I've configured Dovecot and Postfix on a new VPS running Ubuntu 16.04, using
Linode's tutorial [1], to require authentication and SSL encryption for both
POP3 and SMTP. All looks OK to me except, when my email client app (macOS
Mail.app) tries to log in, it says that my cert is invalid.

The trouble appears when I attempt to configure a client account in Mail.app on
my Mac. For the POP server name, I enter my VPS' "45.56.81.181", because
public DNS is still pointing to my existing host. I set the account to use the
Apple TLS certificate, and then click to save this new account info. Before
saving, Mail.app checks my entries by attempting to log in. The result is: "The
identity of server 45.56.81.181 cannot be verified. The certificate for this
server is invalid." At the same time, on my new server, some entries appear in
/var/log/mail.log [2].

The certificate in question is a new PositiveSSL/Comodo cert I bought the other
day. It works OK for serving web pages - I mean, on this same Mac, when I visit
my under-construction site at https://45.56.81.181 in Safari or Firefox, I get
the padlock icon and no warnings.

Comodo gave me two files, a ".crt" which contains my cert, and a
".ca-bundle.crt" which contains their certs. Per Dovecot documentation, I
concatenated these into a "chained" file containing all 3 certs, starting with
mine. In /etc/dovecot/conf.d/10-ssl.conf, I set ssl_cert = this "chained" file.
I tried adding the two original cert files to macOS Keychain.app with "Always
trust" but that did not help.

Being new at this, I would appreciate any suggestions. My `dovecot -n` output
is below [3].

Thank you very much!

Jerry Krinock
[1] https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
**************************************************
[2] /var/log/mail.log entries when client attempts login
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x10, ret=1:
before/accept initialization [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1:
before/accept initialization [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1:
unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: message repeated 6 times: [ pop3-login: Debug:
SSL: where=0x2001, ret=1: unknown state [24.4.251.228]]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1:
unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1:
unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Warning: SSL failed: where=0x2002:
unknown state [24.4.251.228]
Jul 27 12:22:19 bird dovecot: pop3-login: Debug: SSL error: Disconnected
Jul 27 12:22:19 bird dovecot: pop3-login: Disconnected (no auth attempts in 0
secs): user=<>, rip=24.4.251.228, lip=45.56.81.181, TLS handshaking:
Disconnected, session=<8HuX76I4p8gYBPvk>
Yes, 24.4.251.228 is the IP address of my Mac.
**************************************************
[3] Output from `dovecot -n`
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.5.5-x86_64-linode69 x86_64 Ubuntu 16.04 LTS ext4
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/sheepsystems_com_chained.crt
ssl_key = </etc/ssl/localcerts/linode.sheepsystems.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes