All sage advice. I've gone back to basics, and installed the root CA on the phone via Safari rather than email (Apple's mobile config package). I discovered just now, to my horror, after some frustration that one logging option wasn't working, that my binary is picking up a different config file ;( so I need to go back and go through the differences now and see what I was actually running. Hopefully this will clean things up. I think your point #3 is the most useful ;) I'm mainly doing this b/c it was the Dovecot default and I like security, but for this much aggravation I probably don't need it. I was running without client certs for mail retrieval happily for a long time,
Darren

> I think that is likely to be a red herring. The only thing you get in this circumstance from a commercial cert is (hopefully) rigorous technical correctness in the cert construction and signing. If you want to use client certs, you will have to manage your own PKI to some degree anyway, and that means getting all of the details right *with understanding*, not just finding a cargo-cult fix. I think you are doing the right thing in trying to get this working with your own certs, as that painful process assures that you will gain useful clues.
>
> > * make the public CA cert available via web server (I have installed root cert via email and that didn't help).
> >
> > I will try installing root cert via browser and see if that helps. If that fails, I'll try a proper CA, not self-signed. I'm sceptical that's the problem. If all that fails, I'll just throw security overboard and stick with simple password auth, life is too short. I'd still love an error message that meant something ;)
>
> 1. You may find it easiest to debug the certs using a web server and Safari on the iPhone rather than Dovecot and Mail, because you are likely to be able to instrument it better, get better error descriptions from the client, and be given more options on how to fix the problem.
>
> 2. Since you have CA, server, and client certs, it might help to not think of these as "self-signed" since at most only the CA really is that. The server cert and the client certs are signed by the CA cert, and the only difference between this setup and one using commercial certs is that you have to get your CA cert treated and trusted in the same way as a commercial root CA cert *by both ends*.
>
> 3. Client certs do not really add a great deal of security over just requiring auth to be done inside a TLS session. In some ways they are a security trade-off, rather than a clear improvement. If your PKI and device config processes are not very rigorous, you can end up in a risky circumstance by trusting client certs that you are dropping onto devices that can easily land in the wrong hands. I can say from first-hand experience that the iPhone version of Mail will work with Dovecot using a real self-signed cert and only allowing auth inside an encrypted session, so you do not need to completely throw security overboard.
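Point 2 above (only the CA is self-signed; the server and client certs are CA-signed, and the CA must be trusted at both ends) as an added example that is not part of the thread: a throwaway PKI built with the openssl CLI in a temp directory, with each leaf cert checked against the right CA and against an unrelated one. All names (the CA, mail.example.test, the client subject) are constructed; it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example: build CA -> server cert and CA -> client cert, then check chains.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Only the CA is genuinely self-signed (-x509 with its own key).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Server and client certs are CSRs signed by the CA, not self-signed.
# issue_cert BASENAME SUBJECT_CN
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_cert server mail.example.test
issue_cert client darren@example.test

# An unrelated root stands in for "the phone trusts a different CA than the server".
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# verify_against CERT CAFILE -> prints "ok" or "fail"
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Both leaf certs chain to our CA; the client cert does not chain to the other root,
# which is exactly the situation when the device has the wrong (or no) root installed.
echo "server vs our CA:   $(verify_against "$WORK/server.pem" "$WORK/ca.pem")"
echo "client vs our CA:   $(verify_against "$WORK/client.pem" "$WORK/ca.pem")"
echo "client vs other CA: $(verify_against "$WORK/client.pem" "$WORK/other.pem")"
```

The same `openssl verify -CAfile` check, run against the CA file Dovecot is configured with, tells you before touching the phone whether a given client cert can possibly be accepted.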