[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Wed Oct 9 01:16:19 EEST 2013


On Oct 8, 2013, at 8:59 AM, Dan Langille wrote:

> On 2013-10-07 13:57, Bruno Tréguier wrote:
>> On 06/10/2013 at 22:42, Dan Langille wrote:
>>> After a long delay, I'm ready to tackle this again.
>>> [...]
>>> Testing via the command line gives:
>>> $ openssl s_client -connect imaps.unixathome.org:993
>>> CONNECTED(00000003)
>>> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>> Ok, this is fine, and different from the result you were getting a few
>> weeks ago. Your cert chain is ok, it seems. The "error:num=19:self signed
>> certificate in certificate chain" is a "normal" error, due to the fact
>> that you didn't tell openssl where to find a list of valid root certs.
>> All looks good.
>>> /var/log/maillog shows:
>>> Oct  6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>, method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS, session=<fYUwEhjoVgBib5Pc>
>>> Oct  6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26 out=691
>>> I have Thunderbird working just fine on my Macbook.
>>> But my goal is mail.app on my iPhone and my Macbook.  When they try to connect, the mail server logs are:
>>> Oct  6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>>> Oct  6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>
>>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17 installation.  That's my current IMAP server.  I'm moving to another server and failing so far.
>>> Suggestions to use another client app or platform will not be entertained, because, clearly, this works with dovecot 1.
>> Well, sorry but no further suggestions as far as I'm concerned then,
>> except that some people tend to think that mail.app is pretty crappy and
>> behaves quite strangely in certain situations...
> 
> I have given up. As much as I'd like to solve this problem, I must move on.  I will resort to self-signed certificates.[1]  I had hoped to resolve the issue so that others can use the solution.
> 
> My thanks to those that have offered suggestions and help.
> 
> [1] - FYI, I am the only user of this IMAP server.


The problem *may* be with 4096 bit certificates. I've been able to connect with a 2048-bit, but not with a 4096-bit.

More testing to be done.

-- 
Dan Langille - http://langille.org
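A small diagnostic that pairs the two checks this thread circles around: verifying the served chain against a real root bundle (so the "self signed certificate in certificate chain" error is not reported merely because openssl was given no roots) and reading the key size of the leaf certificate the server actually sends, to confirm or rule out the 2048-vs-4096-bit hypothesis. This is an added example, not code from the thread or from Dovecot; the CA_FILE path is a placeholder and the host/port are arguments you supply.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes the openssl CLI is installed
# and that CA_FILE points at the root bundle for the issuing CA (placeholder path).
set -eu

CA_FILE=${CA_FILE:-/path/to/startcom-root-bundle.pem}   # placeholder, set it yourself

# Print the public-key size (in bits) of the first PEM certificate on stdin.
# In s_client -showcerts output the first certificate is the server's leaf cert.
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x).
leaf_key_bits() {
    openssl x509 -noout -text 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
      | head -n 1
}

# Connect to an IMAPS server, verify its chain against CA_FILE, and report
# the verify result alongside the leaf key size. With a proper CA file the
# expected result is "Verify return code: 0 (ok)"; any other code is a real
# chain problem rather than the "no roots configured" artefact seen in the thread.
check_imaps() {
    host=$1
    port=${2:-993}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$CA_FILE" -showcerts </dev/null 2>&1 || true)
    printf '%s\n' "$out" | grep -E '^(Verify return code|verify error)' || true
    printf 'leaf key size: %s bits\n' "$(printf '%s\n' "$out" | leaf_key_bits)"
}

# Usage: sh check-imaps.sh imaps.example.org [993]
if [ $# -gt 0 ]; then
    check_imaps "$@"
fi
```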


