Hello people,

After a lot of wading through the dovecot documentation (which, btw, is excellent! Everything lies under "dovecot/doc/wiki"), I managed to authenticate a couple of accounts. For starters, I want dovecot to work as an imap/imaps box and nothing else.

So, I went ahead and created a "passwd" file with two users. One user being my name (spyros) with a plaintext password and the other user "postmaster" with an encrypted password ("/etc/dovecot/passwd" shown):

---
spyros@webmail.domain.gr:{PLAIN}plainpassword
postmaster@webmail.domain.gr:{SSHA}SSHAPassword
---

Now, if I telnet to port 143 with both users, the system comes back with the following:

---
[root@webmail dovecot]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready
. login spyros@webmail.domain.gr password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in
---

As I said, it allows login on port 143 for both users. So, the same for "postmaster".

Now for port 993:

---
[root@webmail dovecot]# openssl s_client -connect webmail.domain.gr:993
[lots of SSL-related certificate information]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready
. login spyros@webmail.domain.gr password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in
---

Again, the same for user "postmaster". I don't paste it. So, everything is fine.

However, I have an issue with the (?!) issued certificate.
If I check the dovecot logs I find nothing. If, on the other hand, I do the same check in the Horde application, it comes back with the following:

---
* Trying protocol imap/notls, Port 143:
SUCCESS - INBOX has 0 messages (0 new 0 recent)

* Trying protocol imap/ssl, Port 993:
ERROR - The server returned the following error message:
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN[SERVERBUG] Internal error occurred. Refer to server log for more information.
[2010-01-05 13:30:12] Certificate failure for localhost: self signed certificate: /C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP server/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr

* Trying protocol imap/ssl/novalidate-cert, Port 993:
SUCCESS - INBOX has 0 messages (0 new 0 recent)

* Trying protocol imap/tls/novalidate-cert, Port 143:
SUCCESS - INBOX has 0 messages (0 new 0 recent)
---

Now, I know I am not supposed to ask you chaps about this, but direct my questions to the horde mailing list. However, I would like an opinion before I go ahead and bug them with this.

The certificate was created with "dovecot/doc/mkcert.sh" and the relevant certificate file (can't recall its name at the moment).

Any help would be appreciated. On the other hand, if I went too far with this I apologize and I'll try to find another way to resolve this.

Thank you people,

s.
On Tue, 5 Jan 2010, Spyros Tsiolis wrote:

> If, on the other hand, I do the same check in the Horde application, it comes back with the following:
>
> * Trying protocol imap/notls, Port 143:
>
> SUCCESS - INBOX has 0 messages (0 new 0 recent)
>
> * Trying protocol imap/ssl, Port 993:
>
> ERROR - The server returned the following error message:
>
> SECURITY PROBLEM: insecure server advertised AUTH=PLAIN[SERVERBUG] Internal error occurred. Refer to server log for more
> information. [2010-01-05 13:30:12] Certificate failure for localhost: self signed certificate:
> /C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP
> server/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr

You access the cert of webmail.domain.gr via a host named localhost.
If Horde runs on the same host, just disable SSL :-)

> * Trying protocol imap/ssl/novalidate-cert, Port 993:
>
> SUCCESS - INBOX has 0 messages (0 new 0 recent)
>
> * Trying protocol imap/tls/novalidate-cert, Port 143:
>
> SUCCESS - INBOX has 0 messages (0 new 0 recent)

There is one missing: imap/tls, Port 143, but I suppose it will bark as well.

Actually, it looks like a Dovecot message ("Refer to server log for more information"), but then the error message should be in the log for the openssl test as well, I guess.

Do you have the SSL cert in the cert store of OpenSSL, usually /etc/ssl/certs? That way you trust the cert. If Horde barks on the cert, this should help (first part of the error message: "PROBLEM: insecure server advertised").
Regards,
-- 
Steffen Kaiser
On Thu, 7 Jan 2010, Spyros Tsiolis wrote:

>>> signed certificate:
>>> /C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP
>>> server/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr
>>
>> You access the cert of webmail.domain.gr via a host named
>> localhost.
>> If Horde runs on the same host, just disable SSL :-)
>
> . . . because SSL is for remote hosts (clients) on the network anyway,
> right?

Well, there might be scenarios when a local user other than root may sniff the connection on localhost, but I think you have no such one. So to encrypt a connection from localhost to localhost is a waste of resources. In case of Dovecot you'll need one extra file descriptor (and, depending on your settings, one extra process as well), plus the CPU time to actually do the encryption.

> Yeah. The certificate is there. Under "/etc/ssl/certs".
> I was thinking that maybe because the system (and the certificate
> issuer, horde and dovecot are on the same box. You ask me somewhere
> about that) is all-in-one, I need to import the certificate somewhere?

See above for the reason.

> The dovecot wiki says that importing the certificate is only applicable
> to the client side (evolution, thunderbird and so on).

The webmail frontend _is_ your client in the view of Dovecot. But since the cert is in /etc/ssl/certs, it should work; yet if you validate the cert, the webmail may bark, because you access the SSL cert with the CN "webmail.domain.gr" by another name, "localhost". This is a sign of a man-in-the-middle attack, actually.

BTW: Do your SSL IMAP/POP clients also use the name "webmail.domain.gr"? Otherwise they will get a warning as well, maybe each time they connect.
Regards,
-- 
Steffen Kaiser
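Two client-side checks come up in this thread: Horde's "insecure server advertised AUTH=PLAIN" complaint from the first post, and Steffen's point that a certificate issued to the CN "webmail.domain.gr" does not match a connection to "localhost" (which is exactly what a client must treat as a possible man-in-the-middle). The script below is an added example, not code from the thread and not Horde's or Dovecot's own logic: it runs both checks on inputs copied from the thread (the subject DN as Horde logged it and the two Dovecot greetings). It assumes Python 3, the one-line "/K=V" subject form, and, for cleartext channels, the strict rule that a plaintext password is never sent before TLS is up; Horde's actual rule may differ.

```python
import re

# Constructed sample inputs, copied from the thread: the subject DN as Horde
# logged it, and the greeting lines Dovecot sent on ports 143 and 993.
LOGGED_SUBJECT = ("/C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP server"
                  "/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr")
GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                "STARTTLS AUTH=PLAIN] Dovecot ready")
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                "AUTH=PLAIN] Dovecot ready")


def parse_subject_dn(dn):
    """Split an OpenSSL one-line subject ('/K=V/K=V...') into a dict.
    This form cannot carry a '/' inside a value, which is fine for a
    mkcert.sh-style cert but not for arbitrary DNs."""
    fields = {}
    for part in dn.split("/"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def hostname_matches(connect_host, subject_cn):
    """Compare the name the client connected to with the certificate CN,
    case-insensitively, allowing one leftmost wildcard label
    ('*.domain.gr' matches 'imap.domain.gr' but not 'domain.gr').
    Modern clients check subjectAltName first; a mkcert.sh-era cert only
    carries a CN, so that is what is checked here."""
    host = connect_host.rstrip(".").lower()
    cn = subject_cn.rstrip(".").lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return host == cn


def parse_capabilities(greeting):
    """Return the capability tokens from an IMAP greeting's
    [CAPABILITY ...] response code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    if m is None:
        raise ValueError("greeting carries no CAPABILITY response code")
    return set(m.group(1).split())


def plaintext_auth_is_safe(greeting, tls_active):
    """Decide whether LOGIN / AUTH=PLAIN may be used on this channel.
    Returns (ok, reason). On a TLS channel (993, or 143 after STARTTLS)
    a plaintext mechanism is fine; on a cleartext channel it is refused
    whatever the server advertises, and the reason says what to do."""
    caps = parse_capabilities(greeting)
    if tls_active:
        return True, "channel is TLS-protected"
    if "STARTTLS" in caps:
        return False, "cleartext channel and STARTTLS is offered: upgrade first"
    if "LOGINDISABLED" in caps:
        return False, "server refuses LOGIN on cleartext: TLS is mandatory"
    return False, "cleartext channel: the password would cross the wire in the clear"


def preflight(connect_host, subject_dn, greeting, tls_active):
    """Run both checks the way a careful IMAP client would before
    sending credentials, and report the findings."""
    cn = parse_subject_dn(subject_dn).get("CN", "")
    auth_ok, auth_reason = plaintext_auth_is_safe(greeting, tls_active)
    return {
        "hostname_ok": hostname_matches(connect_host, cn),
        "certificate_cn": cn,
        "auth_ok": auth_ok,
        "auth_reason": auth_reason,
    }


if __name__ == "__main__":
    # The situation from the thread: Horde talks to 'localhost' on 993,
    # but the certificate was issued for webmail.domain.gr.
    for host in ("localhost", "webmail.domain.gr"):
        print(host, preflight(host, LOGGED_SUBJECT, GREETING_993, tls_active=True))
    # Port 143 before STARTTLS: the server offers the upgrade, so refuse LOGIN.
    print("143 cleartext", plaintext_auth_is_safe(GREETING_143, tls_active=False))
```

Run as-is, the localhost case reports hostname_ok False with auth_ok True, which is the same split Horde showed: the channel on 993 is fine, the name is not. Pointing the webmail at "webmail.domain.gr" instead of "localhost" (or reissuing the cert with a CN or subjectAltName that includes the name actually used) is what makes the first check pass.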