I've tested your soulution, but it also says the same error. I've tested all combinations of: - tls_ca_cert_file = <cert> - tls = yes - tls_require_cert = demand Every time it says "Connection error". Only when tls is uncommented it says "TLS required". Additional information from my contact with the openldap-technical mailing list: The ldapsearch under the user dovecot with -ZZ works fine. And they mention that the ldap.conf and dovecot-ldap.conf should have no differences, that is correct no differences. Here is a link to the ldap.conf https://gwarband.de/openldap/ldap.conf And the output of ldapsearch under dovecot: https://gwarband.de/openldap/ldapsearch-dovecot.log Tobias Am 2017-03-20 11:00, schrieb Tomas Habarta:> I've finally managed that running on Debian 8 test machine by > commenting > tls_ca_cert_file > option from dovecot-ldap.conf, so only > tls = yes > tls_require_cert = demand > > Not sure why is that as on my CentOS6 Dovecot works even with that > commented option. May be that CentOS and Debian uses different ldap > library or different versions or there's another peculiarity ... > > Anyway, when tls_require_cert = demand is set, cite: > -- > With a setting of demand the certificate is requested and a valid > certificate must be provided, otherwise the session is immediately > terminated. > -- > > As that option doesn't provide any source, it is taken from > /etc/ldap/ldap.conf on Debian and if it's missing there, Dovecot > client > times out on validating provided certificate with > > imap-login: Error: Timeout waiting for handshake from auth server. > imap-login: Disconnected: Auth process broken (disconnected before > auth > was ready, waited 30 secs) > > > > Tomas > > > On 03/18/2017 02:22 PM, info at gwarband.de wrote: >> The serverlog of openldap with loglevel "any": >> https://gwarband.de/openldap/openldap-connect.log >> Note: openldap waits 1 Minute before he says "TLS negotiation >> failure" >> after the connect. >> and dovecot says direct "Connect error" >> >> I've also delete the TLSCipherSuite from openldap. >> >> Tobias >> >> Am 2017-03-18 14:01, schrieb Tomas Habarta: >>> Increase log level on server side as well to see what the server >>> says... >>> You may remove anything in TLSCipherSuite for the purpose of testing >>> too. >>> >>> Hopefully anyone knowing OpenLDAP internals could help you analyse >>> it >>> more deeply. >>> >>> Tomas >>> >>> On 03/18/2017 01:31 PM, info at gwarband.de wrote: >>>> I've replicate the settings from ldapsearch to dovecot but no >>>> success. >>>> To the certificate: >>>> Yes it's a *.crt file but I have linked the *.pem file to it and >>>> dovecot >>>> has read access to that file. >>>> >>>> I have enabled the debugging in dovecot and have uploaded the >>>> output: >>>> https://gwarband.de/openldap/dovecot-connect.log >>>> >>>> And the other site with ldapsearch: >>>> https://gwarband.de/openldap/ldapsearch-connect.log >>>> >>>> I'm pretty sure that there is a problem with the sslhandshaking >>>> between >>>> openldap and dovecot, but I can't find the source of the problem. >>>> >>>> One of the steps in the sslhandshaking is not success but in the >>>> debugging output I can't find any line with a hit to it. >>>> >>>> Tobias >>>> >>>> Am 2017-03-18 12:30, schrieb Tomas Habarta: >>>>> Well, if ldapsearch works, try to replicate its settings for >>>>> dovecot >>>>> client. >>>>> It's not obvious what settings ldapsearch uses, have a look at >>>>> default >>>>> client settings in /etc/openldap/ldap.conf, there may be something >>>>> set a >>>>> slightly different way. >>>>> Also