Denis Iskandarov
2011-Jun-13 13:42 UTC
[Dovecot] SSL communication problems with client side.
I can get messages without SSL with no problems, but I need to set up the server to accept only SSL secured connections.
I think my configuration is very proper, but I can't find the "obvious" problem.
Postfix 2.3.3 + dovecot 2.0.13-1_129.el5 + PostfixAdmin 2.3.3
I made my own CA and configured postfix and dovecot with the same cert, key and CA.
I gave the same public cert to the client, just converted to PKCS#12.
I can't understand the valid and invalid cert strings in the log, they look the same.
You can check the logs and config below.

Also some other questions regarding SSL:
1. How to make the client MUA (Thunderbird) automatically retrieve the certificate? My Thunderbird can't do it by itself, so I'm importing the mail cert myself.
2. If I want to set up Roundcube/Squirrelmail webmail clients with TLS support (https), do I have to provide them with the same certificates as dovecot and postfix have? Or in this case can I use whatever certificate is dedicated for the "virtualhost"?

dovecot-deliver.log:
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 auth: Info: LOGIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 imap-login: Info: Disconnected (client sent an invalid cert): method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, TLS

maillog:
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate request A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.0.11]

# doveconf -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-238.9.1.el5 i686 CentOS release 5.6 (Final) ext3
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_ssl_require_client_cert = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /var/log/dovecot-deliver.log
dict {
  expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 12
first_valid_uid = 1001
hostname = mx.office.dev
info_log_path = /var/log/dovecot-deliver.log
last_valid_gid = 12
last_valid_uid = 1001
listen = *
mail_debug = yes
mail_gid = 12
mail_location = maildir:/home/vmail/%d/%u
mail_plugins = quota
mail_privileged_group = mail
mail_uid = 1001
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
plugin {
  autocreate = Trash
  autocreate2 = Spam
  autosubscribe = Trash
  autosubscribe2 = Spam
}
postmaster_address = postmaster at office.dev
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/CA/mail/mx.office.dev.crt
ssl_key = </etc/pki/CA/mail/mx.office.dev.key
ssl_verify_client_cert = yes
userdb {
  args = /etc/dovecot/conf.d/sql/sql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  mail_plugins = quota autocreate
}
protocol imap {
  imap_client_workarounds = delay-newmail
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

Denis Iskandarov
2011-Jun-13 14:44 UTC
[Dovecot] SSL communication problems with client side.
I've tried the next thing:

ssl = required
ssl_verify_client_cert = no
auth_ssl_require_client_cert = no

And began getting emails. Successful logs attached. But I can't understand if the data was passed with TLS.
How can I enable those 2 options, "ssl_verify_client_cert" and "auth_ssl_require_client_cert", and get them working?

dovecot-deliver.log:
Jun 13 14:40:17 lda: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:17 lda: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:17 lda: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:17 lda: Debug: auth input: test at office.dev home=/home/vmail/office.dev/test/ mail=maildir:/home/vmail/office.dev/test/ uid=1001 gid=12 quota=maildir:storage=10240000
Jun 13 14:40:17 lda: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:17 lda: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:17 lda(test at office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:17 lda(test at office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args
Jun 13 14:40:17 lda(test at office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:17 lda(test at office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:17 lda(test at office.dev): Debug: quota: No quota setting - plugin disabled
Jun 13 14:40:17 lda(test at office.dev): Debug: none: root=, index=, control=, inbox
Jun 13 14:40:17 lda(test at office.dev): Debug: Destination address: test at office.dev (source: user at hostname)
Jun 13 14:40:17 auth: Info: mysql(localhost): Connected to database postfix
Jun 13 14:40:17 lda(test at office.dev): Info: msgid=<20110613104017.30B331B09AB at mx.office.dev>: saved mail to INBOX
Jun 13 14:40:27 imap-login: Info: Login: user=<test at office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7927, TLS
Jun 13 14:40:27 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:27 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:27 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:27 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:27 imap(test at office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:27 imap(test at office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args
Jun 13 14:40:27 imap(test at office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:27 imap(test at office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:37 imap-login: Info: Login: user=<test at office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7929, TLS
Jun 13 14:40:37 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:37 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:37 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:37 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:37 imap(test at office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:37 imap(test at office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args
Jun 13 14:40:37 imap(test at office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:37 imap(test at office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1
Jun 13 14:40:38 imap-login: Info: Login: user=<test at office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7931, TLS
Jun 13 14:40:38 imap: Debug: Loading modules from directory: /usr/lib/dovecot
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib10_quota_plugin.so
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib11_imap_quota_plugin.so
Jun 13 14:40:38 imap: Debug: Module loaded: /usr/lib/dovecot/lib20_autocreate_plugin.so
Jun 13 14:40:38 imap: Debug: Added userdb setting: mail=maildir:/home/vmail/office.dev/test/
Jun 13 14:40:38 imap: Debug: Added userdb setting: plugin/quota=maildir:storage=10240000
Jun 13 14:40:38 imap(test at office.dev): Debug: Effective uid=1001, gid=12, home=/home/vmail/office.dev/test/
Jun 13 14:40:38 imap(test at office.dev): Debug: Quota root: name=storage=10240000 backend=maildir args
Jun 13 14:40:38 imap(test at office.dev): Debug: maildir++: root=/home/vmail/office.dev/test, index=, control=, inbox=/home/vmail/office.dev/test
Jun 13 14:40:38 imap(test at office.dev): Debug: Namespace : Using permissions from /home/vmail/office.dev/test: mode=0700 gid=-1

maillog:
Jun 13 14:40:17 cent56dev postfix/smtpd[7912]: connect from mx.office.dev[127.0.0.1]
Jun 13 14:40:17 cent56dev postfix/smtpd[7912]: 30B331B09AB: client=mx.office.dev[127.0.0.1]
Jun 13 14:40:17 cent56dev postfix/cleanup[7920]: 30B331B09AB: message-id=<20110613104017.30B331B09AB at mx.office.dev>
Jun 13 14:40:17 cent56dev postfix/qmgr[5910]: 30B331B09AB: from=<postfix at office.dev>, size=461, nrcpt=1 (queue active)
Jun 13 14:40:17 cent56dev postfix/smtpd[7912]: disconnect from mx.office.dev[127.0.0.1]
Jun 13 14:40:17 cent56dev postfix/pipe[7921]: 30B331B09AB: to=<test at office.dev>, relay=dovecot, delay=0.27, delays=0.04/0.03/0/0.2, dsn=2.0.0, status=sent (delivered via dovecot service)
Jun 13 14:40:17 cent56dev postfix/qmgr[5910]: 30B331B09AB: removed
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 14:40:27 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:37 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.11]
Jun 13 14:40:38 cent56dev dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.11]

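An added example, not part of the original posts: a small Python parser for the log formats shown in both messages. It separates verdict and reason from the subject DN in the `Valid certificate` / `Invalid certificate` lines, reads the trailing `TLS` flag on `imap-login` session lines, and checks the `verbose_ssl` state names for a client-certificate request. The function names are hypothetical, and one sample line is constructed, as marked in the code.

```python
import re
from collections import defaultdict

# Lines 1-7 and 9-10 are copied from the logs in the posts above. Line 8 is
# constructed for contrast (assumption: no trailing "TLS" means plaintext).
SAMPLE_LOG = """\
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Invalid certificate: unable to get certificate CRL: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/L=Tbilisi/O=Caucasus Digital Network/OU=Caucasus Digital Network/CN=Caucasus Digital Network/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 imap-login: Info: Valid certificate: /C=GE/ST=Tbilisi/O=Caucasus Digital Network/OU=Mail Server/CN=mx.office.dev/emailAddress=hostmaster at office.dev
Jun 13 13:26:42 auth: Info: PLAIN(?,192.168.0.11): Client didn't present valid SSL certificate
Jun 13 13:26:42 imap-login: Info: Disconnected (client sent an invalid cert): method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, TLS
Jun 13 14:40:27 imap-login: Info: Login: user=<test at office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7927, TLS
Jun 13 14:41:02 imap-login: Info: Login: user=<test at office.dev>, method=PLAIN, rip=192.168.0.11, lip=192.168.0.31, mpid=7940
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate request A [192.168.0.11]
Jun 13 13:26:42 cent56dev dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.11]
"""

CERT_RE = re.compile(
    r"imap-login: Info: (?P<verdict>Valid|Invalid) certificate: "
    r"(?:(?P<reason>[^/]+?): )?(?P<dn>/.+)$")
SESSION_RE = re.compile(
    r"imap-login: Info: (?P<event>Login|Disconnected)"
    r"(?: \((?P<why>[^)]*)\))?: (?P<fields>.*)$")

# Explanation for the one OpenSSL verification message that appears on this page.
HINTS = {
    "unable to get certificate CRL":
        "CRL checking is on and the verifier had no CRL from this "
        "certificate's issuer (OpenSSL X509_V_ERR_UNABLE_TO_GET_CRL).",
}


def cert_verdicts(lines):
    """Map certificate CN -> [(verdict, reason), ...] in log order."""
    out = defaultdict(list)
    for line in lines:
        m = CERT_RE.search(line)
        if m:
            cn = re.search(r"/CN=([^/]+)", m["dn"])
            key = cn.group(1) if cn else m["dn"]
            out[key].append((m["verdict"], m["reason"]))
    return dict(out)


def session_events(lines):
    """Parse imap-login Login/Disconnected lines, including the TLS flag."""
    events = []
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue
        parts = [p.strip() for p in m["fields"].split(",")]
        event = dict(p.split("=", 1) for p in parts if "=" in p)
        event.update(event=m["event"], why=m["why"], tls="TLS" in parts)
        events.append(event)
    return events


def handshake_facts(lines):
    """From verbose_ssl state names: was a client cert requested and proven?"""
    text = "\n".join(lines)
    return {
        "client_cert_requested": "write certificate request" in text,
        "client_proved_key": "read certificate verify" in text,
    }


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for cn, verdicts in cert_verdicts(log).items():
        for verdict, reason in verdicts:
            print(f"{cn}: {verdict} {reason or ''} {HINTS.get(reason, '')}".rstrip())
    for ev in session_events(log):
        print(ev["event"], ev.get("user", "?"),
              "TLS" if ev["tls"] else "plaintext", ev["why"] or "")
    print(handshake_facts(log))
```

On the sample, both subject DNs get the same pair of verdicts, and the only difference between the "Invalid" and "Valid" lines is the reason field, here a missing CRL rather than a bad certificate. Dovecot's SSL documentation states that the `ssl_ca` file should contain the CA certificate(s) followed by the matching CRL(s).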