[Dovecot] Dovecot with SSL Client Certification

Evaggelos Balaskas ebalaskas at ebalaskas.gr
Thu Jul 30 20:37:52 EEST 2009


Hi,

I have been trying to set up Dovecot over SSL for the last couple of days, unsuccessfully.

My notes are from here: http://wiki.dovecot.org/SSL

My OpenSSL commands are:

mkdir -pv /opt/certificates/dovecot/
cd !$

(just to prevent questions about Common Name)
[ebal at myhome:~]$ hostname
myhome

openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825

# Country Name (2 letter code) [AU]:GR
# State or Province Name (full name) [Some-State]:Athens
# Locality Name (eg, city) []:Aigaleo
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
# Organizational Unit Name (eg, section) []:Mail Apps
# Common Name (eg, YOUR name) []:myhome
# Email Address []:ebalaskas at ebalaskas.gr

openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
 -name "dovecot Certificate Client" -out dovecot.p12

openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign

I've imported dovecot.p12 into Thunderbird's certificates and
dovecot.crt into Thunderbird's authorities
(I've tried Claws Mail too - same errors).

My dovecot.conf is this:

[root at myhome dovecot]# dovecot -n
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686  ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
ssl_key_file: /opt/certificates/dovecot/dovecot.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX
mail_debug: yes
lda:
  postmaster_address: ebalaskas at ebalaskas.gr
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd

My /var/log/dovecot.log:

Jul 30 20:14:52 Info: Dovecot v1.2.2 starting up (core dumps disabled)
Jul 30 20:14:52 Info: Generating Diffie-Hellman parameters for the first time. This may take a while..
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5872
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5873
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5874
Jul 30 20:15:16 ssl-build-param: Info: SSL parameters regeneration completed
Jul 30 20:15:17 auth(default): Info: new auth connection: pid=5898
Jul 30 20:15:18 imap-login: Info: Disconnected (client didn't send a cert): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Any ideas?

Evaggelos Balaskas
Unix System Engineer - http://ebalaskas.gr/wiki
Informatics Engineer Technological Education
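As an added example (not part of the original post, and not Dovecot's own code), a small Python check that parses `dovecot -n` style output like the one above and inspects the PEM block types inside the configured `ssl_ca_file`. Dovecot expects that file to hold the CA certificate that issued the client certificates (a CRL may be appended to it but is not usable on its own), so a file containing only a CRL is reported. The paths and PEM bodies in the sample are constructed placeholders, not real key material.

```python
import re

# One PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Return the PEM labels ('CERTIFICATE', 'X509 CRL', ...) found, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def parse_dovecot_n(output):
    """Collect top-level 'key: value' settings from `dovecot -n` output.
    Comment lines, indented (nested) lines and block openers like 'lda:' are skipped."""
    settings = {}
    for line in output.splitlines():
        if not line or line[0] in "# " or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            settings[key.strip()] = value.strip()
    return settings

def check_client_cert_config(settings, read_file):
    """Return a list of findings; an empty list means the CA file setting looks usable.
    read_file(path) -> str supplies the PEM text, so the check runs offline."""
    if settings.get("ssl_verify_client_cert") != "yes":
        return []                                   # client certs are not requested
    ca_path = settings.get("ssl_ca_file")
    if not ca_path:
        return ["ssl_verify_client_cert is yes but ssl_ca_file is unset"]
    types = pem_block_types(read_file(ca_path))
    if "CERTIFICATE" in types:
        return []
    return [f"{ca_path}: no CERTIFICATE block, only {types or 'nothing parseable'}; "
            "the list of acceptable CAs sent to clients will be empty"]

# Constructed sample input: the ssl settings from the post plus placeholder PEM files.
SAMPLE_CONFIG = """# 1.2.2: /usr/local/etc/dovecot.conf
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
ssl_key_file: /opt/certificates/dovecot/dovecot.key
ssl_verify_client_cert: yes
auth default:
  ssl_require_client_cert: yes
"""
SAMPLE_FILES = {
    "/opt/certificates/dovecot/dovecot.crl": "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n",
    "/opt/certificates/dovecot/dovecot.crt": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for finding in check_client_cert_config(parse_dovecot_n(SAMPLE_CONFIG), SAMPLE_FILES.__getitem__):
        print("WARNING:", finding)
```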

