[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Thu Oct 10 21:16:44 EEST 2013


On Oct 9, 2013, at 11:36 PM, Noel Butler wrote:

> I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or wont that connect either?

Yes, neither TLS nor IMAPS will connect.

> tried pop3 TLS ? pop3s?

I have not.

My next step will be setting up a non-dovecot IMAP server and test the same certificates there.

> and when you test, use -CAfile /path/to/(startssl's)CA.pem

When I do that, I get:

$ openssl s_client -t -CAfile /usr/local/share/certs/ca-root-nss.crt -connect imaps.unixathome.org:993 
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
verify return:1
---

…. lots snipped

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4098 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C9D4AF8FA11CF6EF00E367BC1B45BA465668AEAE595BF3925FC679C7816CE023
    Session-ID-ctx: 
    Master-Key: AA0B04AB1C93688C089349A0137D99B5E65303F58A322397509284AE224B37149F76C8C1CD2A7BAC12BEA8E190468598
    Key-Arg   : None
    Start Time: 1381428914
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

All looks good?

> I see no auth mech statement, so using the default is limited, IIRC, login is re
> 
> 
> auth_mechanisms = plain login


But that's OK, right?

> On 10/10/2013 10:51, Dan Langille wrote:
>> On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:
>>> On 10/10/2013 06:09, Eliezer Croitoru wrote:
>>>> I would imagine that a 4k-bit certificate handshake and validation can
>>>> take more than 1 sec.
>>>> Am I right about it?
>>> hardly
>>> and the size is not his problem.
>>> he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
>> I would like to investigate that more if you like.  Others have
>> experienced problems connecting to my test server.  I can't believe I've
>> created a non-functional Dovecot configuration.
>> One avenue I will pursue: if I swap from 4096 to 2048, why does it work?
>> Here is a connection with a 4096 cert:
>> $ openssl s_client -connect imaps.unixathome.org:993
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>> 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel
>> Langille/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>> 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> ---
>> Here is it with a 2048 cert:
>> $ openssl s_client -connect imaps.unixathome.org:993
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>> 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel
>> Langille/CN=test1.langille.org/emailAddress=postmaster at langille.org
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>> 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> The only thing I change in the configuration is:
>> # MY KEYS
>> #ssl_cert = </usr/local/etc/ssl/dovecot.pem
>> #ssl_key  = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>> # My 2048 key
>> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
>> ssl_key  = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
>> Current configuration is:
>> # doveconf -n
>> # 2.2.6: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 9.1-RELEASE-p6 amd64
>> auth_debug = yes
>> auth_verbose = yes
>> first_valid_gid = 1001
>> first_valid_uid = 1001
>> mail_debug = yes
>> mail_location = maildir:~/Maildir
>> mail_privileged_group = mail
>> passdb {
>>  args = scheme=SHA512-CRYPT /var/db/dovecot.users
>>  driver = passwd-file
>> }
>> protocols = imap
>> service imap-login {
>>  inet_listener imap {
>>    address = 199.233.228.197
>>  }
>>  inet_listener imaps {
>>    address = 199.233.228.197
>>  }
>> }
>> ssl_ca = </usr/local/etc/ssl/sub.class2.server.ca.pem
>> ssl_cert = </usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
>> ssl_key = </usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
>> userdb {
>>  args = /var/db/dovecot.users
>>  driver = passwd-file
>> }
>> verbose_proctitle = yes

-- 
Dan Langille - http://langille.org
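
An added example, not from the thread: a small parser for the `openssl s_client` output shape pasted above, which flags what a defender checks when a chain verifies with -CAfile but not without it: a served chain that includes the self-signed root, verify error 19 (the client has no trust anchor), and a leaf CN that does not match the host actually connected to (the 2048-bit test cert is for test1.langille.org but is served on imaps.unixathome.org). The sample text is constructed and abridged from the thread's output, not a verbatim capture.

```python
import re

# Constructed, abridged sample shaped like the thread's s_client output (no -CAfile).
SAMPLE = """CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=Daniel Langille/CN=test1.langille.org
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
Server public key is 2048 bit
    Verify return code: 19 (self signed certificate in certificate chain)
"""

def cn(dn):
    """Extract the CN attribute from an OpenSSL one-line DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else None

def parse_s_client(text):
    """Pull chain (subject, issuer) pairs, verify error, key size and final code."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M)
    err = re.search(r"verify error:num=(\d+):(.*)", text)
    bits = re.search(r"Server public key is (\d+) bit", text)
    code = re.search(r"Verify return code: (\d+)", text)
    return {"chain": [(s.strip(), i.strip()) for s, i in pairs],
            "verify_error": int(err.group(1)) if err else None,
            "key_bits": int(bits.group(1)) if bits else None,
            "verify_code": int(code.group(1)) if code else None}

def audit(text, expected_host):
    """Return (parsed, findings) for the host the client actually connected to."""
    r, findings = parse_s_client(text), []
    if r["chain"]:
        leaf = cn(r["chain"][0][0])
        if leaf != expected_host:
            findings.append(f"leaf CN {leaf!r} does not match {expected_host!r}")
        subj, issuer = r["chain"][-1]
        if subj == issuer:
            findings.append("served chain includes the self-signed root")
    if r["verify_error"] == 19:
        findings.append("error 19: client has no trust anchor; retry with -CAfile")
    return r, findings
```

Feed it the real capture (`openssl s_client -connect host:993 </dev/null 2>&1`) and the host you connected to; a clean run with -CAfile should leave only the root-in-chain note, if that.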
