Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard certificates. Email clients connect fine, https://www.immuniweb.com/ssl/ tests show certificates are ok. However I can't make replication work when I add ssl = yes. Without ssl it works ok.

I added verbose_ssl in config and error log shows:

dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

From the other server 149.x.x.x I tested with openssl:

openssl s_client -connect 188.x.x.x:12333 -crlf -CAfile /etc/pki/tls/cert.pem

CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier, street = 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN = *.domain.com
verify return:1
.
.
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC
    Session-ID-ctx:
    Master-Key: ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F241BD4B3C4B9E1AB6A929
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1574108251
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The configuration of the 2 servers below.
188.x.x.x

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: login.domain.com
default_vsz_limit = 512 M
doveadm_password = # hidden, use -P to show it
mail_plugins = " notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  mail_replica = tcp:149.x.x.x:12333
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
verbose_ssl = yes
local 91.x.x.x {
  protocol imap {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}
local 91.x.x.x {
  protocol pop3 {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}

149.x.x.x

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Hostname: prime.domain.com
auth_mechanisms = plain login
default_vsz_limit = 1 G
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = session=yes setcred=yes failure_show_msg=yes dovecot
  driver = pam
}
plugin {
  mail_replica = tcp:188.x.x.x:12333
}
protocols = imap pop3
replication_full_sync_interval = 10 mins
replication_max_conns = 11
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
ssl_client_ca_file = /etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 50
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
local 178.x.x.x {
  protocol imap {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}
local 178.x.x.x {
  protocol pop3 {
    ssl_cert = </etc/dovecot/ssl_chain.pem
    ssl_key = # hidden, use -P to show it
  }
}

Your help will be greatly appreciated.
On 18.11.2019 22.30, Miro Igov via dovecot wrote:
> Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard certificates.
> Email clients connect fine, https://www.immuniweb.com/ssl/ tests show certificates are ok.
> However I can't make replication work when I add ssl = yes.
> Without ssl it works ok.
>
> I added verbose_ssl in config and error log shows:
>
> dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> [...]
>
> plugin {
>   mail_replica = tcp:149.x.x.x:12333
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
>
> [...]
>
> service doveadm {
>   inet_listener {
>     port = 12333
>     ssl = yes
>   }
> }
>
> [...]

Hi!

You need to use tcps in mail_replica.

Aki
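Why the fix is the scheme rather than the certificates, and a check for it, as an added example that is not part of the thread or of Dovecot itself. With mail_replica = tcp:... the replicating doveadm client opens a plain TCP connection and starts the doveadm protocol in cleartext; the listener, configured with ssl = yes, hands those first bytes to SSL_accept(), and OpenSSL's SSL23_GET_CLIENT_HELLO rejects them as "unknown protocol" because they are not a TLS ClientHello. openssl s_client succeeds against the same port because it does speak TLS, which is why the certificate chain and cipher list were never the problem. With tcps: the doveadm client starts TLS itself and, as a TLS client, verifies the server certificate against ssl_client_ca_file or ssl_client_ca_dir, so that bundle must contain the issuing CA (the poster's ssl_client_ca_file is the same bundle that made openssl s_client verify cleanly). The script below lints a doveconf -n dump for the two halves of that setting disagreeing. The sample dumps are constructed slices of the 188.x.x.x configuration above, and the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): lint a
# doveconf -n dump for the mismatch discussed above, a doveadm inet_listener
# with "ssl = yes" while plugin { mail_replica } still uses the plaintext
# tcp: scheme.  With that combination the replicating doveadm client sends
# cleartext to a TLS listener and the server logs
# "SSL23_GET_CLIENT_HELLO:unknown protocol".
# Usage on a live host:
#   doveconf -n > /tmp/dc.conf && check_replica_scheme /tmp/dc.conf

# Extract two facts from a doveconf -n dump: whether the doveadm service's
# inet_listener has ssl = yes, and the value of mail_replica.
# Prints "yes|no <mail_replica value>" on one line.
extract_replica_facts() {
    awk '
        /^service doveadm [{]/ { in_dov = 1; depth = 0 }
        in_dov {
            # track brace nesting so we leave the block at its closing brace
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if ($0 ~ /^[[:space:]]*ssl[[:space:]]*=[[:space:]]*yes/) ssl = 1
            if (depth <= 0) in_dov = 0
        }
        /^[[:space:]]*mail_replica[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); replica = $0
        }
        END { print (ssl ? "yes" : "no"), replica }
    ' "$1"
}

# Verdict for one dump file. Returns 0 when listener and replica scheme agree,
# 1 when they disagree (replication would fail), 2 when it cannot tell.
check_replica_scheme() {
    set -- $(extract_replica_facts "$1")
    listener_ssl=$1; replica=$2
    case "$listener_ssl:$replica" in
        yes:tcps:*)
            echo "OK: doveadm listener is TLS and mail_replica = $replica"; return 0 ;;
        no:tcp:*)
            echo "OK (but unencrypted): plaintext listener and mail_replica = $replica"; return 0 ;;
        yes:tcp:*)
            echo "MISMATCH: listener has ssl = yes but mail_replica = $replica;" \
                 "set mail_replica = tcps:${replica#tcp:}"; return 1 ;;
        no:tcps:*)
            echo "MISMATCH: mail_replica = $replica but the doveadm listener has no ssl = yes"; return 1 ;;
        *)
            echo "UNKNOWN: could not find a doveadm inet_listener and/or mail_replica"; return 2 ;;
    esac
}

# Constructed sample dumps: the relevant slices of the 188.x.x.x configuration
# from this thread, before and after applying the fix.
sample_broken() {
cat <<'EOF'
plugin {
  mail_replica = tcp:149.x.x.x:12333
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
ssl_client_ca_file = /etc/pki/tls/cert.pem
EOF
}

sample_fixed() {
    sample_broken | sed 's#mail_replica = tcp:#mail_replica = tcps:#'
}

# Run both samples through the check.
for sample in sample_broken sample_fixed; do
    tmp=$(mktemp)
    "$sample" > "$tmp"
    printf '%s: ' "$sample"
    if check_replica_scheme "$tmp"; then rc=0; else rc=$?; fi
    echo "  (exit status $rc)"
    rm -f "$tmp"
done
```

The check deliberately treats "no ssl = yes plus tcp:" as consistent, because that is the working-but-unencrypted state the poster started from; the verdict line says so, since the replication stream carries mailbox contents and the doveadm password across the network.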
Solved, thank you! TCPS was the issue.

From: Aki Tuomi <aki.tuomi at open-xchange.com>
Sent: Wednesday, November 20, 2019 08:54
To: Miro Igov <miro.igov at gmail.com>; dovecot at dovecot.org
Subject: Re: Doveadm replicator ssl issues

On 18.11.2019 22.30, Miro Igov via dovecot wrote:

[...]

Hi! You need to use tcps in mail_replica.

Aki