Hi, I have been trying to set up dovecot over SSL for the last couple of days, unsuccessfully.
My notes are from here: http://wiki.dovecot.org/SSL

My OpenSSL commands are:

mkdir -pv /opt/certificates/dovecot/
cd !$

(just to prevent questions about Common Name)
[ebal at myhome:~]? hostname
myhome

openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
# Country Name (2 letter code) [AU]:GR
# State or Province Name (full name) [Some-State]:Athens
# Locality Name (eg, city) []:Aigaleo
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
# Organizational Unit Name (eg, section) []:Mail Apps
# Common Name (eg, YOUR name) []:myhome
# Email Address []:ebalaskas at ebalaskas.gr

openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
  -name "dovecot Certificate Client" -out dovecot.p12

openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign

I've imported the dovecot.p12 to thunderbird certificates and dovecot.crt to thunderbird authorities
(I've tried claws mail too - same errors)

My dovecot.conf is this:

[root at myhome dovecot]# dovecot -n
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686 ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
ssl_key_file: /opt/certificates/dovecot/dovecot.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX
mail_debug: yes
lda:
  postmaster_address: ebalaskas at ebalaskas.gr
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd

My /var/log/dovecot.log:

Jul 30 20:14:52 Info: Dovecot v1.2.2 starting up (core dumps disabled)
Jul 30 20:14:52 Info: Generating Diffie-Hellman parameters for the first time. This may take a while..
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5872
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5873
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5874
Jul 30 20:15:16 ssl-build-param: Info: SSL parameters regeneration completed
Jul 30 20:15:17 auth(default): Info: new auth connection: pid=5898
Jul 30 20:15:18 imap-login: Info: Disconnected (client didn't send a cert): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Any ideas?

Evaggelos Balaskas
Unix System Engineer - http://ebalaskas.gr/wiki
Informatics Engineer Technological Education
On Thu, 2009-07-30 at 20:37 +0300, Evaggelos Balaskas wrote:

> openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days
> 1825

I guess this is ok, but to prevent confusion let's say these were client.crt and client.key instead.

> # Country Name (2 letter code) [AU]:GR
> # State or Province Name (full name) [Some-State]:Athens
> # Locality Name (eg, city) []:Aigaleo
> # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
> # Organizational Unit Name (eg, section) []:Mail Apps
> # Common Name (eg, YOUR name) []:myhome
> # Email Address []:ebalaskas at ebalaskas.gr
>
> openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
> -name "dovecot Certificate Client" -out dovecot.p12

Again client.crt, client.key here.

> openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out
> dovecot.crl -selfsign

What do you do with the dovecot.crl here? It's a client CRL and unless you add it to Dovecot's CRL list it's not necessary. Also the -selfsign is ignored.

> I've imported the dovecot.p12 to thunderbird certificates and
> dovecot.crt to thunderbird authorities
> (i've tried claws mail too - same errors)

OK.

> ssl_ca_file: /opt/certificates/dovecot/dovecot.crl

This is probably where the problem is. This file must contain the CA certificate and the CRL, not just the CRL. And initially the CRL should be empty.

> ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
> ssl_key_file: /opt/certificates/dovecot/dovecot.key

And I hope these dovecot.* files aren't the same you just generated for the client?
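To make the reply's two points concrete (ssl_ca_file must hold the CA certificate plus an initially empty CRL, and the server's dovecot.crt/dovecot.key must not be the client's certificate), here is an added POSIX sh example that is not from the thread or the Dovecot project: it builds a throwaway CA, separate server and client certificates, an empty CRL, and the CA+CRL bundle, then checks the client certificate against that bundle the way Dovecot's handshake would. All names (Example Mail CA, myhome, ebal, dovecot-ca.pem) and the working directory are assumptions.

```shell
# Minimal PKI for Dovecot client-cert auth (hypothetical names; WORK defaults to
# a temp dir): CA, server cert, client cert, empty CRL, and the CA+CRL bundle.
set -e
build_pki() {
    WORK="${1:-$(mktemp -d)}"
    ( set -e; cd "$WORK"
      # Just enough config for 'openssl ca -gencrl' (database + crlnumber).
      cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = .
database = $dir/index.txt
certificate = $dir/ca.crt
private_key = $dir/ca.key
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
EOF
      touch index.txt; echo 01 > crlnumber
      # 1. The CA: the one certificate the mail client imports as an authority.
      openssl req -new -x509 -nodes -days 1825 -subj "/CN=Example Mail CA" \
          -addext "basicConstraints=critical,CA:TRUE" -config ca.cnf \
          -keyout ca.key -out ca.crt 2>/dev/null
      # 2. Server cert (ssl_cert_file/ssl_key_file); CN = hostname clients use.
      openssl req -new -nodes -subj "/CN=myhome" -config ca.cnf \
          -keyout dovecot.key -out dovecot.csr 2>/dev/null
      openssl x509 -req -in dovecot.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 825 -out dovecot.crt 2>/dev/null
      # 3. Client cert from the same CA, packed as PKCS#12 for the MUA.
      openssl req -new -nodes -subj "/CN=ebal" -config ca.cnf \
          -keyout client.key -out client.csr 2>/dev/null
      openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 365 -out client.crt 2>/dev/null
      openssl pkcs12 -export -in client.crt -inkey client.key \
          -passout pass:changeit -name "client" -out client.p12
      # 4. Empty CRL signed by the CA key, then CA cert + CRL in one PEM file.
      openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
      cat ca.crt ca.crl > dovecot-ca.pem )
    echo "$WORK"
}
# Approximates Dovecot's handshake check: does $1/client.crt chain to the CA
# in bundle $2 and stay off its CRL? Exit 0 means the login would proceed.
verify_client() {
    openssl verify -crl_check -CAfile "$2" "$1/client.crt" >/dev/null 2>&1
}
```

Pointing ssl_ca_file at dovecot-ca.pem (and ssl_cert_file/ssl_key_file at dovecot.crt/dovecot.key) reproduces the layout the reply describes; running verify_client against ca.crl alone, as the original configuration effectively did, fails because no issuer certificate can be found.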