[Dovecot] Dovecot ok for port 110, but not for SSL (beginner asking)
Hello,
I just installed Dovecot. It works for plaintext authorization, port 110. It has connected with Telnet, Thunderbird and an on-line pop3 client.
Telnet:
+OK Dovecot ready.
user nnnnn
-ERR Unknown command.
user nnnnn
+OK
pass xxxxxxxxxx
+OK Logged in.
stat
+OK 1 1553
retr 1
+OK 1553 octets
Return-path: <sssssss@hotmail.com>
Envelope-to: nnnnnn@mydomain.com
Delivery-date: Tue, 06 Nov 2012 12:02:28 +0100
Received: from bay0-xcvxcv-xvxcv.bay333.hotmail.com ([123.123.123.123]) by deb7.pc with esmtp (Exim 4.80)

But when I try ssl (port 995) with an on-line pop3 client, it will not work:
/var/log/mail.log
Nov 7 02:46:55 deb7 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=12.12.12.7, lip=123.123.123.123, TLS: Disconnected, session=<Iza75N3NlABBNykH>
Nov 7 02:46:56 deb7 dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=12.12.12.7, lip=123.123.123.123, TLS: Disconnected, session=<nWTF5N3NlQBBNykH>
root@deb7:~# doveconf -n
2.1.7: /etc/dovecot/dovecot.conf
OS: Linux 3.2.0-3-686-pae i686
disable_plaintext_auth = no
mail_gid = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap pop3"
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
I know very little about mail and ssl. I have assumed that ssl will be set up "automatically" when Dovecot is installed. But maybe I have missed something here. Please give me pointers. The following two files contain ssl keys:
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
I have tried changing the ssl parameter ("yes", "required") in 10-ssl.conf but with no change except that port 110 login becomes disabled.
As you can see I am a beginner with Dovecot, I hope it is still OK to ask on this mailing list. Thanks.
-- View this message in context: http://dovecot.2317879.n4.nabble.com/Dovecot-ok-for-port-110-but-not-for-SSL... Sent from the Dovecot mailing list archive at Nabble.com.
On 07.11.2012 at 10:13, ycc_Swe wrote:
have a look
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263. Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Joerg Heidrich
Thank you for your reply.
I read the page you link to. As I understand I should set the ssl-parameter in 10-ssl.conf to "yes" or "required".
I should also have permissions like this:
root@deb7:/etc/dovecot/conf.d# ls -l /etc/ssl/*/dovecot.pem
-r--r--r-- 1 root root 1326 Nov 3 14:24 /etc/ssl/certs/dovecot.pem
-r-------- 1 root root 1704 Nov 3 14:24 /etc/ssl/private/dovecot.pem
root@deb7:/etc/dovecot/conf.d#
Other information on the page, as I understand, has to do with more "advanced" setups than mine.
I still have the same problem. When I set ssl parameter to yes/required I can still not connect to port 995. This time I set ssl=verbose. This is what the log shows when I try to connect with ssl.
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [12.12.12.7]
Nov 8 08:42:25 deb7 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=12.12.12.7, lip=13.13.13.239, TLS: Disconnected, session=<zrnz+fbNpwBBNykH>
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [12.12.12.7]
Nov 8 08:42:26 deb7 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=12.12.12.7, lip=13.13.13.239, TLS: Disconnected, session=<N9L9+fbNqABBNykH>
root@deb7:/etc/dovecot/conf.d#
root@deb7:/etc/dovecot/conf.d# doveconf -n
2.1.7: /etc/dovecot/dovecot.conf
OS: Linux 3.2.0-3-686-pae i686 Debian wheezy/sid
disable_plaintext_auth = no
mail_gid = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap pop3"
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
root@deb7:/etc/dovecot/conf.d#
Thanks for replying. I still have the same problem. Dovecot works for me on port 110, but not on 995/ssl.
On 08.11.2012 at 08:54, ycc_Swe wrote:
Thanks for replying. I still have the same problem. Dovecot works for me on port 110, but not on 995/ssl.
look here
http://wiki2.dovecot.org/TestPop3Installation
look for your auth fit what you want
disable_plaintext_auth....
verify your pem/crt is not broken
look
http://wiki2.dovecot.org/AuthDatabase/PasswdFile
Best Regards MfG Robert Schetterer
At 11PM -0800 on 7/11/12 you (ycc_Swe) wrote:
<snip>
Nov 8 08:42:25 deb7 dovecot: pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]
Are you trying to authenticate with a client certificate, or with user/password under SSL? Using a client certificate requires more configuration than you have used.
Does your dovecot machine have a proper publicly-signed SSL certificate, or are you using a self-signed cert? If you're using a self-signed cert you'll probably find third-party systems (like the website you're using for testing) won't accept it, and will disconnect immediately.
Can you connect with 'openssl s_client' and log in manually, as you did with telnet before? Can you connect to port 110 and upgrade to SSL with 'STLS' (s_client will try this for you if you pass -starttls pop3)?
Ben
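Added example, not part of the original thread: a small Python parser for the verbose SSL log lines posted above. It decodes the where= value with OpenSSL's info-callback flag constants and reports, per remote IP, whether the handshake completed before the "no auth attempts" disconnect. The sample lines are constructed from the log in this thread, and grouping by rip assumes one connection per client IP at a time.

```python
import re

# OpenSSL info-callback bits (ssl.h); Dovecot logs them as where=0x...
WHERE_FLAGS = {0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
               0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
               0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT"}
SSL_RE = re.compile(r"SSL(?: alert)?: where=(0x[0-9a-f]+), ret=-?\d+: (.*?) \[([\d.]+)\]")
END_RE = re.compile(r"Disconnected \((.*?)\): .*rip=([\d.]+),.*session=<([^>]+)>")

def decode_where(value):
    """Names of the flag bits set in a where= value, lowest bit first."""
    return [name for bit, name in WHERE_FLAGS.items() if value & bit]

def new_conn(rip):
    return {"rip": rip, "handshake_done": False, "alerts": []}

def summarize(lines):
    """Collect SSL events per remote IP; close a record at its Disconnected line."""
    open_conns, finished = {}, []
    for line in lines:
        m = SSL_RE.search(line)
        if m:
            where, text, rip = m.groups()
            conn = open_conns.setdefault(rip, new_conn(rip))
            flags = decode_where(int(where, 16))
            if "HANDSHAKE_DONE" in flags:
                conn["handshake_done"] = True
            if "ALERT" in flags:  # WRITE = alert sent by Dovecot, READ = received
                conn["alerts"].append(("sent" if "WRITE" in flags else "received", text))
            continue
        m = END_RE.search(line)
        if m:
            reason, rip, session = m.groups()
            conn = open_conns.pop(rip, new_conn(rip))
            conn.update(reason=reason, session=session)
            # TLS came up, yet the client left before sending USER/PASS.
            conn["tls_ok_no_login"] = conn["handshake_done"] and "no auth attempts" in reason
            finished.append(conn)
    return finished

# Constructed sample: five lines taken from the log posted in this thread.
P = "Nov 8 08:42:25 deb7 dovecot: pop3-login: "
SAMPLE = [
    P + "Warning: SSL: where=0x10, ret=1: before/accept initialization [12.12.12.7]",
    P + "Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.12.12.7]",
    P + "Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [12.12.12.7]",
    P + "Warning: SSL alert: where=0x4008, ret=256: warning close notify [12.12.12.7]",
    P + "Disconnected (no auth attempts in 0 secs): user=<>, rip=12.12.12.7, "
        "lip=13.13.13.239, TLS: Disconnected, session=<zrnz+fbNpwBBNykH>",
]

if __name__ == "__main__":
    for conn in summarize(SAMPLE):
        print(conn)
```

A record with tls_ok_no_login set means the server side completed the TLS handshake, so the remaining question is whether the client accepts the certificate it was shown.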
Thank you for your replies.
I am trying to authenticate with user/password under SSL (port 995).
Ben wrote: Does your dovecot machine have a proper publicly-signed SSL certificate, or are you using a self-signed cert? If you're using a self-signed cert you'll probably find third-party systems (like the website you're using for testing) won't accept it, and will disconnect immediately.

Thank you very much for your comment Ben, I think you spotted my problem. I just use the certificate and key that are generated during the installation. To be able to make web-sites connect I must have a proper "publicly-signed SSL". Thanks, this question is solved, at least for the time being.
participants (3)
- Ben Morrow
- Robert Schetterer
- ycc_Swe