Are you getting asked to add an exception in the email application's certificate dialogue box?
This is an example with Thunderbird.

http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

Dan

On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille <d...@langille.org> wrote:

>
> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>
> > On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
> >
> >
> >> Perhaps I am doing the chain incorrectly. I just tried again. The
> >> server is now set up with the following:
> >>
> >> I have three certs in this chain file:
> >>
> >> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
> >>
> >> 1 - the certificate issued by startssl for my server
> >> 2 & 3 - the PEM files for StartSSL as found at
> >> http://www.startssl.com/certs/
> >>
> >
> >
> > That is the correct chain method, and order
> >
> >
> >> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> >> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> >> verify error:num=19:self signed certificate in certificate chain
> >
> >
> >
> > Never panic about the above, it is just indicating (rightly so) you
> > have a local certificate (the first) in your chain.
> >
> >
> >> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
> >> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> >
> > correct method, so long as the cert and key files are named correctly
> > and in the right location.
> >
> >
> >> ssl = required
> >
> > Bit dangerous... and may be the cause of your problems, change to :
> > ssl = yes
> >
> >
> > We use startssl and have many android, blackberry, and iphone users
> > (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop
> > types and never had any problems with them using startssl
>
> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>
> I also tried the cert bundle mentioned by Johan.
>
> The server says:
>
> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=<8+862VzmPwCtMcPW>
>
> What is this… read client certificate? There is no client certification
> in this config.
>
> : doveconf -n
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
>
>
> --
> Dan Langille - http://langille.org
>

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)