On Sep 14, 2013, at 3:28 PM, Daniel Reinhardt wrote:

> Are you getting asked to add an exception to the email application's
> certificate dialogue box?
>
> This is an example with Thunderbird.
>
> http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

No, it never gets to that point. Mail.app crashes right after I start it. I am able to access this IMAP server with Thunderbird.

>
> Dan
>
>
> On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille <d...@langille.org> wrote:
>
>>
>> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>>
>>> On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
>>>
>>>
>>>> Perhaps I am doing the chain incorrectly. I just tried again. The
>>>> server is now set up with the following:
>>>>
>>>> I have three certs in this chain file:
>>>>
>>>> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
>>>>
>>>> 1 - the certificate issued by startssl for my server
>>>> 2 & 3 - the PEM files for StartSSL as found at
>>>> http://www.startssl.com/certs/
>>>>
>>>
>>>
>>> That is the correct chain method, and order
>>>
>>>
>>>> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
>>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>>>> Signing/CN=StartCom Certification Authority
>>>> verify error:num=19:self signed certificate in certificate chain
>>>
>>>
>>>
>>> Never panic about the above, it is just indicating (rightly so) you
>>> have a local certificate (the first) in your chain.
>>>
>>>
>>>> ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
>>>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>>>
>>> correct method, so long as the cert and key files are named correctly
>>> and in the right location.
>>>
>>>
>>>> ssl = required
>>>
>>> Bit dangerous... and may be the cause of your problems, change to :
>>> ssl = yes
>>>
>>>
>>> We use startssl and have many android, blackberry, and iphone users
>>> (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop
>>> types and never had any problems with them using startssl
>>
>> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>>
>> I also tried the cert bundle mentioned by Johan.
>>
>> The server says:
>>
>> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed:
>> where=0x2002: SSLv3 read client certificate A [173.49.195.214]
>> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts
>> in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS
>> handshaking: Disconnected, session=<8+862VzmPwCtMcPW>
>>
>> What is this… read client certificate? There is no client certification
>> in this config.
>>
>> : doveconf -n
>> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 9.1-RELEASE-p6 amd64
>> auth_debug = yes
>> auth_verbose = yes
>> first_valid_gid = 1001
>> first_valid_uid = 1001
>> mail_debug = yes
>> mail_location = maildir:~/Maildir
>> mail_privileged_group = mail
>> passdb {
>>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>>   driver = passwd-file
>> }
>> protocols = imap
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     address = 199.233.228.197
>>   }
>> }
>> ssl_cert = </usr/local/etc/ssl/testing.chain.pem
>> ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
>> userdb {
>>   args = /var/db/dovecot.users
>>   driver = passwd-file
>> }
>> verbose_proctitle = yes
>> verbose_ssl = yes
>> protocol imap {
>>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
>> }
>>
>>
>> --
>> Dan Langille - http://langille.org
>>
>>
>
>
> --
> Daniel Reinhardt
> crypto...@cryptodan.net
> http://www.cryptodan.net
> 301-875-7018(c)
> 410-455-0488(h)

--
Dan Langille - http://langille.org
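Added example, not part of the original message and not Dovecot code: a small triage script for the two `verbose_ssl` log lines quoted above, decoding the `where=0x2002` bitmask with the flag values from OpenSSL's `<openssl/ssl.h>` and pairing the warning with the disconnect from the same address. The names `decode_where` and `triage` are hypothetical, and `SAMPLE` holds the two log lines from the message with the mail wrapping removed.

```python
import re

# `where` bits passed to OpenSSL's info callback (values from <openssl/ssl.h>).
WHERE_FLAGS = {
    0x0001: "SSL_CB_LOOP", 0x0002: "SSL_CB_EXIT",
    0x0004: "SSL_CB_READ", 0x0008: "SSL_CB_WRITE",
    0x0010: "SSL_CB_HANDSHAKE_START", 0x0020: "SSL_CB_HANDSHAKE_DONE",
    0x1000: "SSL_ST_CONNECT", 0x2000: "SSL_ST_ACCEPT", 0x4000: "SSL_CB_ALERT",
}
SSL_FAILED = re.compile(
    r"imap-login: Warning: SSL failed: where=0x(?P<where>[0-9a-fA-F]+): "
    r"(?P<state>.+?) \[(?P<rip>[^\]]+)\]$")
DISCONNECT = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\).*?rip=(?P<rip>[^,]+),"
    r".*?session=<(?P<session>[^>]+)>")

def decode_where(where):
    """Names of the flags set in `where`, lowest bit first; unknown bits as hex."""
    names = [name for bit, name in sorted(WHERE_FLAGS.items()) if where & bit]
    unknown = where & ~sum(WHERE_FLAGS)  # bits are distinct, so sum == OR
    return names + ([hex(unknown)] if unknown else [])

def triage(lines):
    """Pair each 'SSL failed' warning with the next disconnect from the same IP."""
    pending, findings = {}, []
    for line in lines:
        m = SSL_FAILED.search(line)
        if m:
            pending[m["rip"]] = {"where": decode_where(int(m["where"], 16)),
                                 "state": m["state"]}
            continue
        m = DISCONNECT.search(line)
        if m and m["rip"] in pending:
            findings.append({**pending.pop(m["rip"]), "rip": m["rip"],
                             "session": m["session"],
                             "auth_attempted": "no auth attempts" not in m["reason"],
                             "during_handshake": "TLS handshaking" in line})
    return findings

# The two log lines from the message above, unwrapped.
SAMPLE = [
    "Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: "
    "where=0x2002: SSLv3 read client certificate A [173.49.195.214]",
    "Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts "
    "in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS "
    "handshaking: Disconnected, session=<8+862VzmPwCtMcPW>",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

`0x2002` decodes to `SSL_ST_ACCEPT | SSL_CB_EXIT`, the server side of the handshake returning, and the text after it is OpenSSL's name for the handshake state at that moment. In the OpenSSL releases of that era the server passes through the state named "read client certificate A" after its ServerHelloDone whether or not it requested a client certificate.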