[Dovecot] SSL with startssl.com certificates

Noel Butler noel.butler at ausics.net
Thu Oct 10 06:36:55 EEST 2013


I can't recall if we previously discussed it, but why the fascination 
with imaps? Why not use TLS on 143, or won't that connect either? Tried 
pop3 TLS? pop3s?

and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, 
login is re


auth_mechanisms = plain login



On 10/10/2013 10:51, Dan Langille wrote:
> On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
> 
>> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>> 
>>> I would imaging that 4k bits certificate handshake and validation can
>>> take more then 1 sec..
>>> Am I right about it?
>> 
>> hardly
>> 
>> and the size is not his problem.
>> 
>> he was given a test account on my network when I last saw this thread 
>> (few weeks back?), that uses startssl, and 4096 certs, his mail.app 
>> connected fine.
> 
> I would like to investigate that more if you like.  Others have
> experienced problems connecting to my test server.  I can't believe I've
> created a non-functional Dovecot configuration.
> 
> One avenue I will pursue: if I swap from 4096 to 2048, why does it work?
> 
> Here is a connection with a 4096 cert:
> 
> $ openssl s_ s_client -connect imaps.unixathome.org:993
> CONNECTED(00000003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0
> s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel
> Langille/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> ---
> 
> 
> Here it is with a 2048 cert:
> 
> $ openssl s_client -connect imaps.unixathome.org:993
> CONNECTED(00000003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0
> s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel
> Langille/CN=test1.langille.org/emailAddress=postmaster at langille.org
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> 
> The only thing I change in the configuration is:
> 
> # MY KEYS
> #ssl_cert = </usr/local/etc/ssl/dovecot.pem
> #ssl_key  = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> 
> # My 2048 key
> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
> ssl_key  = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
> 
> Current configuration is:
> 
> # doveconf -n
> # 2.2.6: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=SHA512-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     address = 199.233.228.197
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
> ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
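As an added example, not from the thread or from Dovecot: a small parser for the `openssl s_client` output quoted above that turns "verify error:num=19" and the chain listing into concrete findings. It uses a constructed, shortened copy of the quoted output as sample input and assumes nothing beyond the line shapes visible in that output.

```python
import re

# Constructed sample in the shape of the s_client output quoted in the thread
# (DNs shortened to one line each; only chain lines and verify lines matter).
SAMPLE = """\
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=Daniel Langille/CN=imaps.unixathome.org
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        s = line.strip()
        if re.fullmatch(r"\d+", s):            # bare index (mail-wrapped output)
            continue
        m = re.match(r"(?:\d+\s+)?s:(.*)", s)  # " 0 s:/C=..." or "s:/C=..."
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"i:(.*)", s)             # "   i:/C=..." issuer line
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def verify_errors(output):
    """All 'verify error:num=N' codes reported by s_client."""
    return [int(m.group(1)) for m in re.finditer(r"verify error:num=(\d+):", output)]

def diagnose(output):
    """Explain what the client saw: chain linkage, sent root, trust-store gap."""
    chain, findings = parse_chain(output), []
    for n in range(len(chain) - 1):            # issuer of n must be subject of n+1
        if chain[n][1] != chain[n + 1][0]:
            findings.append(f"chain break between cert {n} and cert {n + 1}")
    if chain and chain[-1][0] == chain[-1][1]:
        findings.append("server sends the self-signed root; clients must already trust it")
    if 19 in verify_errors(output):
        findings.append("verify error 19: root not in client trust store; re-test with -CAfile <root>.pem")
    return findings
```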
