dovecot-2.0.9 on CentOS 6.7

The system in question is not connected to the Internet, so I can't
copy-and-paste. I have to type anything required :-(

Brand-new out-of-the-box install with a really minimal dovecot.conf
including:

service imap-login {
  inet_listener imaps {
    address = 192.168.1.10
    port = 143
    ssl = yes
  }
}

ssl_cert=</etc/pki/tls/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_key =</etc/pki/tls/private/dovecot.pem

That's very, very similar to an existing dovecot server on an old VM I
need to replace. Certs are self-signed, I know that's a horrible thing
to do, but right now we don't have any choice. I'm connecting with
Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice
about :-/ The Apple Mail just sits there stupidly. Its "Connection
Doctor" just helpfully reports that it can't establish a connection. I
can use 'openssl s_client -showcerts -connect mail:143' and see what I
expect to see. The dovecot log with lots of verbosity enabled tells me:

imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, lip=192.168.1.10, TLS handshaking: Disconnected
auth: Debug: auth client connected (pid=21006)
imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]
imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]

And that's it... those lines get repeated every minute that Mail is
running. I'm not seeing anything in any logs that even hints at what
it's unhappy about, or any way to increase verbosity any more.

Any hints appreciated!

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

On Thu, Mar 17, 2016 at 8:18 PM, John Oliver <joliver at john-oliver.net> wrote:
> dovecot-2.0.9 on CentOS 6.7
>
> The system in question is not connected to the Internet, so I can't
> copy-and-paste. I have to type anything required :-(
>
> Brand-new out-of-the-box install with a really minimal dovecot.conf
> including:
>
> service imap-login {
>   inet_listener imaps {
>     address = 192.168.1.10
>     port = 143
>     ssl = yes
>   }
> }
>
> ssl_cert=</etc/pki/tls/certs/dovecot.pem
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_key =</etc/pki/tls/private/dovecot.pem
>
>
> That's very, very similar to an existing dovecot server on an old VM I
> need to replace. Certs are self-signed, I know that's a horrible thing
> to do, but right now we don't have any choice. I'm connecting with
> Apple Mail 8.2 running on OS X 10.10.5, another thing we have no choice
> about :-/ The Apple Mail just sits there stupidly. Its "Connection
> Doctor" just helpfully reports that it can't establish a connection. I
> can use 'openssl s_client -showcerts -connect mail:143' and see what I
> expect to see. The dovecot log with lots of verbosity enabled tells me:
>
> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200,
> lip=192.168.1.10, TLS handshaking: Disconnected
> auth: Debug: auth client connected (pid=21006)
> imap-login: Warning: SSL: where=0x10, ret=1: before/accept
> initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2001, ret=1: before/accept
> initialization [192.168.1.200]
> imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client
> hello A [192.168.1.200]
>
>
> And that's it... those lines get repeated every minute that Mail is
> running. I'm not seeing anything in any logs that even hints at what
> it's unhappy about, or any way to increase verbosity any more.
>
> Any hints appreciated!
>
> --
> ***********************************************************************
> * John Oliver                             http://www.john-oliver.net/ *
> *                                                                     *
> ***********************************************************************

Maybe use -starttls imap or 993 port and more logs verbose_ssl=yes

On Thu, Mar 17, 2016 at 08:30:32PM +0300, Andrey Fesenko wrote:
> Maybe use -starttls imap or 993 port and more logs verbose_ssl=yes

I am using verbose_ssl = yes

Dovecot is currently working with SSL on 143, and I'm trying to not
change current client config.

As for '-starttls', in what context?

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

On 17/03/2016 17:18, John Oliver wrote:
> The dovecot log with lots of verbosity enabled tells me:
>
> imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200,
> lip=192.168.1.10, TLS handshaking: Disconnected

'no auth attempts' has been reported on the list a few times before
and, in some cases, it means what it says - the MUA made no attempt
to authenticate with username and password. I think authentication is
a different activity from setting up an encrypted comms channel.

Two ideas:

Is the MUA set up to use a login?

And, as part of the secure connection, is the MUA set up to use 'starttls'?

hth
Ron

On Thu, Mar 17, 2016 at 08:04:26PM +0000, Ron Leach wrote:
> On 17/03/2016 17:18, John Oliver wrote:
> >The dovecot log with lots of verbosity enabled tells me:
> >
> >imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200,
> >lip=192.168.1.10, TLS handshaking: Disconnected
> >
> 'no auth attempts' has been reported on the list a few times before
> and, in some cases, it means what it says - the MUA made no attempt
> to authenticate with username and password. I think authentication is
> a different activity from setting up an encrypted comms channel.
>
> Two ideas:
>
> Is the MUA set up to use a login?
>
> And, as part of the secure connection, is the MUA set up to use 'starttls'?

Unfortunately, as the MUA is Apple Mail, that answer is hard to
determine. Have I configured a login? Sure. Have I checked "Use SSL"?
Yup. Do those settings mean anything? Who knows?

With our old mail server, it "just works"... after going through the
mail setup, we don't need to do anything fancy. I can't help but
imagine that there's some other difference in the default configs. I'll
have to dump the configs of both and do a diff and hope there aren't so
many differences I can't pick out what may be relevant here...

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
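
The where=0x... values in the verbose_ssl lines quoted in this thread are OpenSSL info-callback bitmasks. The following is an added example, not part of the original thread and not Dovecot code: it decodes those masks and reports how far a logged handshake got. The bit values are the ones defined in OpenSSL's ssl.h; the function names, the "SSL alert:" line prefix handled by the regex, and the unwrapping of the hand-typed log lines are assumptions of this example.

```python
import re

# OpenSSL info-callback bits (ssl.h); verbose_ssl prints the raw mask as where=0x...
SSL_ST_CONNECT, SSL_ST_ACCEPT = 0x1000, 0x2000
CB_BITS = [(0x01, "LOOP"), (0x02, "EXIT"), (0x04, "READ"), (0x08, "WRITE"),
           (0x10, "HANDSHAKE_START"), (0x20, "HANDSHAKE_DONE"), (0x4000, "ALERT")]
SSL_LINE = re.compile(
    r"SSL(?: alert)?: where=(0x[0-9a-fA-F]+), ret=(-?\d+): (.*?)(?: \[([\d.]+)\])?$")

# Log lines as typed in the first post, with the mail line-wrapping undone.
SAMPLE = [
    "imap-login: Info: Disconnected (no auth attempts): rip=192.168.1.200, "
    "lip=192.168.1.10, TLS handshaking: Disconnected",
    "imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [192.168.1.200]",
    "imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [192.168.1.200]",
    "imap-login: Warning: SSL: where=0x2002, ret=1: SSLv2/v3 read client hello A [192.168.1.200]",
]

def decode_where(where):
    """Split a where= bitmask into handshake side and callback event names."""
    names = []
    if where & SSL_ST_ACCEPT:
        names.append("ACCEPT")    # this end is the TLS server
    if where & SSL_ST_CONNECT:
        names.append("CONNECT")   # this end is the TLS client
    return names + [name for bit, name in CB_BITS if where & bit]

def parse_line(line):
    """Return a dict for a verbose_ssl line, or None for any other log line."""
    m = SSL_LINE.search(line.strip())
    if m is None:
        return None
    where = int(m.group(1), 16)
    return {"where": where, "flags": decode_where(where), "ret": int(m.group(2)),
            "state": m.group(3), "rip": m.group(4)}

def summarize(lines):
    """Report whether the logged handshake started, completed or raised an alert."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    seen = {flag for e in events for flag in e["flags"]}
    return {"events": len(events),
            "started": "HANDSHAKE_START" in seen,
            "completed": "HANDSHAKE_DONE" in seen,
            "alert": "ALERT" in seen,
            "last_state": events[-1]["state"] if events else None}

if __name__ == "__main__":
    for entry in filter(None, map(parse_line, SAMPLE)):
        print(hex(entry["where"]), entry["flags"], entry["state"])
    print(summarize(SAMPLE))
```

For the lines in this thread the summary shows a handshake that started on the accepting side and never logged HANDSHAKE_DONE (0x20), with "SSLv2/v3 read client hello A" as the last state reached.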