How to make IMAPS SSL Cert for Dovecot that works with Thunderbird

hanasaki at gmail.com hanasaki at gmail.com
Wed May 27 05:22:42 EEST 2020


Inline below

On 5/25/20 11:55 AM, Aki Tuomi wrote:
> Sorry...
> 
> openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem
subject=CN = fullHostnameWith.com on the end
MUST-STAPLE <= not present nor 1.3.6....
> 
> and
> 
> openssl s_client -connect host:993
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
...

subject=CN = fullHostnameWith.com on the end
MUST-STAPLE <= not present nor 1.3.6....

> 
> Aki
> 
>> On 25/05/2020 18:52 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>
>>   
>> s_client: Option unknown option -trace
>> ***
>> x509: Unknown parameter text
>>
>>
>> On 5/25/20 11:49 AM, Aki Tuomi wrote:
>>> Hi!
>>>
>>> Can you do
>>>
>>> openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
>>>
>>> and check these things:
>>>
>>> your server hostname is included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
>>>
>>> Also, can you provide output of
>>>
>>> openssl s_client -connect host:993 -trace
>>>
>>> Aki
>>>
>>>> On 25/05/2020 18:46 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>>>
>>>>    
>>>> Hello Aki and all,
>>>>
>>>> The below lines are in the dovecot config file.   This seems to be the
>>>> same as Aki's suggestion. correct?  I have also double checked file
>>>> perms, tried with several new key gens, several versions of thunderbird
>>>> and created completely new thunderbird profiles.
>>>>
>>>> Thank you,
>>>>
>>>> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
>>>> ssl_key = </etc/letsencrypt/live/...../privkey.pem
>>>>
>>>>
>>>> On 5/25/20 11:11 AM, Aki Tuomi wrote:
>>>>> The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers *server* client untrusted.
>>>>>
>>>>> If you are using LE cert you should configure
>>>>>
>>>>> ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
>>>>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
>>>>>
>>>>> Aki
>>>>>
>>>>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>>>>>>
>>>>>>     
>>>>>>    From the config : auth_ssl_require_client_cert = no
>>>>>> GMail empty vcard ... I have no ideas . so sorry.
>>>>>>
>>>>>> Coding snippets.   What can I provide for you that will help?
>>>>>> NOTE: it is pretty much the default  config from Debian.
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>>>>>>>
>>>>>>> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
>>>>>>>> Config has
>>>>>>>>          ssl_verify_client_cert = no
>>>>>>>> What options might have the client auth turned on?
>>>>>>>
>>>>>>> why does gmail attach empty vcard info ?
>>>>>>>
>>>>>>> without any config snippets it's hard to say what config error is local
>>>>>>>
>>>>>>> https://wiki.dovecot.org/SSL/DovecotConfiguration
>>>>>>>
>>>>>>> is it auth_ssl_require_client_cert = yes
>>>>>>>
>>>>>>> I don't use this auth features to make thunderbird work
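
The two certificate checks requested in this thread (server hostname present in SubjectAlternativeNames, no MUST-STAPLE / 1.3.6.1.5.5.7.1.24), as an added shell example that is not part of the original messages. It reads `openssl x509 -text -noout` output on stdin; the function names and the sample text are constructed for illustration.

```shell
# Added example, not from the thread. Input: `openssl x509 -text -noout` on stdin.
# san_matches HOST: succeed if HOST matches a DNS entry in subjectAltName.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$host" ] || return 1
    # OpenSSL prints the SAN values on the line after the extension header.
    sans=$(sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr ',' '\n' |
           sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z')
    while IFS= read -r name; do
        case $name in
            "$host") return 0 ;;
            '*.'*)  # a wildcard stands for exactly one left-most label
                suffix=${name#?}
                rest=${host%"$suffix"}
                case $rest in "$host"|''|*.*) ;; *) return 0 ;; esac ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# has_must_staple: succeed if the certificate carries the must-staple feature.
has_must_staple() {
    out=$(cat)
    # Assumption: builds that do not know the extension print its raw OID.
    printf '%s\n' "$out" | grep -q '1\.3\.6\.1\.5\.5\.7\.1\.24' && return 0
    printf '%s\n' "$out" | sed -n '/TLS Feature/{n;p;}' | grep -q 'status_request'
}

# check_cert_text HOST: report both checks; non-zero exit if either one fails.
check_cert_text() {
    text=$(cat); rc=0
    printf '%s\n' "$text" | san_matches "$1" ||
        { echo "FAIL: $1 not in subjectAltName"; rc=1; }
    if printf '%s\n' "$text" | has_must_staple; then
        echo "FAIL: must-staple set, server has to staple OCSP"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 in subjectAltName, no must-staple"
    return "$rc"
}

# Constructed sample input (trimmed -text output, not a real certificate).
SAMPLE_OK='            X509v3 Subject Alternative Name:
                DNS:mail.example.test, DNS:*.lists.example.test'
SAMPLE_STAPLE="$SAMPLE_OK
            TLS Feature:
                status_request"
printf '%s\n' "$SAMPLE_OK" | check_cert_text mail.example.test
```

Against a real certificate, pipe the command from the thread into it: `openssl x509 -text -noout -in fullchain.pem | check_cert_text your.host.name`.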