[Dovecot] SSL issues on separate IPs

Tim Traver tt-list at simplenet.com
Fri Dec 3 07:46:32 EET 2010


ok, I have more info from your suggestion to use the openssl test client

I do have about a dozen more configs on different IP's, and they seem to
work. I just didn't include them.

I get the following error when trying to connect to that IP :

[root at mta2]# openssl s_client -connect 209.132.xx.4:993
28579:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake

which basically says its an SSL handshake error. I did have the
verbose_ssl log directive on, and didn't see anything in the dovecot log
about the handshake failing. The strange thing is that this cert is used
for apache https as well, and there are no issues with the handshake in

I guess I will go and make sure the chain and CA certs are the proper
ones from godaddy. I hate chain certs...

So, I guess I'm not sure if it is dovecot or not yet, although it is
kind of strange that nothing is written in the logs about the handshake


On 12/2/2010 8:47 PM, Timo Sirainen wrote:
> On 3.12.2010, at 2.15, Tim Traver wrote:
>> local 209.132.xx.4 {
>> ssl_cert = </shared/templates/res/1040/certs/*.xxxxx.com.crt-pem-298
>> ssl_key = </shared/templates/res/1040/certs/*.xxxxx.com.key-298
>> }
>> I have several of these, and there appears to be a problem with one in
>> particular that is dropping connections, and I'm not sure why.
> Your doveconf output has two and here you say several. So are there multiple ones that work or only one?
>> This particular one drops the connection when I try to connect to IMAP
>> using TLS on port 143, or using the IMAP SSL port of 993. When I try it
>> using Thunderbird, I am using the default settings for both tests.
> Test with openssl s_client -connect localhost:993
>> The Thunderbird error I get is "The server has disconnected. The server
>> may have gone down or there may be a network problem." I don't see any
>> errors in the dovecot error log or the system error log, and when using
>> doveadm who to view the current connections, it does not show a
>> connection. I tried enabling the logs for SSL errors, but nothing
>> appears for my IP when attempting to connect.
> Set verbose_ssl=yes to log more stuff about SSL.
>> But, I don't know how that would make a difference since one of the
>> separated IP's works with its cert, and the other one disconnects.
> Would be easiest if you could test with a simple setup where there is only a single SSL cert. Then it would be clear if the problem has to do with SSL cert itself or about the per-IP settings.
> If it has to do with SSL cert, you could also try if you can connect with s_client to openssl s_server running with that cert.

More information about the dovecot mailing list