double check permissions for files used by dovecot, I mean >>>>> mainly >>>>> the file listed for tls_ca_cert_file as dovecot may not have an >>>>> access >>>>> for reading... >>>>> >>>>> I cannot see anything downright bad, just posted CA cert (which is >>>>> ok, >>>>> tested) is *.crt and your config mentions *.pem but I consider >>>>> it's the >>>>> same file. >>>>> >>>>> Finally, I would recommend to enable debug option for dovecot's >>>>> client >>>>> debug_level = -1 (which logs all available) in your >>>>> dovecot-ldap.conf >>>>> to see what the library reports and work further on that. >>>>> You can compare with output from ldapsearch by adding -d-1 switch >>>>> to >>>>> it. >>>>> >>>>> Hard to tell more at the moment. >>>>> >>>>> >>>>> Tomas >>>>> >>>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote: >>>>>> Hello, >>>>>> >>>>>> I have also installed LE certs. >>>>>> But nothing helps, I have double-checking all certs. >>>>>> >>>>>> ldapsearch with -ZZ works see: >>>>>> https://gwarband.de/openldap/ldapsearch.log >>>>>> >>>>>> I have also uploaded the TLSCACertificateFile, maybe I have a >>>>>> failure in >>>>>> the merge of the two fiels: >>>>>> https://gwarband.de/openldap/LetsEncrypt.crt >>>>>> >>>>>> And also I have uploaded my complete openldap configuration: >>>>>> https://gwarband.de/openldap/openldap.conf >>>>>> >>>>>> All other components can work and communicate with my openldap >>>>>> server. >>>>>> The components are postfix, openxchange, apache (phpldapadmin). >>>>>> >>>>>> My installated software is: >>>>>> Debian 8 >>>>>> OpenLDAP 2.4.40 >>>>>> Dovecot 2.2.13 >>>>>> >>>>>> I hope you can find the issue. >>>>>> >>>>>> Thanks, >>>>>> Tobias >>>>>> >>>>>> Am 2017-03-17 22:48, schrieb Tomas Habarta: >>>>>>> Hi, >>>>>>> >>>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally >>>>>>> over the >>>>>>> unix socket on the same machine, but tried over inet with >>>>>>> STARTTLS >>>>>>> and >>>>>>> it's working ok... >>>>>>> >>>>>>> I would suggest double-checking key/certs setup on OpenLDAP >>>>>>> side; for >>>>>>> the test I have used LE certs, utilizing following cn=config >>>>>>> attributes: >>>>>>> >>>>>>> olcTLSCertificateKeyFile contains private key >>>>>>> olcTLSCertificateFile contains certificate >>>>>>> olcTLSCACertificateFile contains both certs (DST Root CA >>>>>>> X3 >>>>>>> and Let's Encrypt Authority X3) >>>>>>> >>>>>>> and used the same CA file in Dovecot's tls_ca_cert_file >>>>>>> >>>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or >>>>>>> ... ? >>>>>>> >>>>>>> >>>>>>> >>>>>>> Hope that helps, good luck ;) >>>>>>> Tomas >>>>>>> >>>>>>> >>>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote: >>>>>>>> Hello guys, >>>>>>>> >>>>>>>> actually I'm trying to configure dovecot to access openldap for >>>>>>>> passwordcheck. >>>>>>>> My openldap is only allow access over "secure ldap". >>>>>>>> The dovecot can communicate with the openldap server but there >>>>>>>> is >>>>>>>> maybe >>>>>>>> a failure in the sslhandshake. >>>>>>>> Additional information you can find in the logs or in the dump >>>>>>>> below. >>>>>>>> Also I have my ldap config from dovecot in the links below. >>>>>>>> >>>>>>>> I have already created an bug reporting in the system of >>>>>>>> openldap >>>>>>>> but >>>>>>>> the answer was to get support from her. >>>>>>>> >>>>>>>> All datalinks: >>>>>>>> https://gwarband.de/openldap/dovecot.log >>>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf >>>>>>>> https://gwarband.de/openldap/openldap.log >>>>>>>> https://gwarband.de/openldap/trace.dump >>>>>>>> >>>>>>>> The bugreportinglink from openldap: >>>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615 >>>>>>>> >>>>>>>> I hope you can help me. >>>>>>>> >>>>>>>> Regards. >>>>>>>> Tobias Warband
