[Dovecot] SSL issues on separate IPs

Tom Talpey tom at talpey.com
Fri Dec 3 07:53:20 EET 2010

On 12/3/2010 12:46 AM, Tim Traver wrote:
> Timo,
> ok, I have more info from your suggestion to use the openssl test client
> connect.
> I do have about a dozen more configs on different IPs, and they seem to
> work. I just didn't include them.
> I get the following error when trying to connect to that IP :
> [root at mta2]# openssl s_client -connect 209.132.xx.4:993
> CONNECTED(00000003)
> 28579:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:188:
> which basically says it's an SSL handshake error. I did have the
> verbose_ssl log directive on, and didn't see anything in the dovecot log
> about the handshake failing. The strange thing is that this cert is used
> for apache https as well, and there are no issues with the handshake in
> apache...
> I guess I will go and make sure the chain and CA certs are the proper
> ones from godaddy. I hate chain certs...

Good plan. I had a similar problem getting fetchmail to connect to
godaddy-cert'ed servers when the certificate chain verification failed
because the CA root cert was not present on my client.

To find it, I had to export from the Windows default certstore to get
a copy. It did not identify itself very well, the OU was "ValiCert
Class 2 Policy Validation Authority" but it appeared in the certmgr
gui only as "http://www.valicert.com" (under 3rd party root certs).
I believe the same one is in the Firefox certstore though, you can
probably find it there.

> So, I guess I'm not sure if it is dovecot or not yet, although it is
> kind of strange that nothing is written in the logs about the handshake
> failing.
> Tim.
> On 12/2/2010 8:47 PM, Timo Sirainen wrote:
>> On 3.12.2010, at 2.15, Tim Traver wrote:
>>> local 209.132.xx.4 {
>>> ssl_cert =</shared/templates/res/1040/certs/*.xxxxx.com.crt-pem-298
>>> ssl_key =</shared/templates/res/1040/certs/*.xxxxx.com.key-298
>>> }
>>> I have several of these, and there appears to be a problem with one in
>>> particular that is dropping connections, and I'm not sure why.
>> Your doveconf output has two and here you say several. So are there multiple ones that work or only one?
>>> This particular one drops the connection when I try to connect to IMAP
>>> using TLS on port 143, or using the IMAP SSL port of 993. When I try it
>>> using Thunderbird, I am using the default settings for both tests.
>> Test with openssl s_client -connect localhost:993
>>> The Thunderbird error I get is "The server has disconnected. The server
>>> may have gone down or there may be a network problem." I don't see any
>>> errors in the dovecot error log or the system error log, and when using
>>> doveadm who to view the current connections, it does not show a
>>> connection. I tried enabling the logs for SSL errors, but nothing
>>> appears for my IP when attempting to connect.
>> Set verbose_ssl=yes to log more stuff about SSL.
>>> But, I don't know how that would make a difference since one of the
>>> separated IPs works with its cert, and the other one disconnects.
>> Would be easiest if you could test with a simple setup where there is only a single SSL cert. Then it would be clear if the problem has to do with SSL cert itself or about the per-IP settings.
>> If it has to do with SSL cert, you could also try if you can connect with s_client to openssl s_server running with that cert.
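The two checks this thread circles around, whether the server's cert chains to a root the client actually has (Tom's missing ValiCert root) and whether the cert and key handed to dovecot belong together, can be run from the shell before pointing s_client or Thunderbird at port 993. The script below is an added example, not part of the thread: it builds a constructed three-level PKI (Demo Root CA, Demo Intermediate CA, imap.example.test) in a temp directory in place of the real godaddy certificates and the /shared/templates paths in Tim's config, then shows the verification failing without the intermediate, succeeding with it, and the cert/key mismatch case.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed throwaway PKI:
#   root.crt -> intermediate.crt -> leaf.crt   (1-day validity, demo names)
# WORK defaults to a fresh temp directory; every path below is an assumption.
WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
  ext="$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$ext"

  # Root CA: CSR self-signed with x509 -req so the CA:TRUE extension comes
  # from our extfile and not from whatever openssl.cnf is installed.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$ext" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA signed by the root: the "chain cert" a server must send.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/intermediate.csr" -extfile "$ext" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/intermediate.crt" >/dev/null 2>&1

  # Leaf (server) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -out "$WORK/leaf.crt" >/dev/null 2>&1

  # An unrelated key, to show what a cert/key mismatch looks like.
  openssl genrsa -out "$WORK/wrong.key" 2048 >/dev/null 2>&1
}

# Prints OK when leaf $1 chains to a root in bundle $2. $3 is an optional
# file of untrusted intermediates, the equivalent of what the server sends
# during the handshake; without it a leaf issued by an intermediate fails
# with "unable to get local issuer certificate", which is what a client
# missing the root (or a server missing the chain) sees.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Prints OK when private key $2 belongs to certificate $1, by comparing the
# SubjectPublicKeyInfo each carries (same check either way, RSA or EC).
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] && echo OK || echo FAIL
}

# Writes the file an ssl_cert = </path setting should point at: the leaf
# first, then the intermediate(s). The root is left out on purpose; the
# client has to trust it already, which was exactly Tom's fetchmail problem.
build_server_chain() {
  cat "$WORK/leaf.crt" "$WORK/intermediate.crt" > "$WORK/server-chain.pem"
  echo "$WORK/server-chain.pem"
}

make_test_pki
echo "leaf vs root only:            $(verify_chain "$WORK/leaf.crt" "$WORK/root.crt")"
echo "leaf vs root + intermediate:  $(verify_chain "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/intermediate.crt")"
echo "leaf.crt / leaf.key:          $(key_matches_cert "$WORK/leaf.crt" "$WORK/leaf.key")"
echo "leaf.crt / wrong.key:         $(key_matches_cert "$WORK/leaf.crt" "$WORK/wrong.key")"
echo "chain file for ssl_cert:      $(build_server_chain)"
```

The first verify line is the state Tim's broken IP is probably in: a leaf that is valid but that nobody can build a path for. Once the chain file is in place, `openssl s_client -connect host:993 -CAfile root.crt` should report `Verify return code: 0 (ok)`, and the s_server round-trip Timo suggests is the same test with the cert/key pair loaded on the server side.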
