hanasaki at gmail.com
2020-Apr-30 18:47 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
I would expect the public cert to be imported as a "server" not an "auth"

The attached image shows that TBird wants an httpS url for a webserver, for the source.

Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list. A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:
> I see. You need to import the cert into Thunderbird's trusted ca certs.
>
> Aki
>> On 30/04/2020 21:36 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>
>> Hello,
>>
>> This is a selfsigned cert. Both of the below methods were used.
>>
>> May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?
>>
>> The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.
>>
>> Separately, what are your thoughts as to why evolution works and thunderbird does not?
>>
>> Thank you,
>>
>> ==1
>>
>> openssl genrsa -out key.pem 2048
>>
>> openssl req -new -sha512 -key key.pem -out csr.csr
>>
>> openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
>> openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
>>
>> ==2
>> openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
>>
>> On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>>> On 30/04/2020 14:49 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>>>
>>>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.
>>>>
>>>> Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. The cert created does work with evolution; just not thunderbird.
>>>>
>>>> Thoughts?
>>>>
>>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>>>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
>>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>>>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
>>>>
>>>> reference
>>>> http://forums.debian.net/viewtopic.php?f=5&t=145849
>>> You are missing intermediate certs from your certfile. Put them after cert in order towards root.
>>>
>>> ---
>>> Aki Tuomi
>
> ---
> Aki Tuomi
Hi everyone,

I have two servers running dovecot, both at version 2.2.33.2. One is an mx-backup and they replicate to each other. I am moving the main server to a new VPS instance, and I'm planning the move carefully, including running dovecot on a container (Docker). I am basing my container on Ubuntu 20.04, and the dovecot that installs is the 2.3.7.2.

My question is: will replication work ok once configured? Reading the documentation for version upgrade there was nothing on this. I will eventually upgrade the "slave" server, but it might take a few weeks.

Any tips on this would be greatly appreciated.

Best,
Francis
hanasaki at gmail.com
2020-May-04 16:03 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
https://stackoverflow.com/questions/61077885/add-thunderbird-security-exception-for-self-signed-ssl-certificate

Perhaps this will help you?

Aki

> On 04/05/2020 19:03 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>
> == resend to list = requested by list owner
> On 4/30/20 2:47 PM, hanasaki at gmail.com wrote:
> > I would expect the public cert to be imported as a "server" not an "auth"
> > The attached image shows that TBird wants an httpS url for a webserver, for the source.
> > Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list. A bit confused by this.
> >
> > <see attached thunderbird image>
> >
> > On 4/30/20 2:41 PM, Aki Tuomi wrote:
> > > I see. You need to import the cert into Thunderbird's trusted ca certs.
> > >
> > > Aki
> > > > On 30/04/2020 21:36 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > This is a selfsigned cert. Both of the below methods were used.
> > > >
> > > > May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?
> > > >
> > > > The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.
> > > >
> > > > Separately, what are your thoughts as to why evolution works and thunderbird does not?
> > > >
> > > > Thank you,
> > > >
> > > > ==1
> > > >
> > > > openssl genrsa -out key.pem 2048
> > > >
> > > > openssl req -new -sha512 -key key.pem -out csr.csr
> > > >
> > > > openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
> > > > openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
> > > >
> > > > ==2
> > > > openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
> > > >
> > > > On 4/30/20 8:11 AM, Aki Tuomi wrote:
> > > > > > On 30/04/2020 14:49 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
> > > > >>
> > > > >> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.
> > > > >>
> > > > >> Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. The cert created does work with evolution; just not thunderbird.
> > > > >>
> > > > >> Thoughts?
> > > > >>
> > > > >> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
> > > > >> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
> > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
> > > > >> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
> > > > >>
> > > > >> reference
> > > > >> http://forums.debian.net/viewtopic.php?f=5&t=145849
> > > > > You are missing intermediate certs from your certfile. Put them after cert in order towards root.
> > > > >
> > > > > ---
> > > > > Aki Tuomi
> > >
> > > ---
> > > Aki Tuomi
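
The `where=` and `ret=` fields in the debug lines quoted in this thread are the raw arguments of OpenSSL's info callback. The Python sketch below is an added example, not code from the thread or from Dovecot; it decodes them and shows that `where=0x4004, ret=554` is a fatal bad_certificate alert read from the peer, that is, sent by the mail client. The names `decode` and `SAMPLE` are illustrative.

```python
import re

# OpenSSL info-callback bits from <openssl/ssl.h>.
SSL_ST_CONNECT, SSL_ST_ACCEPT = 0x1000, 0x2000
SSL_CB_EXIT, SSL_CB_READ = 0x02, 0x04
SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE = 0x10, 0x20
SSL_CB_ALERT = 0x4000

LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS alert descriptions (RFC 8446, section 6).
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca"}

FIELDS = re.compile(r"SSL(?: alert)?: where=(0x[0-9a-fA-F]+), ret=(-?\d+)")

def decode(line):
    """Decode the where=/ret= pair of one imap-login debug line, or None."""
    m = FIELDS.search(line)
    if m is None:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    if where & SSL_CB_ALERT:
        # For alert callbacks, ret packs (level << 8) | description.
        sender = "peer" if where & SSL_CB_READ else "local"
        return {"event": "alert", "sender": sender,
                "level": LEVELS.get(ret >> 8, "unknown"),
                "alert": ALERTS.get(ret & 0xFF, str(ret & 0xFF))}
    if where & SSL_CB_HANDSHAKE_START:
        event = "handshake_start"
    elif where & SSL_CB_HANDSHAKE_DONE:
        event = "handshake_done"
    else:
        event = "exit" if where & SSL_CB_EXIT else "loop"
    role = "accept" if where & SSL_ST_ACCEPT else (
        "connect" if where & SSL_ST_CONNECT else None)
    return {"event": event, "role": role, "ret": ret}

# Three lines copied from the log quoted in the thread.
SAMPLE = [
    "Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization",
    "Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data",
    "Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode(line))
```

Because the alert arrives from the client, the server log records only that the client rejected the certificate, not why; the client's own certificate error holds the reason.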