On Sun, 15 Nov 2020 17:31:07 -0500
Mike Schroeder <mikeschroe at gmail.com> wrote:
> CentOS 7
> Dovecot 2.2.36
>
> Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs):
> user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> SSL_accept() failed:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> session=<>
>
> Was working fine for over a year, until the cert expired and I
> replaced it. I've tried the good cert I have for https and I used the
> Dovecot.org script to generate a self-signed certificate.
>
> 10-ssl.conf
> ## SSL settings
> #ssl = required
> ssl = yes
> #ssl = no
> ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt
> ssl_key = </etc/pki/dovecot/private/mydomain.com.key
> #ssl_ca =
> #ssl_require_crl = yes
> #ssl_client_ca_dir =
> #ssl_client_ca_file =
> #ssl_verify_client_cert = no
> #ssl_cert_username_field = commonName
> #ssl_dh_parameters_length = 1024
> #ssl_protocols = !SSLv3
>
> # SSL ciphers to use
> # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
>
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
> # SSL extra options. Currently supported options are:
> # no_compression - Disable compression.
> # no_ticket - Disable SSL session tickets.
> #ssl_options =
> ==========================
> # openssl x509 -dates -in mydomain.com.crt
> notBefore=Nov 11 16:31:35 2020 GMT
> notAfter=Nov 11 16:31:35 2022 GMT
> -----BEGIN CERTIFICATE-----
> :
> ==========================
> # openssl pkey -in mydomain.com.key
> -----BEGIN PRIVATE KEY-----
> :
>
> Thanks for taking a look. Any ideas on what I should do next to
> debug?
>
> Mike
I remembered this problem was posted and still had the reply post from
Viktor. This may or may not be relevant. A search on this text will
probably drag up the whole thread.
---------------
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
support ECDSA. You'd need an additional RSA certificate to interoperate
with their sending MTA's limited STARTTLS cipher/protocol repertoire.
--------------
When this thread went around I looked at my logs and found some no
auth complaints in my dovecot log. I believe they were trying to use
sslv3 to hack my server, or at least see if it is hackable. Since
my email server is a personal one and the attack was from a hosting
company, I blocked the server IP space.
The weird thing is that I get your error now myself, but not consistently. Here
is an example.
-------------------------------
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs):
user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL
alert number 46, session=<rXchrDG06qvGx2p9>
Nov 16 04:18:37 imap-login: Info: Login: user=<me at mydomain.com>,
method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS,
session=<DSIjrDG05KvGx2p9>
However the problem isn't present at the moment.