Dovecot 2.0.9
So I am trying to get my Outlook 2010 client to use TLS with Dovecot.
The Outlook error that I get is:
Log onto incoming mail server (IMAP): A secure connection to the server cannot be established.
I have set the port to 143, 993 and 995 (none of them work) and the security to TLS.
I have all of the certificates in the full chain installed on my machine, and when viewing them they all show "This certificate is OK".
I have turned on Outlook logging and am seeing this:
C:\PROGRA~2\MICROS~2\Office14\OUTLMIME.DLL
IMAP: 14:48:40 [db] Intializing connection [131383B0]
IMAP: 14:48:40 [db] Setting internal codepage to 1200
IMAP: 14:48:40 [db] Connecting to 'mail.mydomain.com' on port 143.
IMAP: 14:48:40 [db] OnNotify: asOld = 0, asNew = 2, ae = 0
IMAP: 14:48:40 [db] srv_name = "mail.mydomain.com" srv_addr = 174.46.198.101:143
IMAP: 14:48:40 [db] OnNotify: asOld = 2, asNew = 3, ae = 1
IMAP: 14:48:40 [db] OnNotify: asOld = 3, asNew = 4, ae = 0
IMAP: 14:48:40 [db] OnNotify: asOld = 4, asNew = 5, ae = 2
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 4
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. <----- not seeing the STARTTLS capability here.
IMAP: 14:48:40 [tx] sx59 CAPABILITY
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 14:48:40 [rx] * CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN
IMAP: 14:48:40 [rx] sx59 OK Capability completed.
IMAP: 14:48:40 [db] ERROR: "A secure connection to the server cannot be established.", hr=0x800CCCE1
IMAP: 14:48:40 [db] Connection to 'mail.mydomain.com' closed.
IMAP: 14:48:40 [db] OnNotify: asOld = 5, asNew = 0, ae = 5
From a Windows 7 client, if I do a telnet mail.mydomain.com 143, I get:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. <--- do not see STARTTLS in the capability list.
Same Windows client:
C:\OpenSSL-Win64\bin>openssl.exe s_client -connect mail.mydomain.com:993
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(0000018C)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate <--- Yes, I see this and it may be an issue, but this certificate exists and is valid.
verify return:0
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
No client certificate CA names sent
SSL handshake has read 5169 bytes and written 497 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID:
281D21C81FA6E7656B9CA2BD13590DDE0094CC8FA43FFD31DFEEDEC74F2511BF
Session-ID-ctx:
Master-Key:
AF36CFDBBAA955270A48E2E9740F671299511DA1B3EEAFFAEC582E100DE519EC7CBC612ED686 DBBBFE06B9D6E535B837
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1418336961
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
e logout
closed
From a Linux client I get:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
I do see STARTTLS here.
From a Linux client:
openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.mydomain.com
verify return:1
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVjCCBD6gAwIBAgIQWCEHgEVoKToQkXoG3+g1cTANBgkqhkiG9w0BAQsFADCB
fs2e2XCjkEVu/YR7exKkmTf9wkhZ+tD0+S8=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
No client certificate CA names sent
SSL handshake has read 5169 bytes and written 453 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID:
8357FF1D37476EEF1BE64DE443EFFBBED9CE375EA8CA5F1C5ED628B52E723D8F
Session-ID-ctx:
Master-Key:
D6906D40FF47E7ED278AF4D0B143407A53955DA97365A09881EA0C68AAF3B879CB3136A7783B 18A46FD0A0634CBDC17D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1418337012
Timeout : 300 (sec)
Verify return code: 0 (ok)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
e logout
closed
doveconf -n | grep ssl
# 2.0.9: /etc/dovecot/dovecot.conf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
ssl_key = </etc/pki/dovecot/private/dovecot.key
On Thu, 11 Dec 2014, Wayne Andersen wrote:
993 is IMAP-over-SSL, which is probably not named "TLS", but "SSL" in Outlook. Usually "TLS" means to use STARTTLS. See: http://www.cs.umd.edu/faq/mailclient/outlook.html But there are a lot of different Outlook versions and different names for settings.
> IMAP: 14:48:40 [db] srv_name = "mail.mydomain.com" srv_addr = 174.46.198.101:143
Is this IP correct?
Do you have a local firewall or a Cisco router between this client and the server? Some firewalls filter out STARTTLS in order to scan the transferred content.
openssl does not guess certificates; you need to specify them on the command line.
Does this client run in the same network as the Windows client?
Steffen Kaiser
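To make the firewall check above concrete, here is an added Python script (not from the thread or from Dovecot) that parses the CAPABILITY response code in an IMAP greeting and diffs what the Windows client saw against what the server itself sends; the two greeting strings are the ones pasted earlier in the thread, while probe() and its host/port arguments are assumptions for a live check.

```python
"""Check whether an IMAP greeting advertises STARTTLS and diff the
capability sets seen from two vantage points.  Added example; the two
greeting strings are copied from the thread, probe() is an assumption."""
import re
import socket

# Untagged greeting with a CAPABILITY response code: "* OK [CAPABILITY ...] text"
CAP_RE = re.compile(r"\* OK \[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting: str) -> set[str]:
    """Return the capability atoms from an IMAP greeting line.
    Capability names are case-insensitive, so normalise to upper case."""
    m = CAP_RE.search(greeting)
    if not m:
        raise ValueError("greeting carries no CAPABILITY response code")
    return {atom.upper() for atom in m.group(1).split()}


def starttls_offered(greeting: str) -> bool:
    """True when the plaintext greeting offers STARTTLS (port-143 upgrade)."""
    return "STARTTLS" in parse_capabilities(greeting)


def capability_diff(seen_remote: str, seen_local: str) -> set[str]:
    """Capabilities the server advertises locally but a remote client never sees.
    A non-empty set means something on the path is rewriting the greeting."""
    return parse_capabilities(seen_local) - parse_capabilities(seen_remote)


def probe(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Fetch the plaintext greeting from a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096).decode("ascii", "replace").strip()


# Greetings pasted in the thread: as seen from the Windows client, and on the server.
WINDOWS_VIEW = ("* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN] "
                "Dovecot ready.")
LOCAL_VIEW = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
              "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

if __name__ == "__main__":
    print("STARTTLS seen from Windows:", starttls_offered(WINDOWS_VIEW))
    print("STARTTLS seen on the server:", starttls_offered(LOCAL_VIEW))
    print("missing on the path:", sorted(capability_diff(WINDOWS_VIEW, LOCAL_VIEW)))
```

Run probe() from each client and feed the results to capability_diff(); if the greeting on the wire differs from the one the server emits, something between the two is inspecting the session.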
Thank you, see my answers below.
My preference is STARTTLS, which I assumed I would get by selecting port 143 and TLS.
Yes, it is correct.
No, all of these machines are on a local subnet.
I am not sure I understand this. Dovecot has the certificate chain, which it should send to the client if I understand correctly. There may be an issue with the format of the certificate chain file, but if there is, I don't know how to fix it.
Yes, same local subnet; in fact the Linux client is a virtual machine running on the same machine as the Windows client.