Actually, I likely managed to replicate the problem itself. I've observed described behavior (timeout with connection error) only if Dovecot's tls_ca_cert_file provided either non-existent file or there was no read access to the existing file -- found during review after sending my last post as I run CentOS, not Debian and didn't adjust the path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when setting that up. Anyway, ldapsearch uses the same library as Dovecot so if ldapsearch works, Dovecot _simply_ must work as well ;) As mentioned, I normally run CentOS, where /etc/ssl/certs has SELinux security context; don't you by any chance run something similar which may prevent Dovecot from accessing the file? I tested on Debian 8 with the standard repo software (same versions you reported), even tried also 2.2.27 from backports and all worked ok, so there seems to be nothing wrong with both software at all, just some little thing in the configuration... Tomas On 03/20/2017 02:04 PM, info at gwarband.de wrote:> I've tested your soulution, but it also says the same error. > I've tested all combinations of: > - tls_ca_cert_file = <cert> > - tls = yes > - tls_require_cert = demand > > Every time it says "Connection error". > Only when tls is uncommented it says "TLS required". > > Additional information from my contact with the openldap-technical > mailing list: > The ldapsearch under the user dovecot with -ZZ works fine. > And they mention that the ldap.conf and dovecot-ldap.conf should have no > differences, that is correct no differences. > Here is a link to the ldap.conf > https://gwarband.de/openldap/ldap.conf > And the output of ldapsearch under dovecot: > https://gwarband.de/openldap/ldapsearch-dovecot.log > > Tobias > > Am 2017-03-20 11:00, schrieb Tomas Habarta: >> I've finally managed that running on Debian 8 test machine by commenting >> tls_ca_cert_file >> option from dovecot-ldap.conf, so only >> tls = yes >> tls_require_cert = demand >> >> Not sure why is that as on my CentOS6 Dovecot works even with that >> commented option. May be that CentOS and Debian uses different ldap >> library or different versions or there's another peculiarity ... >> >> Anyway, when tls_require_cert = demand is set, cite: >> -- >> With a setting of demand the certificate is requested and a valid >> certificate must be provided, otherwise the session is immediately >> terminated. >> -- >> >> As that option doesn't provide any source, it is taken from >> /etc/ldap/ldap.conf on Debian and if it's missing there, Dovecot client >> times out on validating provided certificate with >> >> imap-login: Error: Timeout waiting for handshake from auth server. >> imap-login: Disconnected: Auth process broken (disconnected before auth >> was ready, waited 30 secs) >> >> >> >> Tomas >> >> >> On 03/18/2017 02:22 PM, info at gwarband.de wrote: >>> The serverlog of openldap with loglevel "any": >>> https://gwarband.de/openldap/openldap-connect.log >>> Note: openldap waits 1 Minute before he says "TLS negotiation failure" >>> after the connect. >>> and dovecot says direct "Connect error" >>> >>> I've also delete the TLSCipherSuite from openldap. >>> >>> Tobias >>> >>> Am 2017-03-18 14:01, schrieb Tomas Habarta: >>>> Increase log level on server side as well to see what the server >>>> says... >>>> You may remove anything in TLSCipherSuite for the purpose of testing >>>> too. >>>> >>>> Hopefully anyone knowing OpenLDAP internals could help you analyse it >>>> more deeply. >>>> >>>> Tomas >>>> >>>> On 03/18/2017 01:31 PM, info at gwarband.de wrote: >>>>> I've replicate the settings from ldapsearch to dovecot but no success. >>>>> To the certificate: >>>>> Yes it's a *.crt file but I have linked the *.pem file to it and >>>>> dovecot >>>>> has read access to that file. >>>>> >>>>> I have enabled the debugging in dovecot and have uploaded the output: >>>>> https://gwarband.de/openldap/dovecot-connect.log >>>>> >>>>> And the other site with ldapsearch: >>>>> https://gwarband.de/openldap/ldapsearch-connect.log >>>>> >>>>> I'm pretty sure that there is a problem with the sslhandshaking >>>>> between >>>>> openldap and dovecot, but I can't find the source of the problem. >>>>> >>>>> One of the steps in the sslhandshaking is not success but in the >>>>> debugging output I can't find any line with a hit to it. >>>>> >>>>> Tobias >>>>> >>>>> Am 2017-03-18 12:30, schrieb Tomas Habarta: >>>>>> Well, if ldapsearch works, try to replicate its settings for dovecot >>>>>> client. >>>>>> It's not obvious what settings ldapsearch uses, have a look at >>>>>> default >>>>>> client settings in /etc/openldap/ldap.conf, there may be something >>>>>> set a >>>>>> slightly different way. >>>>>> Also double check permissions for files used by dovecot, I mean >>>>>> mainly >>>>>> the file listed for tls_ca_cert_file as dovecot may not have an >>>>>> access >>>>>> for reading... >>>>>> >>>>>> I cannot see anything downright bad, just posted CA cert (which is >>>>>> ok, >>>>>> tested) is *.crt and your config mentions *.pem but I consider >>>>>> it's the >>>>>> same file. >>>>>> >>>>>> Finally, I would recommend to enable debug option for dovecot's >>>>>> client >>>>>> debug_level = -1 (which logs all available) in your >>>>>> dovecot-ldap.conf >>>>>> to see what the library reports and work further on that. >>>>>> You can compare with output from ldapsearch by adding -d-1 switch to >>>>>> it. >>>>>> >>>>>> Hard to tell more at the moment. >>>>>> >>>>>> >>>>>> Tomas >>>>>> >>>>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote: >>>>>>> Hello, >>>>>>> >>>>>>> I have also installed LE certs. >>>>>>> But nothing helps, I have double-checking all certs. >>>>>>> >>>>>>> ldapsearch with -ZZ works see: >>>>>>> https://gwarband.de/openldap/ldapsearch.log >>>>>>> >>>>>>> I have also uploaded the TLSCACertificateFile, maybe I have a >>>>>>> failure in >>>>>>> the merge of the two fiels: >>>>>>> https://gwarband.de/openldap/LetsEncrypt.crt >>>>>>> >>>>>>> And also I have uploaded my complete openldap configuration: >>>>>>> https://gwarband.de/openldap/openldap.conf >>>>>>> >>>>>>> All other components can work and communicate with my openldap >>>>>>> server. >>>>>>> The components are postfix, openxchange, apache (phpldapadmin). >>>>>>> >>>>>>> My installated software is: >>>>>>> Debian 8 >>>>>>> OpenLDAP 2.4.40 >>>>>>> Dovecot 2.2.13 >>>>>>> >>>>>>> I hope you can find the issue. >>>>>>> >>>>>>> Thanks, >>>>>>> Tobias >>>>>>> >>>>>>> Am 2017-03-17 22:48, schrieb Tomas Habarta: >>>>>>>> Hi, >>>>>>>> >>>>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally >>>>>>>> over the >>>>>>>> unix socket on the same machine, but tried over inet with STARTTLS >>>>>>>> and >>>>>>>> it's working ok... >>>>>>>> >>>>>>>> I would suggest double-checking key/certs setup on OpenLDAP >>>>>>>> side; for >>>>>>>> the test I have used LE certs, utilizing following cn=config >>>>>>>> attributes: >>>>>>>> >>>>>>>> olcTLSCertificateKeyFile contains private key >>>>>>>> olcTLSCertificateFile contains certificate >>>>>>>> olcTLSCACertificateFile contains both certs (DST Root CA X3 >>>>>>>> and Let's Encrypt Authority X3) >>>>>>>> >>>>>>>> and used the same CA file in Dovecot's tls_ca_cert_file >>>>>>>> >>>>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or >>>>>>>> ... ? