing wrong with either piece of software at all, just
> some little thing in the configuration...
>
>
> Tomas
>
>
> On 03/20/2017 02:04 PM, info at gwarband.de wrote:
>> I've tested your solution, but it also gives the same error.
>> I've tested all combinations of:
>> - tls_ca_cert_file = <cert>
>> - tls = yes
>> - tls_require_cert = demand
>>
>> Every time it says "Connection error".
>> Only when tls is uncommented does it say "TLS required".
>>
>> Additional information from my contact with the openldap-technical
>> mailing list:
>> The ldapsearch under the user dovecot with -ZZ works fine.
>> And they mention that the ldap.conf and dovecot-ldap.conf should have
>> no differences; that is correct, there are no differences.
>> Here is a link to the ldap.conf
>> https://gwarband.de/openldap/ldap.conf
>> And the output of ldapsearch under dovecot:
>> https://gwarband.de/openldap/ldapsearch-dovecot.log
>>
>> Tobias
>>
>> On 2017-03-20 11:00, Tomas Habarta wrote:
>>> I've finally managed to get that running on a Debian 8 test machine by
>>> commenting out the
>>> tls_ca_cert_file =
>>> option in dovecot-ldap.conf, so only
>>> tls = yes
>>> tls_require_cert = demand
>>>
>>> Not sure why that is, as on my CentOS 6 Dovecot works even with that
>>> commented option. Maybe CentOS and Debian use different ldap
>>> libraries or different versions, or there's another peculiarity ...
>>>
>>> Anyway, when tls_require_cert = demand is set, cite:
>>> --
>>> With a setting of demand the certificate is requested and a valid
>>> certificate must be provided, otherwise the session is immediately
>>> terminated.
>>> --
>>>
>>> As that option doesn't provide any source, it is taken from
>>> /etc/ldap/ldap.conf on Debian, and if it's missing there, the Dovecot
>>> client times out validating the provided certificate with
>>>
>>> imap-login: Error: Timeout waiting for handshake from auth server.
>>> imap-login: Disconnected: Auth process broken (disconnected before auth
>>> was ready, waited 30 secs)
>>>
>>>
>>>
>>> Tomas
>>>
>>>
>>> On 03/18/2017 02:22 PM, info at gwarband.de wrote:
>>>> The server log of openldap with loglevel "any":
>>>> https://gwarband.de/openldap/openldap-connect.log
>>>> Note: openldap waits 1 minute after the connect before it says "TLS
>>>> negotiation failure", and dovecot immediately says "Connect error".
>>>>
>>>> I've also deleted the TLSCipherSuite from openldap.
>>>>
>>>> Tobias
>>>>
>>>> On 2017-03-18 14:01, Tomas Habarta wrote:
>>>>> Increase the log level on the server side as well to see what the
>>>>> server says...
>>>>> You may remove anything in TLSCipherSuite for the purpose of testing
>>>>> too.
>>>>>
>>>>> Hopefully anyone knowing OpenLDAP internals could help you analyse it
>>>>> more deeply.
>>>>>
>>>>> Tomas
>>>>>
>>>>> On 03/18/2017 01:31 PM, info at gwarband.de wrote:
>>>>>> I've replicated the settings from ldapsearch to dovecot, but no
>>>>>> success.
>>>>>> Regarding the certificate:
>>>>>> Yes, it's a *.crt file, but I have linked the *.pem file to it and
>>>>>> dovecot has read access to that file.
>>>>>>
>>>>>> I have enabled the debugging in dovecot and have uploaded the
>>>>>> output:
>>>>>> https://gwarband.de/openldap/dovecot-connect.log
>>>>>>
>>>>>> And the other side with ldapsearch:
>>>>>> https://gwarband.de/openldap/ldapsearch-connect.log
>>>>>>
>>>>>> I'm pretty sure that there is a problem with the SSL handshake
>>>>>> between openldap and dovecot, but I can't find the source of the
>>>>>> problem.
>>>>>>
>>>>>> One of the steps in the SSL handshake is not successful, but in the
>>>>>> debugging output I can't find any line hinting at it.
>>>>>>
>>>>>> Tobias
>>>>>>
>>>>>> On 2017-03-18 12:30, Tomas Habarta wrote:
>>>>>>> Well, if ldapsearch works, try to replicate its settings for the
>>>>>>> dovecot client.
>>>>>>> It's not obvious what settings ldapsearch uses; have a look at the
>>>>>>> default client settings in /etc/openldap/ldap.conf, there may be
>>>>>>> something set a slightly different way.
>>>>>>> Also double check permissions for files used by dovecot, I mean
>>>>>>> mainly the file listed for tls_ca_cert_file, as dovecot may not
>>>>>>> have access for reading...
>>>>>>>
>>>>>>> I cannot see anything downright bad, just the posted CA cert (which
>>>>>>> is ok, tested) is *.crt and your config mentions *.pem, but I
>>>>>>> consider it the same file.
>>>>>>>
>>>>>>> Finally, I would recommend enabling the debug option for dovecot's
>>>>>>> client, debug_level = -1 (which logs all available), in your
>>>>>>> dovecot-ldap.conf to see what the library reports and work further
>>>>>>> on that.
>>>>>>> You can compare with the output from ldapsearch by adding the -d-1
>>>>>>> switch to it.
>>>>>>>
>>>>>>> Hard to tell more at the moment.
>>>>>>>
>>>>>>>
>>>>>>> Tomas
>>>>>>>
>>>>>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have also installed LE certs.
>>>>>>>> But nothing helps; I have double-checked all certs.
>>>>>>>>
>>>>>>>> ldapsearch with -ZZ works see:
>>>>>>>> https://gwarband.de/openldap/ldapsearch.log
>>>>>>>>
>>>>>>>> I have also uploaded the TLSCACertificateFile, maybe I have a
>>>>>>>> failure in the merge of the two files:
>>>>>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>>>>>
>>>>>>>> And also I have uploaded my complete openldap configuration:
>>>>>>>> https://gwarband.de/openldap/openldap.conf
>>>>>>>>
>>>>>>>> All other components can work and communicate with my openldap
>>>>>>>> server.
>>>>>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>>>>>>
>>>>>>>> My installed software is:
>>>>>>>> Debian 8
>>>>>>>> OpenLDAP 2.4.40
>>>>>>>> Dovecot 2.2.13
>>>>>>>>
>>>>>>>> I hope you can find the issue.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Tobias
>>>>>>>>
>>>>>>>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
>>>>>>>>> the unix socket on the same machine, but tried over inet with
>>>>>>>>> STARTTLS and it's working ok...
>>>>>>>>>
>>>>>>>>> I would suggest double-checking the key/certs setup on the OpenLDAP
>>>>>>>>> side; for the test I have used LE certs, utilizing the following
>>>>>>>>> cn=config attributes:
>>>>>>>>>
>>>>>>>>> olcTLSCertificateKeyFile contains the private key
>>>>>>>>> olcTLSCertificateFile contains the certificate
>>>>>>>>> olcTLSCACertificateFile contains both certs (DST Root CA X3
>>>>>>>>> and Let's Encrypt Authority X3)
>>>>>>>>>
>>>>>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>>>>>>
>>>>>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles,
>>>>>>>>> or ... ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hope that helps, good luck ;)
>>>>>>>>> Tomas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>>>>>>>> Hello guys,
>>>>>>>>>>
>>>>>>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>>>>>>> password checks.
>>>>>>>>>> My openldap only allows access over "secure ldap".
>>>>>>>>>> Dovecot can communicate with the openldap server, but there may
>>>>>>>>>> be a failure in the SSL handshake.
>>>>>>>>>> You can find additional information in the logs or in the dump
>>>>>>>>>> below.
>>>>>>>>>> I also have my ldap config from dovecot in the links below.
>>>>>>>>>>
>>>>>>>>>> I have already created a bug report in the openldap system, but
>>>>>>>>>> the answer was to get support from here.
>>>>>>>>>>
>>>>>>>>>> All data links:
>>>>>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>>>>>>
>>>>>>>>>> The bug report link from openldap:
>>>>>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>>>>>>
>>>>>>>>>> I hope you can help me.
>>>>>>>>>>
>>>>>>>>>> Regards.
>>>>>>>>>> Tobias Warband
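Added example, not code from this thread or from the Dovecot or OpenLDAP projects: a small Python preflight that runs the checks the thread converges on before Dovecot's auth process is even started. It parses the `key = value` syntax of dovecot-ldap.conf and the `KEY value` syntax of libldap's ldap.conf, then reports the failure modes discussed above: tls_ca_cert_file pointing at a file that does not exist or is not readable by the calling user (the case Tomas reproduced, where Dovecot only shows a connection error and a 30-second auth timeout), a CA bundle whose merge of two files went wrong (unequal BEGIN/END markers), tls_require_cert = demand with no CA to verify against, and the two files disagreeing on a value the openldap-technical list said should be identical. The correspondence between Dovecot keys and ldap.conf keys is an assumption of the example, as are the constructed temporary files and the placeholder PEM text, which is not a real certificate.

```python
"""Preflight check for Dovecot's LDAP STARTTLS settings.

Added example (not Dovecot's or OpenLDAP's code). It checks what the thread
ends up suspecting: tls_ca_cert_file missing or unreadable, a CA bundle whose
merge went wrong, and dovecot-ldap.conf disagreeing with /etc/ldap/ldap.conf.
"""
import os
import tempfile

# Assumed correspondence between dovecot-ldap.conf keys and the libldap keys
# in /etc/ldap/ldap.conf that should carry the same value.
DOVECOT_TO_LDAPCONF = {
    "tls_ca_cert_file": "TLS_CACERT",
    "tls_ca_cert_dir": "TLS_CACERTDIR",
    "tls_require_cert": "TLS_REQCERT",
}


def parse_dovecot_ldap_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def parse_ldap_conf(text):
    """Parse libldap 'KEY value' lines; keys are case-insensitive, so upper-case them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def pem_marker_counts(path):
    """Count BEGIN/END CERTIFICATE markers; unequal counts mean a botched merge."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (data.count(b"-----BEGIN CERTIFICATE-----"),
            data.count(b"-----END CERTIFICATE-----"))


def check_tls(dovecot, ldapconf, readable=os.access):
    """Return a list of findings; an empty list means nothing obviously wrong.

    `readable` is injectable so the unreadable-file case can be exercised
    without chmod (root ignores mode bits anyway). For a real check, run this
    as the user Dovecot's auth process runs as, since that is whose
    os.access() result matters.
    """
    findings = []
    if dovecot.get("tls", "no").lower() != "yes":
        findings.append("tls is not 'yes': STARTTLS is never negotiated")
    ca = dovecot.get("tls_ca_cert_file", "")
    if ca:
        if not os.path.exists(ca):
            findings.append(f"tls_ca_cert_file {ca} does not exist")
        elif not readable(ca, os.R_OK):
            findings.append(f"tls_ca_cert_file {ca} is not readable by this user")
        else:
            begins, ends = pem_marker_counts(ca)
            if begins == 0 or begins != ends:
                findings.append(f"tls_ca_cert_file {ca}: {begins} BEGIN / {ends} END "
                                "markers, not a clean PEM bundle")
    elif (dovecot.get("tls_require_cert", "").lower() == "demand"
          and not ldapconf.get("TLS_CACERT")):
        findings.append("tls_require_cert = demand but no CA file in "
                        "dovecot-ldap.conf or ldap.conf to verify against")
    for dkey, lkey in DOVECOT_TO_LDAPCONF.items():
        dval, lval = dovecot.get(dkey), ldapconf.get(lkey)
        if dval and lval and dval != lval:
            findings.append(f"{dkey} = {dval} in dovecot-ldap.conf but "
                            f"{lkey} {lval} in ldap.conf")
    return findings


def run_scenarios():
    """Constructed scenarios (temporary files, placeholder PEM), one per failure mode."""
    pem = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"
    base = "hosts = ldap.example.org\ntls = yes\ntls_require_cert = demand\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ca = os.path.join(tmp, "ca.pem")
        broken = os.path.join(tmp, "broken.pem")
        with open(ca, "wb") as fh:
            fh.write(pem)
        with open(broken, "wb") as fh:  # second cert lost its END marker in the merge
            fh.write(pem + b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n")
        ldapconf = parse_ldap_conf(f"TLS_CACERT {ca}\nTLS_REQCERT demand\n")
        conf = lambda extra: parse_dovecot_ldap_conf(base + extra)
        results["good"] = check_tls(conf(f"tls_ca_cert_file = {ca}\n"), ldapconf)
        results["missing_ca"] = check_tls(conf(f"tls_ca_cert_file = {tmp}/no-such.pem\n"), ldapconf)
        results["unreadable_ca"] = check_tls(conf(f"tls_ca_cert_file = {ca}\n"), ldapconf,
                                             readable=lambda path, mode: False)
        results["botched_bundle"] = check_tls(conf(f"tls_ca_cert_file = {broken}\n"), ldapconf)
        results["demand_without_ca"] = check_tls(conf(""), parse_ldap_conf("TLS_REQCERT demand\n"))
    return results


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or ['ok']}")
```

On a real host, point check_tls at the parsed contents of /etc/dovecot/dovecot-ldap.conf and /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf on CentOS, the path difference that bit Tomas) and run it with `sudo -u dovecot`, because a file root can read may still be invisible to the auth process; on SELinux hosts a denied read shows up the same way, so check the audit log too if os.access says yes but Dovecot still fails. The script does not replace `ldapsearch -ZZ` as the dovecot user, which exercises the actual handshake; it only rules out the local misconfigurations first.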