Greetings,

I have had to reinstall my email server on another Linux (centos 7.6) VPS, with a newer version of dovecot, other software and a brand new letsencrypt certificate just for email with postfix and dovecot (that certificate works fine with postfix). Output of dovecot --version and dovecot -n on the new server is below.

Now, messages ARE delivered in the right IMAP mailboxes, but when I try to connect with Mutt from my home computer, mutt says, before prompting for a password:

gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)

the corresponding output of dovecot in /var/log/maillog is below. The gist of it **seems** to me to be the "no shared cipher" part, but I may be wrong. In any case, I have already tried to search online for that string, and other relevant parts of the log, without success. All I have found is suggestions to change the values of ssl_protocols and/or ssl_cipher_list to some non-default value, but I have tried all those tips without success. Current values of those variables are these:

grep -v ^# /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/MYSERVERNAME/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYSERVERNAME/privkey.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU

any pointer to what to check or change next is VERY welcome.

Thanks in advance,
Marco

#################################################
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<knICtX98UK4vNZ88>
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
#################################################

dovecot --version
2.2.36 (1f10bfa63)

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: MYSERVERNAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
mail_location = maildir:/var/mail//base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes
> On 08 December 2018 at 12:03 Marco Fioretti <marco.fioretti at gmail.com> wrote:
>
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
>
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
>
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
>
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
>
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
>
> ssl_cert = </etc/letsencrypt/live/MYSERVERNAME/fullchain.pem
> ssl_key = </etc/letsencrypt/live/MYSERVERNAME/privkey.pem
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
>
> any pointer to what to check or change next is VERY welcome.
>
> Thanks in advance,
> Marco
>
> #################################################
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept()
> failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher, session=<knICtX98UK4vNZ88>
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs
>
> #################################################
> dovecot --version
> 2.2.36 (1f10bfa63)
>
>
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core) ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols? Is your certificate an ECC certificate?

Aki
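Aki's question about an ECC certificate points at the usual mechanism behind OpenSSL's "no shared cipher": the server intersects the client's offered suites with its own expanded ssl_cipher_list and then discards every suite that cannot authenticate with the key in the loaded certificate; if nothing is left, it sends a fatal handshake_failure alert, which is exactly what both Marco's mutt/GnuTLS client and the verbose_ssl log report. The script below is an added example, not code from this thread or from Dovecot. It determines the key type of the first PEM block in a certificate or key file by searching the DER for the rsaEncryption or ecPublicKey OID (an assumption-free heuristic, not a full ASN.1 parser), then expands an OpenSSL cipher string through Python's ssl module and splits the result into suites that can be used with that key type and suites that cannot. It assumes the Python interpreter is linked against the same OpenSSL release as the Dovecot build being checked, since cipher-string expansion depends on the library version; the file name check_ciphers.py and the SAMPLE_PKCS8_RSA_PEM fragment are constructed for the example.

```python
"""Check whether an ssl_cipher_list can ever be used with a given certificate.

OpenSSL's "no shared cipher" (error 1408A0C1, raised while the server
processes the ClientHello) means that after intersecting the client's
offered suites with the server's list, nothing remains that the server can
use with the key in its certificate.  Two server-side inputs decide that:
the certificate's key type and the expanded cipher string.  Dovecot passes
ssl_cipher_list to OpenSSL's cipher-string parser, so the ssl module of a
Python linked against the same OpenSSL expands it identically.  Standard
library only; no network access.
"""
import base64
import re
import ssl

# DER encodings of the AlgorithmIdentifier OIDs that identify the key type in
# a certificate's SubjectPublicKeyInfo or a PKCS#8 PrivateKeyInfo.
_OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
_OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed stand-in for a PKCS#8 RSA key: it carries only the algorithm
# OID, no key material, so the detector can be exercised without a real key.
SAMPLE_PKCS8_RSA_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMAsGCSqGSIb3DQEBAQ==\n-----END PRIVATE KEY-----\n"
)


def key_type_from_pem(pem_text):
    """Return 'rsa' or 'ecdsa' for the first PEM block in pem_text.

    Handles certificates (in fullchain.pem the leaf comes first), PKCS#1 and
    SEC1 keys (the label names the algorithm) and PKCS#8 keys (the OID inside
    the DER decides).  This is an OID search, not a full ASN.1 parse, which
    is enough to tell the two key types apart.
    """
    m = _PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label.startswith("RSA "):
        return "rsa"
    if label.startswith("EC "):
        return "ecdsa"
    der = base64.b64decode("".join(body.split()))
    if _OID_EC_PUBLIC_KEY in der:      # checked first: an EC leaf is usually
        return "ecdsa"                 # RSA-signed, but that OID is different
    if _OID_RSA_ENCRYPTION in der:
        return "rsa"
    raise ValueError("unrecognised key algorithm in %s block" % label)


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suite list a server would use.

    Raises ssl.SSLError when the string matches no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def diagnose(cipher_string, cert_key_type):
    """Split the expanded cipher list by compatibility with the certificate.

    cert_key_type is 'rsa' or 'ecdsa'.  The result has three lists of suite
    names: 'usable' (TLS <= 1.2 suites that authenticate with that key type),
    'tls13' (TLS 1.3 suites, key-type agnostic but only present on
    OpenSSL >= 1.1.1) and 'other' (suites needing a different key type or
    credential).  Empty 'usable' and empty 'tls13' together mean every client
    gets "no shared cipher", whatever it offers.
    """
    wanted = {"rsa": "auth-rsa", "ecdsa": "auth-ecdsa"}[cert_key_type]
    report = {"usable": [], "tls13": [], "other": []}
    for suite in expand_cipher_string(cipher_string):
        if suite.get("protocol") == "TLSv1.3":
            report["tls13"].append(suite["name"])
        elif suite.get("auth") == wanted:
            report["usable"].append(suite["name"])
        else:
            report["other"].append(suite["name"])
    return report


if __name__ == "__main__":
    import sys
    # usage: check_ciphers.py <cert-or-key.pem> '<ssl_cipher_list value>'
    with open(sys.argv[1]) as f:
        key_type = key_type_from_pem(f.read())
    report = diagnose(sys.argv[2], key_type)
    print("certificate key type: %s" % key_type)
    for bucket in ("usable", "tls13", "other"):
        names = report[bucket]
        print("%-7s %3d  %s" % (bucket, len(names), " ".join(names[:6])))
```

Run it on the server as python3 check_ciphers.py /etc/letsencrypt/live/MYSERVERNAME/fullchain.pem 'ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIUM' (the path is the one from the thread; the cipher string is the one from 10-ssl.conf with the truncated keyword completed). A non-empty 'usable' list means the cipher list and the certificate agree and the cause lies elsewhere (file readable by the imap-login process, key matching the certificate, SELinux); an empty one means the cipher list excludes every suite the certificate could sign for, which no client-side change can fix.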
Marco Fioretti wrote on 2018-12-08 11:03:
> I have had to reinstall my email server on another Linux (centos 7.6)

reinstalls often help make the same problems with precompiled distros :=)

is openssl installed or what ssl api is in use ?

did you create a bug report to centos maintainers ?

it's not a postfix/dovecot problem that ssl is not working, Let's Encrypt is irrelevant
Have you tried connecting with openssl c_client, with a cypher list of all? My suspicion is that one of the pair of programs is only using old, weak cyphers (due to age) and the other only strong ones.

David
On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email withpostfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.

Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from https://weakdh.org/sysadmin.html

-------------------------------------------------------------------
ssl = yes
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
#regenerates every week
ssl_dh_parameters_length = 2048
ssl_cert = </etc/pki/tls/certs/XXXXXXX+chain-crt.pem
ssl_key = </etc/pki/tls/private/XXXXXXX-key.pem
-------------------------------------------------------------------

My hook script for letsencrypt copies the cert and key into /etc/pki/tls/. Check to make sure selinux is not denying access to /etc/letsencrypt for dovecot.

You can also test with gnutls-cli or openssl. E.g.

openssl s_client -host imap.XXXXX -port 993

or

gnutls-cli --port 993 imap.XXXXX

--
Greg
Hello, and some update.

Short version: the error is still there, but I have some more data to share, thanks in advance for further advice.

First, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is not an obsolete version.

Second... at the moment I can send email through postfix on the same server, with the same certificates (almost: I still have to fix some stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS). However, running openssl as requested returns "no peer certificate available", and when I connect with mutt to dovecot I still get the "no shared cipher" error. These are the permissions on the certificate files:

ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
-r--------. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
-r--------. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem

output of openssl, dovecot -n, its current SSL settings and excerpt of the log file are all below.

openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(00000003)
140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544521696
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

current SSL dovecot settings in conf.d/10-ssl.conf

ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
sl_min_protocol = TLSv1.2
ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
ssl_cipher_list = ALL

output of dovecot -n:

# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes

this is the error message I get when I try to connect with mutt:

Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
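Marco's update shows the same failure from two different clients (mutt with GnuTLS, and openssl s_client), which is the pattern worth extracting from the mail log systematically: if every client IP fails with the same server-side reason, the certificate and cipher configuration are the suspects, while failures confined to a few clients point at those clients' cipher support. The script below is an added example, not part of the thread or of Dovecot. It decodes the verbose_ssl alert lines (the where value is OpenSSL's SSL_CB_* bitmask, and for alert callbacks ret packs the alert level in the high byte and the alert description in the low byte) and groups the "TLS handshaking" disconnects by client IP and reason. The sample lines are copied from the log excerpts quoted in this thread; the alert-description table covers only the common RFC 5246 values, and the file name tls_failures.py is constructed for the example.

```python
"""Decode the verbose_ssl lines Dovecot's imap-login writes to the mail log.

With verbose_ssl = yes, Dovecot logs OpenSSL's info callback.  "where" is a
bitmask of SSL_CB_* flags; for alert callbacks "ret" packs the TLS alert
level (1 warning, 2 fatal) in the high byte and the AlertDescription in the
low byte, so where=0x4008, ret=552 means "we sent a fatal handshake_failure".
The final "Disconnected ... TLS handshaking: ..." line carries the client IP
(rip) and OpenSSL's own reason string; grouping those by client shows whether
the failure is universal (server-side) or client-specific.
"""
import re
from collections import Counter, defaultdict

SSL_CB_READ = 0x0004    # alert received from the peer
SSL_CB_WRITE = 0x0008   # alert sent to the peer
SSL_CB_ALERT = 0x4000

# TLS AlertDescription values (RFC 5246 section 7.2), common ones only.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

_ALERT_LINE = re.compile(
    r"imap-login: Warning: SSL alert: where=0x([0-9a-f]+), ret=(\d+): "
    r"(?P<text>.*?) \[(?P<rip>[^\]]+)\]")
_DISCONNECT_LINE = re.compile(
    r"imap-login: Disconnected .*?rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: (?P<reason>.*?), session=<")

# Sample input, copied from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<knICtX98UK4vNZ88>
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
""".splitlines()


def decode_ssl_alert(where, ret):
    """Turn OpenSSL's (where, ret) pair from an alert callback into words."""
    level, desc = ret >> 8, ret & 0xFF
    return {
        "is_alert": bool(where & SSL_CB_ALERT),
        "direction": "sent" if where & SSL_CB_WRITE else "received",
        "level": ALERT_LEVELS.get(level, "level-%d" % level),
        "description": ALERT_DESCRIPTIONS.get(desc, "alert-%d" % desc),
    }


def parse_maillog(lines):
    """Return one event dict per SSL alert or TLS-handshake disconnect line."""
    events = []
    for line in lines:
        m = _ALERT_LINE.search(line)
        if m:
            ev = decode_ssl_alert(int(m.group(1), 16), int(m.group(2)))
            ev.update(kind="alert", rip=m.group("rip"))
            events.append(ev)
            continue
        m = _DISCONNECT_LINE.search(line)
        if m:
            events.append({"kind": "disconnect", "rip": m.group("rip"),
                           "lip": m.group("lip"), "reason": m.group("reason")})
    return events


def failures_by_client(events):
    """Map client IP -> Counter of handshake failure reasons."""
    by_rip = defaultdict(Counter)
    for ev in events:
        if ev["kind"] == "disconnect":
            by_rip[ev["rip"]][ev["reason"]] += 1
    return dict(by_rip)


if __name__ == "__main__":
    import sys
    # usage: tls_failures.py < /var/log/maillog   (no input: the sample lines)
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for rip, reasons in failures_by_client(parse_maillog(lines)).items():
        for reason, n in reasons.most_common():
            print("%-20s %4d  %s" % (rip, n, reason))
```

On the thread's own lines the alert decodes to "sent, fatal, handshake_failure", i.e. the server, not the client, aborted the handshake, and both client IPs carry the identical "no shared cipher" reason. That combination says the server could not select any suite for any client, so the next thing to check is the server's certificate and cipher list rather than the client's TLS stack.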