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Hope that helps, good luck ;) >>>>>>>> Tomas >>>>>>>> >>>>>>>> >>>>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote: >>>>>>>>> Hello guys, >>>>>>>>> >>>>>>>>> actually I'm trying to configure dovecot to access openldap for >>>>>>>>> passwordcheck. >>>>>>>>> My openldap is only allow access over "secure ldap". >>>>>>>>> The dovecot can communicate with the openldap server but there is >>>>>>>>> maybe >>>>>>>>> a failure in the sslhandshake. >>>>>>>>> Additional information you can find in the logs or in the dump >>>>>>>>> below. >>>>>>>>> Also I have my ldap config from dovecot in the links below. >>>>>>>>> >>>>>>>>> I have already created an bug reporting in the system of openldap >>>>>>>>> but >>>>>>>>> the answer was to get support from her. >>>>>>>>> >>>>>>>>> All datalinks: >>>>>>>>> https://gwarband.de/openldap/dovecot.log >>>>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf >>>>>>>>> https://gwarband.de/openldap/openldap.log >>>>>>>>> https://gwarband.de/openldap/trace.dump >>>>>>>>> >>>>>>>>> The bugreportinglink from openldap: >>>>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615 >>>>>>>>> >>>>>>>>> I hope you can help me. >>>>>>>>> >>>>>>>>> Regards. >>>>>>>>> Tobias Warband-- toCc.cz
The user "dovecot" can access and read the cert. Here is an output of the console: https://gwarband.de/openldap/dovecot-certs.log So I think there is nothing what prevent Dovecot to access the file. Tobias Am 2017-03-20 20:14, schrieb Tomas Habarta:> Actually, I likely managed to replicate the problem itself. > I've observed described behavior (timeout with connection error) only > if > Dovecot's tls_ca_cert_file provided either non-existent file or there > was no read access to the existing file -- found during review after > sending my last post as I run CentOS, not Debian and didn't adjust the > path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when > setting that up. > > Anyway, ldapsearch uses the same library as Dovecot so if ldapsearch > works, Dovecot _simply_ must work as well ;) > > As mentioned, I normally run CentOS, where /etc/ssl/certs has SELinux > security context; don't you by any chance run something similar which > may prevent Dovecot from accessing the file? > > I tested on Debian 8 with the standard repo software (same versions > you > reported), even tried also 2.2.27 from backports and all worked ok, so > there seems to be nothing wrong with both software at all, just some > little thing in the configuration... > > > Tomas > > > On 03/20/2017 02:04 PM, info at gwarband.de wrote: >> I've tested your soulution, but it also says the same error. >> I've tested all combinations of: >> - tls_ca_cert_file = <cert> >> - tls = yes >> - tls_require_cert = demand >> >> Every time it says "Connection error". >> Only when tls is uncommented it says "TLS required". >> >> Additional information from my contact with the openldap-technical >> mailing list: >> The ldapsearch under the user dovecot with -ZZ works fine. >> And they mention that the ldap.conf and dovecot-ldap.conf should have >> no >> differences, that is correct no differences. >> Here is a link to the ldap.conf >> https://gwarband.de/openldap/ldap.conf >> And the output of ldapsearch under dovecot: >> https://gwarband.de/openldap/ldapsearch-dovecot.log >> >> Tobias >> >> Am 2017-03-20 11:00, schrieb Tomas Habarta: >>> I've finally managed that running on Debian 8 test machine by >>> commenting >>> tls_ca_cert_file >>> option from dovecot-ldap.conf, so only >>> tls = yes >>> tls_require_cert = demand >>> >>> Not sure why is that as on my CentOS6 Dovecot works even with that >>> commented option. May be that CentOS and Debian uses different ldap >>> library or different versions or there's another peculiarity ... >>> >>> Anyway, when tls_require_cert = demand is set, cite: >>> -- >>> With a setting of demand the certificate is requested and a valid >>> certificate must be provided, otherwise the session is immediately >>> terminated. >>> -- >>> >>> As that option doesn't provide any source, it is taken from >>> /etc/ldap/ldap.conf on Debian and if it's missing there, Dovecot >>> client >>> times out on validating provided certificate with >>> >>> imap-login: Error: Timeout waiting for handshake from auth server. >>> imap-login: Disconnected: Auth process broken (disconnected before >>> auth >>> was ready, waited 30 secs) >>> >>> >>> >>> Tomas >>> >>> >>> On 03/18/2017 02:22 PM, info at gwarband.de wrote: >>>> The serverlog of openldap with loglevel "any": >>>> https://gwarband.de/openldap/openldap-connect.log >>>> Note: openldap waits 1 Minute before he says "TLS negotiation >>>> failure" >>>> after the connect. >>>> and dovecot says direct "Connect error" >>>> >>>> I've also delete the TLSCipherSuite from openldap. >>>> >>>> Tobias >>>> >>>> Am 2017-03-18 14:01, schrieb Tomas Habarta: >>>>> Increase log level on server side as well to see what the server >>>>> says... >>>>> You may remove anything in TLSCipherSuite for the purpose of >>>>> testing >>>>> too. >>>>> >>>>> Hopefully anyone knowing OpenLDAP internals could help you analyse >>>>> it >>>>> more deeply. >>>>> >>>>> Tomas >>>>> >>>>> On 03/18/2017 01:31 PM, info at gwarband.de wrote: >>>>>> I've replicate the settings from ldapsearch to dovecot but no >>>>>> success. >>>>>> To the certificate: >>>>>> Yes it's a *.crt file but I have linked the *.pem file to it and >>>>>> dovecot >>>>>> has read access to that file. >>>>>> >>>>>> I have enabled the debugging in dovecot and have uploaded the >>>>>> output: >>>>>> https://gwarband.de/openldap/dovecot-connect.log >>>>>> >>>>>> And the other site with ldapsearch: >>>>>> https://gwarband.de/openldap/ldapsearch-connect.log >>>>>> >>>>>> I'm pretty sure that there is a problem with the sslhandshaking >>>>>> between >>>>>> openldap and dovecot, but I can't find the source of the problem. >>>>>> >>>>>> One of the steps in the sslhandshaking is not success but in the >>>>>> debugging output I can't find any line with a hit to it. >>>>>> >>>>>> Tobias >>>>>> >>>>>> Am 2017-03-18 12:30, schrieb Tomas Habarta: >>>>>>> Well, if ldapsearch works, try to replicate its settings for >>>>>>> dovecot >>>>>>> client. >>>>>>> It's not obvious what settings ldapsearch uses, have a look at >>>>>>> default >>>>>>> client settings in /etc/openldap/ldap.conf, there may be >>>>>>> something >>>>>>> set a >>>>>>> slightly different way. >>>>>>> Also double check permissions for files used by dovecot, I mean >>>>>>> mainly >>>>>>> the file listed for tls_ca_cert_file as dovecot may not have an >>>>>>> access >>>>>>> for reading... >>>>>>> >>>>>>> I cannot see anything downright bad, just posted CA cert (which >>>>>>> is >>>>>>> ok, >>>>>>> tested) is *.crt and your config mentions *.pem but I consider >>>>>>> it's the >>>>>>> same file. >>>>>>> >>>>>>> Finally, I