On 2013-10-07 13:57, Bruno Tréguier wrote:
On 06/10/2013 at 22:42, Dan Langille wrote:
After a long delay, I'm ready to tackle this again.
[...]
Testing via the command line gives:
$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Ok, this is fine, and different from the result you were getting a few
weeks ago. Your cert chain is ok, it seems. The "errornum=19:self signed
certificate in certificate chain" is a "normal" error, due to the fact
that you didn't tell openssl where to find a list of valid root certs.
All looks good.
/var/log/maillog shows:
Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>,
method=PLAIN, rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS,
session=<fYUwEhjoVgBib5Pc>
Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out
in=26 out=691
I have Thunderbird working just fine on my Macbook.
But my goal is mail.app on my iPhone and my Macbook. When they try to
connect, the mail server logs are:
Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [98.111.147.220]
Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth
attempts in 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197,
TLS handshaking: Disconnected, session=<Ux8HRBjo7QBib5Pc>
Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17
installation. That's my current IMAP server. I'm moving to another
server and failing so far.
Suggestions to use another client app or platform will not be
entertained, because, clearly, this works with dovecot 1.
Well, sorry but no further suggestions as far as I'm concerned then,
except that some people tend to think that mail.app is pretty crappy and
behaves quite strangely in certain situations...
I have given up. As much as I'd like to solve this problem, I must move
on. I will resort to self-signed certificates.[1] I had hoped to
resolve the issue so that others can use the solution.
My thanks to those that have offered suggestions and help.
[1] - FYI, I am the only user of this IMAP server.
--
Dan Langille - http://langille.org/
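
The "verify error:num=19" point discussed in the thread can be reproduced offline. The following is an added example, not part of the original messages: it builds a throwaway root CA and server certificate (all names and file paths are constructed), then verifies the chain once with the root merely presented alongside the server cert and once with the same root supplied as a trust anchor.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway root CA + server cert, verified with and
# without telling OpenSSL which root to trust. All names are made up.
set -eu

# make_chain DIR: create root.pem (self-signed CA) and leaf.pem signed by it.
make_chain() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -days 2 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=imaps.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.pem" \
        -days 2 2>/dev/null
}

# verify_code DIR MODE: print 0 on success, else the first verify error number.
#   sent_only - root only accompanies the leaf (-untrusted), like a server-sent chain
#   trusted   - the same root is supplied as a trust anchor (-CAfile)
verify_code() {
    dir=$1
    if [ "$2" = trusted ]; then
        out=$(openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -untrusted "$dir/root.pem" "$dir/leaf.pem" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_chain "$tmp"
echo "root sent but not trusted: verify error $(verify_code "$tmp" sent_only)"
echo "root given via -CAfile:    verify error $(verify_code "$tmp" trusted)"
```

The same distinction applies to `openssl s_client`: passing `-CAfile` or `-CApath` with the issuing root makes error 19 disappear if the chain is otherwise valid.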