thr3ads.net - dovecot - Unexpected config results with local

If this information is useful, please help other people find it:
Share via:

David Favor

2018-Feb-25 16:31 UTC

Unexpected config results with local_name + multiple SSL certs

Working with SSL on fresh install of latest Ubuntu Artful + Dovecot
seems broken somehow.

Application is Dovecot listening for many SSL sites...

Likely I've missed adding something simple to the config, related
to local_name usage.

Be great if someone can point out what I've missed, to setup
multiple SSL certs for different host.domain entries in config.

Thanks.
_______

This works as expected... where the SNI server name is returned...

#local_name imap.cydec.com {
    ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
#}

service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
subject=/CN=imap.cydec.com
_______

This fails...

local_name imap.cydec.com {
    ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
}

service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
# Empty, so no servername match
_______

Full openssl output shows no cert being returned...

service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com
CONNECTED(00000004)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 199 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1519576210
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
---

_______

Config seems correct, with local_name uncommented...

dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
   inbox = yes
   location    mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix }
passdb {
   args = dovecot
   driver = pam
}
protocols = " imap pop3"
service imap-login {
   inet_listener imap {
     port = 0
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service pop3-login {
   inet_listener pop3 {
     port = 0
   }
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
}
userdb {
   driver = passwd
}
local_name imap.cydec.com {
   ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
   ssl_key =  # hidden, use -P to show it
}

David Favor

2018-Mar-09 21:47 UTC

head link

Unexpected config results with local_name + multiple SSL certs

David Favor wrote:> Working with SSL on fresh install of latest Ubuntu Artful + Dovecot
> seems broken somehow.
> 
> Application is Dovecot listening for many SSL sites...
> 
> Likely I've missed adding something simple to the config, related
> to local_name usage.
> 
> Be great if someone can point out what I've missed, to setup
> multiple SSL certs for different host.domain entries in config.
> 
> Thanks.
> _______
> 
> This works as expected... where the SNI server name is returned...
> 
> #local_name imap.cydec.com {
>    ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
>    ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
> #}
> 
> service dovecot restart && echo QUIT | openssl s_client -connect 
> imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
> subject=/CN=imap.cydec.com
> _______
> 
> This fails...
> 
> local_name imap.cydec.com {
>    ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
>    ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
> }
> 
> service dovecot restart && echo QUIT | openssl s_client -connect 
> imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
> # Empty, so no servername match
> _______
> 
> Full openssl output shows no cert being returned...
> 
> service dovecot restart && echo QUIT | openssl s_client -connect 
> imap.cydec.com:993 -servername imap.cydec.com
> CONNECTED(00000004)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 199 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1519576210
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
> 
> _______
> 
> Config seems correct, with local_name uncommented...
> 
> dovecot -n
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
> auth_debug = yes
> auth_debug_passwords = yes
> auth_verbose = yes
> debug_log_path = /var/log/dovecot.log
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot.log
> log_path = /var/log/dovecot.log
> mail_debug = yes
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> namespace inbox {
>   inbox = yes
>   location >   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix > }
> passdb {
>   args = dovecot
>   driver = pam
> }
> protocols = " imap pop3"
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service pop3-login {
>   inet_listener pop3 {
>     port = 0
>   }
>   inet_listener pop3s {
>     port = 995
>     ssl = yes
>   }
> }
> userdb {
>   driver = passwd
> }
> local_name imap.cydec.com {
>   ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
>   ssl_key =  # hidden, use -P to show it
> }
Be great if someone has suggestions of how to fix this.

Thanks.

@lbutlr

2018-Mar-10 03:58 UTC

head link

Unexpected config results with local_name + multiple SSL certs

On 2018-02-25 (09:31 MST), David Favor <david at davidfavor.com>
wrote:> 
> }
> local_name imap.cydec.com {
>  ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
>  ssl_key =  # hidden, use -P to show it
> }
Doesn't this still require a default t(top level) cert besides the one
specified for local_name?

Also, is there any reason to use local_name if your local name matches your
server? the point is to be able to provide a cert for example.org when your
domain is example.com, right?

-- 
Don't congratulate yourself too much, or berate yourself either. You
choices are half chance; so are everybody else's.

Aki Tuomi

2018-Mar-10 05:37 UTC

head link

Unexpected config results with local_name + multiple SSL certs

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 10 March 2018 at 05:58 "@lbutlr" <
    <a
href="mailto:kremels@kreme.com">kremels@kreme.com</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    On 2018-02-25 (09:31 MST), David Favor <
    <a
href="mailto:david@davidfavor.com">david@davidfavor.com</a>>
wrote:
   </div>
   <blockquote type="cite">
    <div>
     }
    </div>
    <div>
     local_name imap.cydec.com {
    </div>
    <div>
     ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
    </div>
    <div>
     ssl_key = # hidden, use -P to show it
    </div>
    <div>
     }
    </div>
   </blockquote>
   <div>
    Doesn't this still require a default t(top level) cert besides the one
specified for local_name?
   </div>
   <div>
    <br>
   </div>
   <div>
    Also, is there any reason to use local_name if your local name matches your
server? the point is to be able to provide a cert for example.org when your
domain is example.com, right?
   </div>
   <div>
    <br>
   </div>
   <div>
    --
   </div>
   <div>
    Don't congratulate yourself too much, or berate yourself either. You
   </div>
   <div>
    choices are half chance; so are everybody else's.
   </div>
   <div>
    <br>
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   A default cert is always needed. If you have only one certificate don't
use local_name.
  </div>
  <div class="io-ox-signature">
   ---
   <br>Aki Tuomi
  </div> 
 </body>
</html>

Maybe Matching Threads

Search for more apparently analagous threads

dovecot - Feb 2018 - Unexpected config results with local_name + multiple SSL certs

Unexpected config results with local_name + multiple SSL certs

Unexpected config results with local_name + multiple SSL certs

Unexpected config results with local_name + multiple SSL certs

Unexpected config results with local_name + multiple SSL certs

Maybe Matching Threads