would recommend to enable debug option for dovecot's >>>>>>> client >>>>>>> debug_level = -1 (which logs all available) in your >>>>>>> dovecot-ldap.conf >>>>>>> to see what the library reports and work further on that. >>>>>>> You can compare with output from ldapsearch by adding -d-1 >>>>>>> switch to >>>>>>> it. >>>>>>> >>>>>>> Hard to tell more at the moment. >>>>>>> >>>>>>> >>>>>>> Tomas >>>>>>> >>>>>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> I have also installed LE certs. >>>>>>>> But nothing helps, I have double-checking all certs. >>>>>>>> >>>>>>>> ldapsearch with -ZZ works see: >>>>>>>> https://gwarband.de/openldap/ldapsearch.log >>>>>>>> >>>>>>>> I have also uploaded the TLSCACertificateFile, maybe I have a >>>>>>>> failure in >>>>>>>> the merge of the two fiels: >>>>>>>> https://gwarband.de/openldap/LetsEncrypt.crt >>>>>>>> >>>>>>>> And also I have uploaded my complete openldap configuration: >>>>>>>> https://gwarband.de/openldap/openldap.conf >>>>>>>> >>>>>>>> All other components can work and communicate with my openldap >>>>>>>> server. >>>>>>>> The components are postfix, openxchange, apache (phpldapadmin). >>>>>>>> >>>>>>>> My installated software is: >>>>>>>> Debian 8 >>>>>>>> OpenLDAP 2.4.40 >>>>>>>> Dovecot 2.2.13 >>>>>>>> >>>>>>>> I hope you can find the issue. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Tobias >>>>>>>> >>>>>>>> Am 2017-03-17 22:48, schrieb Tomas Habarta: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally >>>>>>>>> over the >>>>>>>>> unix socket on the same machine, but tried over inet with >>>>>>>>> STARTTLS >>>>>>>>> and >>>>>>>>> it's working ok... >>>>>>>>> >>>>>>>>> I would suggest double-checking key/certs setup on OpenLDAP >>>>>>>>> side; for >>>>>>>>> the test I have used LE certs, utilizing following cn=config >>>>>>>>> attributes: >>>>>>>>> >>>>>>>>> olcTLSCertificateKeyFile contains private key >>>>>>>>> olcTLSCertificateFile contains certificate >>>>>>>>> olcTLSCACertificateFile contains both certs (DST Root >>>>>>>>> CA X3 >>>>>>>>> and Let's Encrypt Authority X3) >>>>>>>>> >>>>>>>>> and used the same CA file in Dovecot's tls_ca_cert_file >>>>>>>>> >>>>>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles >>>>>>>>> or >>>>>>>>> ... ? >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Hope that helps, good luck ;) >>>>>>>>> Tomas >>>>>>>>> >>>>>>>>> >>>>>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote: >>>>>>>>>> Hello guys, >>>>>>>>>> >>>>>>>>>> actually I'm trying to configure dovecot to access openldap >>>>>>>>>> for >>>>>>>>>> passwordcheck. >>>>>>>>>> My openldap is only allow access over "secure ldap". >>>>>>>>>> The dovecot can communicate with the openldap server but >>>>>>>>>> there is >>>>>>>>>> maybe >>>>>>>>>> a failure in the sslhandshake. >>>>>>>>>> Additional information you can find in the logs or in the >>>>>>>>>> dump >>>>>>>>>> below. >>>>>>>>>> Also I have my ldap config from dovecot in the links below. >>>>>>>>>> >>>>>>>>>> I have already created an bug reporting in the system of >>>>>>>>>> openldap >>>>>>>>>> but >>>>>>>>>> the answer was to get support from her. >>>>>>>>>> >>>>>>>>>> All datalinks: >>>>>>>>>> https://gwarband.de/openldap/dovecot.log >>>>>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf >>>>>>>>>> https://gwarband.de/openldap/openldap.log >>>>>>>>>> https://gwarband.de/openldap/trace.dump >>>>>>>>>> >>>>>>>>>> The bugreportinglink from openldap: >>>>>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615 >>>>>>>>>> >>>>>>>>>> I hope you can help me. >>>>>>>>>> >>>>>>>>>> Regards. >>>>>>>>>> Tobias Warband