dovecot - Jul 2018 - dovecot 2.3.x, ECC and wildcard certificates, any issues

Hi,

Thanks, good news is that worked. Bad news is it all looks good which
means I do not know hwhy my remote clients can't get their email,
looked like from the logs it was that.

Would 143 be better or 993 for the external clients?

Thanks.
Dave.


On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi>
wrote:
>
>> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com>
wrote:
>>
>>
>> Hello,
>>
>> Does dovecot 2.3.x have any issues recognizing or using certificates
>> that are ECC and wildcard? I'm trying to switch my letsencrypt
>> implementation from acme-client which does not support either of those
>> capabilities to acme.sh which does. Since then external clients
>> checking their email has not worked. A manual telnet to
>> mail.example.com 993 gives a connected message but then nothing no
>> greeting or capabilities.
>>
>> The certificate is for example.com with an alt name of *.example.com
>> if that's not right let me know, i'm not sure about that one,
>> connecting to the web sites of these pages seems noticeably slower,
>> I'm wondering if both of these issues aren't key related?
>>
>> Thanks.
>> Dave.
>
> These both should be fine.
>
> Port 993 is TLS encrypted, you should use openssl s_client -connect
> server:993
>
> Aki
>

You should, in practice, enable both. This gives best client compability. It is
possible you have clients that cannot understand ECC certificates? You can use
ssl_alt_cert to provide RSA cert too.

Aki
> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com>
wrote:
> 
> 
> Hi,
> 
> Thanks, good news is that worked. Bad news is it all looks good which
> means I do not know hwhy my remote clients can't get their email,
> looked like from the logs it was that.
> 
> Would 143 be better or 993 for the external clients?
> 
> Thanks.
> Dave.
> 
> 
> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >
> >> On 30 July 2018 at 19:16 David Mehler <dave.mehler at
gmail.com> wrote:
> >>
> >>
> >> Hello,
> >>
> >> Does dovecot 2.3.x have any issues recognizing or using
certificates
> >> that are ECC and wildcard? I'm trying to switch my letsencrypt
> >> implementation from acme-client which does not support either of
those
> >> capabilities to acme.sh which does. Since then external clients
> >> checking their email has not worked. A manual telnet to
> >> mail.example.com 993 gives a connected message but then nothing no
> >> greeting or capabilities.
> >>
> >> The certificate is for example.com with an alt name of
*.example.com
> >> if that's not right let me know, i'm not sure about that
one,
> >> connecting to the web sites of these pages seems noticeably
slower,
> >> I'm wondering if both of these issues aren't key related?
> >>
> >> Thanks.
> >> Dave.
> >
> > These both should be fine.
> >
> > Port 993 is TLS encrypted, you should use openssl s_client -connect
> > server:993
> >
> > Aki
> >

Hello,

The client in question is the latest version of AquaMail running on android.

Thanks.
Dave.


On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi>
wrote:
> You should, in practice, enable both. This gives best client compability.
It
> is possible you have clients that cannot understand ECC certificates? You
> can use ssl_alt_cert to provide RSA cert too.
>
> Aki
>
>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com>
wrote:
>>
>>
>> Hi,
>>
>> Thanks, good news is that worked. Bad news is it all looks good which
>> means I do not know hwhy my remote clients can't get their email,
>> looked like from the logs it was that.
>>
>> Would 143 be better or 993 for the external clients?
>>
>> Thanks.
>> Dave.
>>
>>
>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> >
>> >> On 30 July 2018 at 19:16 David Mehler <dave.mehler at
gmail.com> wrote:
>> >>
>> >>
>> >> Hello,
>> >>
>> >> Does dovecot 2.3.x have any issues recognizing or using
certificates
>> >> that are ECC and wildcard? I'm trying to switch my
letsencrypt
>> >> implementation from acme-client which does not support either
of those
>> >> capabilities to acme.sh which does. Since then external
clients
>> >> checking their email has not worked. A manual telnet to
>> >> mail.example.com 993 gives a connected message but then
nothing no
>> >> greeting or capabilities.
>> >>
>> >> The certificate is for example.com with an alt name of
*.example.com
>> >> if that's not right let me know, i'm not sure about
that one,
>> >> connecting to the web sites of these pages seems noticeably
slower,
>> >> I'm wondering if both of these issues aren't key
related?
>> >>
>> >> Thanks.
>> >> Dave.
>> >
>> > These both should be fine.
>> >
>> > Port 993 is TLS encrypted, you should use openssl s_client
-connect
>> > server:993
>> >
>> > Aki
>> >
>