[Dovecot] SSL issues on separate IPs

Tim Traver tt-list at simplenet.com
Fri Dec 3 04:15:04 EET 2010

Hi Timo,

I have set up 2.0.7 to answer on several different IPs with different
SSL certs, like the following:

local 209.132.xx.4 {
ssl_cert = </shared/templates/res/1040/certs/*.xxxxx.com.crt-pem-298
ssl_key = </shared/templates/res/1040/certs/*.xxxxx.com.key-298
}

I have several of these, and there appears to be a problem with one in
particular that is dropping connections, and I'm not sure why.

In this case it is a wildcard cert issued from GoDaddy, and I have the
cert file in PEM format with the chain on it. I have another completely
separate local IP setup with a different cert on it that works without
any problems.

This particular one drops the connection when I try to connect to IMAP
using TLS on port 143, or using the IMAP SSL port of 993. When I try it
using Thunderbird, I am using the default settings for both tests.

The Thunderbird error I get is "The server has disconnected. The server
may have gone down or there may be a network problem." I don't see any
errors in the dovecot error log or the system error log, and when using
doveadm who to view the current connections, it does not show a
connection. I tried enabling the logs for SSL errors, but nothing
appears for my IP when attempting to connect.

FreeBSD 8.1 with OpenSSL 0.9.8n. The IPs are on the box and are on the
loopback interface, if that makes any difference for a direct server
return load balancing system.

But I don't know how that would make a difference, since one of the
separated IPs works with its cert, and the other one disconnects.

Here is my dovecot -n output:

# 2.0.7: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.1-STABLE i386
auth_username_format = %Lu
auth_username_translation = %@
auth_verbose = yes
disable_plaintext_auth = no
dotlock_use_excl = yes
first_valid_uid = 100
listen = *
lock_method = dotlock
log_path = /local/logs/dovecot.errors
mail_fsync = always
mail_gid = 100
mail_location = maildir:%h/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
mail_uid = 100
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date imapflags notify
mmap_disable = yes
passdb {
  args = /bin/checkpassword_dovecot_auth
  driver = checkpassword
plugin {
  quota = maildir:User quota
  quota_rule = Trash:storage=+100M
  sieve = ~/.dovecot.sieve
  sieve_after = /home/mailboxes/sieve/to_spam_folder.sieve
  sieve_dir = ~/Maildir/sieve
  sieve_extensions = +notify +imapflags
protocols = imap pop3 sieve
service auth {
  unix_listener auth-userdb {
    group = sn
    mode = 0600
    user = sn
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = prefetch
userdb {
  args = /bin/checkpassword_dovecot_deliver
  driver = checkpassword
verbose_proctitle = yes
verbose_ssl = yes
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocol lda {
  info_log_path = /local/logs/dovecot-deliver.log
  log_path = /local/logs/dovecot-deliver-errors.log
  mail_plugins = " quota sieve"
protocol imap {
  mail_plugins = " quota imap_quota"
protocol sieve {
  managesieve_sieve_capability = comparator-i;ascii-numeric fileinto
reject vacation imap4flags notify include envelope body relational regex
subaddress copy
local {
  ssl_cert = </shared/templates/res/1040/certs/*.xxxxx.com.crt-pem-298
  ssl_key = </shared/templates/res/1040/certs/*.xxxxx.com.key-298
local {
  ssl_cert = </shared/templates/res/1000/certs/*.ssl.xxxxx.com.crt-278
  ssl_key = </shared/templates/res/1000/certs/*.ssl.xxxxx.com.key-278
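
When a TLS handshake fails with nothing in the Dovecot or SSL logs, a structural check of the files behind ssl_cert and ssl_key is a cheap first step: mismatched BEGIN/END markers, broken base64, a key pasted into the cert bundle, or a missing chain. The linter below is an added example, not code from the post or from Dovecot; the PEM blocks it runs on are constructed from arbitrary bytes and are not real certificates.

```python
import base64
import re

# Constructed test data: the bodies are base64 of arbitrary bytes, not real
# X.509 or key material. GOOD_BUNDLE models a leaf cert with one chain cert
# appended; BROKEN_BUNDLE models a hand-edited file that went wrong.
def _fake_block(kind: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {kind}-----\n{body}-----END {kind}-----\n"

GOOD_BUNDLE = (_fake_block("CERTIFICATE", b"leaf" * 20)
               + _fake_block("CERTIFICATE", b"intermediate" * 10))
BROKEN_BUNDLE = ("-----BEGIN CERTIFICATE-----\nTm90QmFzZTY0IQ==!!\n"
                 "-----END RSA PRIVATE KEY-----\n"
                 + _fake_block("RSA PRIVATE KEY", b"secret" * 8))

# One PEM block: BEGIN marker, body, END marker (bodies may span lines).
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def lint_pem(text: str, expect: str) -> list[str]:
    """Return problems found in a PEM file meant for Dovecot's ssl_cert
    (expect="cert": leaf plus chain) or ssl_key (expect="key": one key).
    An empty list means the file is structurally sane."""
    problems = []
    blocks = BLOCK_RE.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    for i, (begin, body, end) in enumerate(blocks, 1):
        if begin != end:
            problems.append(f"block {i}: BEGIN {begin} closed by END {end}")
        try:
            # validate=True rejects anything outside the base64 alphabet
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
        is_key = "PRIVATE KEY" in begin
        if expect == "cert" and is_key:
            problems.append(f"block {i}: private key inside the certificate file")
        if expect == "key" and not is_key:
            problems.append(f"block {i}: {begin} block inside the key file")
    kinds = [b for b, _, _ in blocks]
    if expect == "cert" and kinds.count("CERTIFICATE") < 2:
        problems.append("only one CERTIFICATE block: no chain appended")
    if expect == "key" and len(blocks) != 1:
        problems.append(f"{len(blocks)} blocks in key file, expected exactly 1")
    return problems

if __name__ == "__main__":
    for name, text in (("good", GOOD_BUNDLE), ("broken", BROKEN_BUNDLE)):
        print(name, lint_pem(text, "cert") or ["ok"])
```

Run it against the real files referenced by each local block (strip the leading `<` from the config value) to compare the working IP's files with the failing one.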

More information about the dovecot mailing list