> On 18 Jul 2019 at 11:21, Alexandre Urban via dovecot <dovecot at dovecot.org> wrote:
>
> Hello,
>
> I don't know who will read this message, but I found this thread:
> https://www.mail-archive.com/search?l=dovecot at dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest
> And I'm experiencing the same issue. I will try to explain it to you (English is not my native language, sorry).
>
> Since the Buster update, and so the Dovecot update too, I'm not able to connect to my mail server from my iOS mail client (12.2).
> Thunderbird just works fine.
>
> Here is my configuration:
>
> Debian Buster (amd64)
> Dovecot: 2.3.4.1
> Postfix : 3.4.5
> OpenSSL: 1.1.1c
>
> Dovecot configuration file:
>
> ssl_min_protocol = TLSv1.2 (I tried different versions)
>
> When I tried to connect with command line: openssl s_client -showcerts -connect server:993
>
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2322 bytes and written 392 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>
> When I tried to connect with command line: openssl s_client -showcerts -no_tls1_3 -connect server:993
>
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2423 bytes and written 310 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> I think the "Secure Renegotiation IS NOT supported" with TLS 1.3 could be an issue, but I don't know what to do to fix the issue.
>
> Could you help me?
> Let me know if you need more information.
>
I would rather look at the "Verify return code: 21 (unable to verify the
first certificate)" error.
Is your TLS certificate valid and trusted on your iOS device?
IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3
(TLS1.3 forbids any renegotiation).
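
Added example, not part of the original messages: a small shell filter that triages `openssl s_client` output the way the reply reads it, reporting the certificate verification result and treating the "Secure Renegotiation IS NOT supported" line as not applicable when TLSv1.3 was negotiated. The function name `triage_s_client` and its output labels are made up for this example; the sample input consists of lines taken from the output quoted above.

```shell
#!/bin/sh
# Reads `openssl s_client` text output on stdin, prints one finding per line.
triage_s_client() {
    awk '
        # "New, TLSv1.3, Cipher is ..." names the negotiated protocol.
        /^New, /                                 { split($0, f, ", "); proto = f[2] }
        /^Secure Renegotiation IS NOT supported/ { reneg = "no" }
        /^Secure Renegotiation IS supported/     { reneg = "yes" }
        /^Verification: OK/                      { vok = 1 }
        # Present even when the later "Verify return code" line is cut off.
        /^Verification error: /                  { sub(/^Verification error: /, ""); verr = $0 }
        END {
            print "protocol=" (proto != "" ? proto : "unknown")
            if (reneg == "no" && proto == "TLSv1.3")
                print "renegotiation=not-applicable (TLS 1.3 has no renegotiation)"
            else if (reneg == "no")
                print "renegotiation=MISSING (server lacks secure renegotiation)"
            else if (reneg == "yes")
                print "renegotiation=ok"
            if (verr != "") print "verify=FAIL (" verr ")"
            else if (vok)   print "verify=ok"
            else            print "verify=unknown"
        }'
}

# Sample input: lines taken from the TLS 1.3 output quoted in the message.
sample_tls13() {
    cat <<'EOF'
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Sample input: lines taken from the -no_tls1_3 output quoted in the message.
sample_tls12() {
    cat <<'EOF'
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
EOF
}

sample_tls13 | triage_s_client
```

Against a live server the same filter can be fed directly, for example `openssl s_client -showcerts -connect server:993 </dev/null 2>/dev/null | triage_s_client`.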