"no shared cypher", no matter what I try

Aki Tuomi aki.tuomi at open-xchange.com
Sat Dec 8 12:36:12 EET 2018


> On 08 December 2018 at 12:03 Marco Fioretti <marco.fioretti at gmail.com> wrote:
> 
> 
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
> 
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
> 
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
> 
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
> 
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
> 
> ssl_cert = </etc/letsencrypt/live/MYSERVERNAME/fullchain.pem
> ssl_key =  </etc/letsencrypt/live/MYSERVERNAME/privkey.pem
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
> 
> any pointer to what to check or change next is VERY welcome.
> 
> Thanks in advance,
> Marco
> 
> #################################################
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept()
> failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher, session=<knICtX98UK4vNZ88>
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs
> 
> #################################################
> dovecot --version
> 2.2.36 (1f10bfa63)
> 
> 
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core)  ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols?

Is your certificate an ECC certificate?

Aki
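As an added illustration (not part of the thread), the Python script below feeds Marco's `ssl_cipher_list` through the local OpenSSL library and shows why Aki's question matters: with an ECC certificate the server can only use ECDSA-authenticated suites, so a client that offers only RSA-authenticated suites ends up with an empty intersection, which OpenSSL reports as "no shared cipher". The client cipher string is a constructed stand-in for an old client, and `+MEDIUM` is assumed where the post shows the value cut off as `+MEDIU`.

```python
"""Model why a TLS server logs "no shared cipher": the client's offered
suites and the server's usable suites (its cipher list, narrowed to what
its certificate key type can authenticate) have an empty intersection."""
import re
import ssl


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL library and
    return {suite name: authentication algorithm} for TLS <= 1.2 suites.
    TLS 1.3 suites are skipped: they are certificate-type agnostic and did
    not exist for the OpenSSL 1.0.2 / Dovecot 2.2 setup in the post."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like "... Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD"
        au = re.search(r"Au=(\S+)", c["description"]).group(1)
        suites[c["name"]] = au
    return suites


def negotiable(server_cipher_list, cert_auth, client_cipher_list):
    """Suites both sides could agree on. `cert_auth` is the server key type
    as OpenSSL names it in Au= ("RSA" for an RSA certificate, "ECDSA" for an
    ECC one); a suite is only usable by the server if its Au matches it."""
    server = {n for n, au in enabled_suites(server_cipher_list).items()
              if au == cert_auth}
    client = set(enabled_suites(client_cipher_list))
    return sorted(server & client)


# ssl_cipher_list from the post; "+MEDIUM" is assumed (the post shows "+MEDIU").
# Note that "+HIGH:+MEDIUM" only reorders suites already enabled by "ALL".
SERVER_LIST = "ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIUM"
# Constructed stand-in for an old client that offers only RSA-authenticated suites.
OLD_CLIENT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA"

if __name__ == "__main__":
    for cert in ("RSA", "ECDSA"):
        common = negotiable(SERVER_LIST, cert, OLD_CLIENT)
        print(f"{cert} certificate: {common or 'no shared cipher'}")
```

Swapping `OLD_CLIENT` for the cipher string of the client actually in use (or for `ssl_cipher_list` values suggested in forum tips) shows at a glance whether a change can help before touching the server.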