[SOLVED] Doveadm replicator ssl issues

Miro Igov miro.igov at gmail.com
Wed Nov 20 12:05:18 EET 2019


Solved, thank you. TCPS was the issue.

 

From: Aki Tuomi <aki.tuomi at open-xchange.com> 
Sent: Wednesday, November 20, 2019 08:54
To: Miro Igov <miro.igov at gmail.com>; dovecot at dovecot.org
Subject: Re: Doveadm replicator ssl issues

 

 

On 18.11.2019 22.30, Miro Igov via dovecot wrote:

Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard
certificates.

Email clients connect fine, https://www.immuniweb.com/ssl/ tests show
certificates are ok. 

However I can't make replication work when I add ssl = yes.

Without ssl it works ok.

 

I added verbose_ssl  in config and error log shows:

dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

 

From the other server 149.x.x.x I tested with openssl:

 

openssl s_client -connect 188.x.x.x:12333 -crlf -CAfile /etc/pki/tls/cert.pem

 

CONNECTED(00000003)

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA

verify return:1

depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier, street = 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN = *.domain.com

verify return:1

.

.

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-SHA384

    Session-ID:
95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC

    Session-ID-ctx:

    Master-Key:
ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F2
41BD4B3C4B9E1AB6A929

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1574108251

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

 

The configuration of the 2 servers below.

 

188.x.x.x

 

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf

# Pigeonhole version 0.5.8 (b7b03ba2)

# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)

# Hostname: login.domain.com

default_vsz_limit = 512 M

doveadm_password = # hidden, use -P to show it

mail_plugins = " notify replication"

managesieve_notify_capability = mailto

managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext

mbox_write_locks = fcntl

namespace inbox {

  inbox = yes

  location =

  mailbox Drafts {

    special_use = \Drafts

  }

  mailbox Junk {

    special_use = \Junk

  }

  mailbox Sent {

    special_use = \Sent

  }

  mailbox "Sent Messages" {

    special_use = \Sent

  }

  mailbox Trash {

    special_use = \Trash

  }

  prefix =

}

passdb {

  driver = pam

}

plugin {

  mail_replica = tcp:149.x.x.x:12333

  sieve = file:~/sieve;active=~/.dovecot.sieve

}

protocols = imap pop3

replication_full_sync_interval = 10 mins

service aggregator {

  fifo_listener replication-notify-fifo {

    mode = 0666

  }

  unix_listener replication-notify {

    mode = 0666

  }

}

service doveadm {

  inet_listener {

    port = 12333

    ssl = yes

  }

}

service replicator {

  process_min_avail = 1

  unix_listener replicator-doveadm {

    mode = 0666

  }

}

ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED

ssl_client_ca_file = /etc/pki/tls/cert.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

userdb {

  driver = passwd

}

verbose_ssl = yes

local 91.x.x.x {

  protocol imap {

    ssl_cert = </etc/dovecot/ssl_chain.pem

    ssl_key = # hidden, use -P to show it

  }

}

local 91.x.x.x {

  protocol pop3 {

    ssl_cert = </etc/dovecot/ssl_chain.pem

    ssl_key = # hidden, use -P to show it

  }

}

 

 

149.x.x.x

 

 

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf

# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)

# Hostname: prime.domain.com

auth_mechanisms = plain login

default_vsz_limit = 1 G

disable_plaintext_auth = no

doveadm_password = # hidden, use -P to show it

mail_location = maildir:~/Maildir

mail_plugins = " notify replication"

mbox_write_locks = fcntl

namespace inbox {

  inbox = yes

  location =

  mailbox Archive {

    auto = subscribe

    special_use = \Archive

  }

  mailbox Drafts {

    special_use = \Drafts

  }

  mailbox Junk {

   special_use = \Junk

  }

  mailbox Sent {

    special_use = \Sent

  }

  mailbox "Sent Messages" {

    special_use = \Sent

  }

  mailbox Spam {

    auto = subscribe

    special_use = \Junk

  }

  mailbox Trash {

    special_use = \Trash

  }

  prefix =

}

passdb {

  args = session=yes setcred=yes failure_show_msg=yes dovecot

  driver = pam

}

plugin {

  mail_replica = tcp:188.x.x.x:12333

}

protocols = imap pop3

replication_full_sync_interval = 10 mins

replication_max_conns = 11

service aggregator {

  fifo_listener replication-notify-fifo {

    mode = 0666

  }

  unix_listener replication-notify {

    mode = 0666

  }

}

service auth {

  unix_listener /var/spool/postfix/private/auth {

    group = postfix

    mode = 0666

    user = postfix

  }

}

service doveadm {

  inet_listener {

    port = 12333

    ssl = yes

  }

}

service replicator {

  process_min_avail = 1

  unix_listener replicator-doveadm {

    mode = 0666

  }

}

ssl_cert = </etc/dovecot/ssl_chain.pem

ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED

ssl_client_ca_file = /etc/pki/tls/cert.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

userdb {

  driver = passwd

}

protocol imap {

  mail_max_userip_connections = 50

}

protocol pop3 {

  pop3_uidl_format = %08Xu%08Xv

}

local 178.x.x.x {

  protocol imap {

    ssl_cert = </etc/dovecot/ssl_chain.pem

    ssl_key = # hidden, use -P to show it

  }

}

local 178.x.x.x {

  protocol pop3 {

    ssl_cert = </etc/dovecot/ssl_chain.pem

    ssl_key = # hidden, use -P to show it

  }

}

 

 

 

 

 

Hi!

You need to use tcps in mail_replica.

Aki
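
An added example, not part of the original thread and not Dovecot project code: a small check that compares the mail_replica scheme on one host with the doveadm inet_listener on its peer, the mismatch behind the "unknown protocol" handshake error above (a plaintext tcp: connection arriving at an ssl = yes listener). The function names are hypothetical, the sample configs are constructed from the doveconf -n output in the thread, and only the tcp:/tcps: host:port form with an explicit port is handled.

```python
# Constructed samples, trimmed from the doveconf -n output quoted in the thread.
PEER_CONF = """service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
"""
LOCAL_BROKEN = "plugin {\n  mail_replica = tcp:149.x.x.x:12333\n}\n"
LOCAL_FIXED = "plugin {\n  mail_replica = tcps:149.x.x.x:12333\n}\n"

def parse_settings(conf_text):
    """Flatten doveconf -n style text into (block_path, key, value) tuples."""
    stack, out = [], []
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            out.append((tuple(stack), key.strip(), value.strip()))
    return out

def doveadm_tls_ports(conf_text):
    """Map each doveadm inet_listener port to True when that listener has ssl = yes."""
    listeners = {}
    for path, key, value in parse_settings(conf_text):
        if path[:1] == ("service doveadm",) and path[-1].startswith("inet_listener"):
            listeners.setdefault(path, {})[key] = value
    return {int(s["port"]): s.get("ssl") == "yes" for s in listeners.values() if "port" in s}

def check_replica(local_conf, peer_conf):
    """Return a finding when mail_replica's scheme disagrees with the peer's listener."""
    tls_ports = doveadm_tls_ports(peer_conf)
    for _path, key, value in parse_settings(local_conf):
        scheme, _, rest = value.partition(":")
        port = rest.rpartition(":")[2]
        if key != "mail_replica" or scheme not in ("tcp", "tcps") or not port.isdigit():
            continue
        expects_tls = tls_ports.get(int(port))
        if expects_tls is not None and expects_tls != (scheme == "tcps"):
            want = "tcps" if expects_tls else "tcp"
            return f"mail_replica uses {scheme}: but peer port {port} expects {want}:"
    return None
```

Feed it the `doveconf -n` output of each host in both directions, since replication connects both ways.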
