Hi,
I have an fc18 system with postfix and dovecot-2.1.13 and have
configured them to use sasl for SMTP Auth and Maildir with imaps.
The system is running now, so I'm trying to set up thunderbird to
autodetect all settings during the initial account setup. However, it
seems to want to use port 143 and STARTTLS, and not port 993, which is
what I would expect. When I force it to use 993, I receive a
certificate failure message:
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: initializing the server-side TLS engine
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: connect from unknown[192.168.1.43]
Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.43, lip=66.111.222.101, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<BGBS5MXXhQDAqAEr>
Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: lost connection after CONNECT from unknown[192.168.1.43]
These are self-signed certs created using dovecot's mkcert.sh script.
Is this a problem with the cert or with the dovecot configuration?
Is it conventional to use port 143 for encrypted IMAP connections
these days, and not just 993?
I'm finding that port 25 works with TLS and postfix now too, not just
port 587, so I'm really confused.
I've included my doveconf output below. I'd appreciate it if someone
could review it for me to be sure.
# 2.1.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.8.1-201.fc18.x86_64 x86_64 Fedora release 18 (Spherical Cow) ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 2000
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_location = maildir:/home/%u/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
process_min_avail = 20
service_count = 0
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
driver = passwd
}
protocol lda {
info_log_path = /var/log/dovecot-lda.log
log_path = /var/log/dovecot-lda-errors.log
}
protocol imap {
mail_max_userip_connections = 100
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
Thanks,
Alex
Hi,

> I have an fc18 system with postfix and dovecot-2.1.13 and have
> configured them to use sasl for SMTP Auth and Maildir with imaps.
>
> The system is running now, so I'm trying to set up thunderbird to
> autodetect all settings during the initial account setup. However, it
> seems to want to use port 143 and STARTTLS, and not port 993, which is
> what I would expect. When I force it to use 993, I receive a
> certificate failure message:
>
> Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: initializing
> the server-side TLS engine
> Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: open smtpd TLS cache
> btree:/var/lib/postfix/smtpd_tls_session_cache
> Mar 12 23:20:45 propnew postfix/tlsmgr[14425]: tlsmgr_cache_run_event:
> start TLS smtpd session cache cleanup
> Mar 12 23:20:45 propnew postfix/submission/smtpd[14423]: connect from
> unknown[192.168.1.43]
> Mar 12 23:20:45 propnew dovecot: imap-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=192.168.1.43, lip=66.111.222.101,
> TLS: SSL_read() failed: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number
> 42, session=<BGBS5MXXhQDAqAEr>

After doing a bit more research, it looks like it's failing because
Thunderbird doesn't prompt to accept the self-signed certificate during
the "auto config" part of the setup, so just falls back to using port
143. Although I think it's still using TLS on 143. I'm really hoping
someone can help me to clarify more specifically what's going on here.

Thanks,
Alex
Charles Marcus
2013-Mar-13 10:26 UTC
[Dovecot] Dovecot with sasl/imaps/postfix and thunderbird
On 2013-03-13 12:37 AM, Alex <mysqlstudent at gmail.com> wrote:
> Is it conventional to use port 143 for encrypted IMAP connections
> these days, and not just 993?

Port 143 uses STARTTLS, port 993 uses SSL/TLS... been that way for a
long time, and yes there is a (slight) difference. STARTTLS *begins* as
an unencrypted session, but immediately negotiates the encrypted
session. SSL is encrypted from the very beginning of the connection.

> I'm finding that port 25 works with TLS and postfix now too, not just
> port 587, so I'm really confused.

Both ports 25 and 587 have always worked with STARTTLS... although
unless you have a very, very specific need, you will never FORCE
STARTTLS on port 25, unlike port 587 where you (should) always
*require* it.

-- 
Best regards,
Charles
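As an added illustration of Charles's point (this code is not from the thread, Dovecot or Thunderbird; it uses only Go's standard library, a loopback socket, and a throwaway self-signed cert for the hostname "propnew" taken from Alex's log), the block below runs the same TLS handshake both ways, 993-style and 143-style via STARTTLS, once against a client that has no reason to trust the cert, which is what produces the "sslv3 alert bad certificate: SSL alert number 42" line Dovecot logged, and once against a client that has accepted it:

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert for host "propnew" (a stand-in for the mkcert.sh output).
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"propnew"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the trust store of a client that explicitly accepted this cert
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

var cert, pool = selfSigned() // what the server presents / what an accepting client trusts

// handshake runs one IMAP-style exchange over a loopback socket: starttls=false models port 993 (TLS from the
// first byte), starttls=true models port 143 (greeting, STARTTLS, then TLS). trust is the client's CA store (nil = system).
func handshake(starttls bool, trust *x509.CertPool) (clientErr, serverErr error) {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	srvErr := make(chan error, 1)
	go func() {
		s, _ := ln.Accept()
		if starttls {
			s.Write([]byte("* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"))
			bufio.NewReader(s).ReadString('\n') // the client's "a1 STARTTLS"
			s.Write([]byte("a1 OK Begin TLS negotiation now.\r\n"))
		}
		srvErr <- tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()
	c, _ := net.Dial("tcp", ln.Addr().String())
	defer c.Close()
	if starttls {
		r := bufio.NewReader(c)
		r.ReadString('\n') // greeting advertising STARTTLS; nothing is encrypted yet
		c.Write([]byte("a1 STARTTLS\r\n"))
		r.ReadString('\n') // "a1 OK": from here on the socket carries TLS
	}
	clientErr = tls.Client(c, &tls.Config{ServerName: "propnew", RootCAs: trust}).Handshake()
	return clientErr, <-srvErr // on rejection the server sees "bad certificate" (TLS alert 42)
}
```

The port is not what is being rejected: the client sends alert 42 only after it has received the server certificate, so the STARTTLS path on 143 fails in exactly the same way once the upgrade happens, and both paths succeed once the cert is in the client's trust store.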