Doveadm replicator ssl issues

Aki Tuomi aki.tuomi at open-xchange.com
Wed Nov 20 08:54:03 EET 2019 

On 18.11.2019 22.30, Miro Igov via dovecot wrote:
>
> Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard
> certificates.
>
> Email clients connect fine, https://www.immuniweb.com/ssl/ tests show
> certificates are ok.
>
> However I can’t make replication work when I add ssl = yes.
>
> Without ssl it works ok.
>
>  
>
> I added verbose_ssl  in config and error log shows:
>
> dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept()
> failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol
>
>  
>
> From the other server 149.x.x.x I tested with openssl:
>
>  
>
> openssl s_client -connect 188.x.x.x:12333 –crlf -CAfile
> /etc/pki/tls/cert.pem
>
>  
>
> CONNECTED(00000003)
>
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
>
> verify return:1
>
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
> Limited, CN = Sectigo RSA Organization Validation Secure Server CA
>
> verify return:1
>
> depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier,
> street = 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN =
> *.domain.com
>
> verify return:1
>
>>
>>
> SSL-Session:
>
>     Protocol  : TLSv1.2
>
>     Cipher    : ECDHE-RSA-AES256-SHA384
>
>     Session-ID:
> 95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC
>
>     Session-ID-ctx:
>
>     Master-Key:
> ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F241BD4B3C4B9E1AB6A929
>
>     Key-Arg   : None
>
>     Krb5 Principal: None
>
>     PSK identity: None
>
>     PSK identity hint: None
>
>     Start Time: 1574108251
>
>     Timeout   : 300 (sec)
>
>     Verify return code: 0 (ok)
>
>  
>
> The configuration of the 2 servers below.
>
>  
>
> 188.x.x.x
>
>  
>
> # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
>
> # Pigeonhole version 0.5.8 (b7b03ba2)
>
> # OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
>
> # Hostname: login.domain.com
>
> default_vsz_limit = 512 M
>
> doveadm_password = # hidden, use -P to show it
>
> mail_plugins = " notify replication"
>
> managesieve_notify_capability = mailto
>
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
>
> mbox_write_locks = fcntl
>
> namespace inbox {
>
>   inbox = yes
>
>   location =
>
>   mailbox Drafts {
>
>     special_use = \Drafts
>
>   }
>
>   mailbox Junk {
>
>     special_use = \Junk
>
>   }
>
>   mailbox Sent {
>
>     special_use = \Sent
>
>   }
>
>   mailbox "Sent Messages" {
>
>     special_use = \Sent
>
>   }
>
>   mailbox Trash {
>
>     special_use = \Trash
>
>   }
>
>   prefix =
>
> }
>
> passdb {
>
>   driver = pam
>
> }
>
> plugin {
>
>   mail_replica = tcp:149.x.x.x:12333
>
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>
> }
>
> protocols = imap pop3
>
> replication_full_sync_interval = 10 mins
>
> service aggregator {
>
>   fifo_listener replication-notify-fifo {
>
>     mode = 0666
>
>   }
>
>   unix_listener replication-notify {
>
>     mode = 0666
>
>   }
>
> }
>
> service doveadm {
>
>   inet_listener {
>
>     port = 12333
>
>     ssl = yes
>
>   }
>
> }
>
> service replicator {
>
>   process_min_avail = 1
>
>   unix_listener replicator-doveadm {
>
>     mode = 0666
>
>   }
>
> }
>
> ssl_cert = </etc/dovecot/ssl_chain.pem
>
> ssl_cipher_list =
> ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
>
> ssl_client_ca_file = /etc/pki/tls/cert.pem
>
> ssl_dh = # hidden, use -P to show it
>
> ssl_key = # hidden, use -P to show it
>
> userdb {
>
>   driver = passwd
>
> }
>
> verbose_ssl = yes
>
> local 91.x.x.x {
>
>   protocol imap {
>
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>
>     ssl_key = # hidden, use -P to show it
>
>   }
>
> }
>
> local 91.x.x.x {
>
>   protocol pop3 {
>
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>
>     ssl_key = # hidden, use -P to show it
>
>   }
>
> }
>
>  
>
>  
>
> 149.x.x.x
>
>  
>
>  
>
> # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
>
> # OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
>
> # Hostname: prime.domain.com
>
> auth_mechanisms = plain login
>
> default_vsz_limit = 1 G
>
> disable_plaintext_auth = no
>
> doveadm_password = # hidden, use -P to show it
>
> mail_location = maildir:~/Maildir
>
> mail_plugins = " notify replication"
>
> mbox_write_locks = fcntl
>
> namespace inbox {
>
>   inbox = yes
>
>   location =
>
>   mailbox Archive {
>
>     auto = subscribe
>
>     special_use = \Archive
>
>   }
>
>   mailbox Drafts {
>
>     special_use = \Drafts
>
>   }
>
>   mailbox Junk {
>
>    special_use = \Junk
>
>   }
>
>   mailbox Sent {
>
>     special_use = \Sent
>
>   }
>
>   mailbox "Sent Messages" {
>
>     special_use = \Sent
>
>   }
>
>   mailbox Spam {
>
>     auto = subscribe
>
>     special_use = \Junk
>
>   }
>
>   mailbox Trash {
>
>     special_use = \Trash
>
>   }
>
>   prefix =
>
> }
>
> passdb {
>
>   args = session=yes setcred=yes failure_show_msg=yes dovecot
>
>   driver = pam
>
> }
>
> plugin {
>
>   mail_replica = tcp:188.x.x.x:12333
>
> }
>
> protocols = imap pop3
>
> replication_full_sync_interval = 10 mins
>
> replication_max_conns = 11
>
> service aggregator {
>
>   fifo_listener replication-notify-fifo {
>
>     mode = 0666
>
>   }
>
>   unix_listener replication-notify {
>
>     mode = 0666
>
>   }
>
> }
>
> service auth {
>
>   unix_listener /var/spool/postfix/private/auth {
>
>     group = postfix
>
>     mode = 0666
>
>     user = postfix
>
>   }
>
> }
>
> service doveadm {
>
>   inet_listener {
>
>     port = 12333
>
>     ssl = yes
>
>   }
>
> }
>
> service replicator {
>
>   process_min_avail = 1
>
>   unix_listener replicator-doveadm {
>
>     mode = 0666
>
>   }
>
> }
>
> ssl_cert = </etc/dovecot/ssl_chain.pem
>
> ssl_cipher_list =
> ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
>
> ssl_client_ca_file = /etc/pki/tls/cert.pem
>
> ssl_dh = # hidden, use -P to show it
>
> ssl_key = # hidden, use -P to show it
>
> userdb {
>
>   driver = passwd
>
> }
>
> protocol imap {
>
>   mail_max_userip_connections = 50
>
> }
>
> protocol pop3 {
>
>   pop3_uidl_format = %08Xu%08Xv
>
> }
>
> local 178.x.x.x {
>
>   protocol imap {
>
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>
>     ssl_key = # hidden, use -P to show it
>
>   }
>
> }
>
> local 178.x.x.x {
>
>   protocol pop3 {
>
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>
>     ssl_key = # hidden, use -P to show it
>
>   }
>
> }
>
>  
>
>  
>
>  
>
>

Hi!

You need to use tcps in mail_replica.

Aki

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20191120/b5b6447e/attachment-0001.html>

More information about the dovecot mailing list