On Oct 8, 2013, at 8:59 AM, Dan Langille wrote:
> On 2013-10-07 13:57, Bruno Tréguier wrote:
>> On 06/10/2013 at 22:42, Dan Langille wrote:
>> After a long delay, I'm ready to tackle this again.
>> [...]
>> Testing via the command line gives:
>> $ openssl s_client -connect imaps.unixathome.org:993
>> CONNECTED(00000003)
>> depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing,
>> CN = StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> Ok, this is fine, and different from the result you were getting a few
>> weeks ago. Your cert chain is ok, it seems. The "errornum=19:self signed
>> certificate in certificate chain" is a "normal" error, due to the fact
>> that you didn't tell openssl where to find a list of valid root certs.
>> All looks good.
>> /var/log/maillog shows:
>> Oct 6 20:06:28 imaps dovecot: imap-login: Login: user=<dan>, method=PLAIN,
>> rip=98.111.147.220, lip=199.233.228.197, mpid=81052, TLS,
>> session=<fYUwEhjoVgBib5Pc>
>> Oct 6 20:08:21 imaps dovecot: imap(dan): Disconnected: Logged out in=26
>> out=691
>> I have Thunderbird working just fine on my Macbook.
>> But my goal is mail.app on my iPhone and my Macbook. When they try to
>> connect, the mail server logs are:
>> Oct 6 20:20:25 imaps dovecot: imap-login: Warning: SSL failed:
>> where=0x2002: SSLv3 read client certificate A [98.111.147.220]
>> Oct 6 20:20:25 imaps dovecot: imap-login: Disconnected (no auth attempts in
>> 1 secs): user=<>, rip=98.111.147.220, lip=199.233.228.197, TLS handshaking:
>> Disconnected, session=<Ux8HRBjo7QBib5Pc>
>> Yet, the same iPhone and Macbook connect fine to a dovecot 1.2.17
>> installation. That's my current IMAP server. I'm moving to another server
>> and failing so far.
>> Suggestions to use another client app or platform will not be entertained,
>> because, clearly, this works with dovecot 1.
>> Well, sorry but no further suggestions as far as I'm concerned then,
>> except that some people tend to think that mail.app is pretty crappy and
>> behaves quite strangely in certain situations...
>
> I have given up. As much as I'd like to solve this problem, I must move on.
> I will resort to self-signed certificates.[1] I had hoped to resolve the
> issue so that others can use the solution.
>
> My thanks to those that have offered suggestions and help.
>
> [1] - FYI, I am the only user of this IMAP server.

The problem *may* be with 4096 bit certificates. I've been able to connect with a 2048-bit, but not with a 4096-bit. More testing to be done.

--
Dan Langille - http://langille.org