Dear Thierry,
- Have you checked that port 12345 as specified below is open/forwarded
and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
- Did you retrace your steps and have you verified that synchronisation
works with ssl disabled?
- Did you verify your certificate files (e.g., "openssl verify -verbose
-CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?
Personally, I prefer to use a single, specialised tool to manage
certificates/encryption (which in my case is stunnel); all other
programs are set up using (link-)local ip addresses only. If everything
but encryption works with your setup, this might be a possible
"workaround". (Apart from that, stunnel debug mode is very detailed and
can help you to rule out problems with the certificates/connections
between two nodes.)
And once the latter works but the dovecot setup below still does not, it
would also point to a problem with certificate handling by dovecot
(could be library related).
KR, Markus
Am 06.02.2017 um 07:36 schrieb Thierry:
> Hi Aki,
>
> I do not have any error message but (on both server):
>
> doveadm replicator status '*'
> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm)
> failed: Connection refused
>
> Thx
>
>
> Le vendredi 3 février 2017 à 17:09:52, vous écriviez :
>
>> Please keep responses in list. rm -f
>> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
>
>> On 2017-02-03 17:00, Thierry wrote:
>>> Hi,
>>>
>>> I have removed the '<' :
>>>
>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>>
>>> But now:
>>>
>>> doveadm: Error: Corrupted SSL parameters file in state_dir:
>>> ssl-parameters.dat - disabling SSL 360
>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>> doveadm: Error: Corrupted SSL parameters file in state_dir:
>>> ssl-parameters.dat - disabling SSL 360
>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>
>>> Any idea ?
>>>
>>> Thx
>>>
>>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>>> Aki
>>>> On 2017-02-03 15:13, Thierry wrote:
>>>>> Hi,
>>>>>
>>>>> I have made change:
>>>>>
>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>> ssl = required
>>>>> verbose_ssl = no
>>>>> ssl_key = </etc/ssl/private/private.key
>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>>
>>>>>
>>>>> # Create a listener for doveadm-server
>>>>> service doveadm {
>>>>> user = vmail
>>>>> inet_listener {
>>>>> port = 12345
>>>>> ssl= yes
>>>>> }
>>>>> }
>>>>>
>>>>> and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd #
>>>>> use doveadm_port
>>>>>
>>>>> And now:
>>>>>
>>>>> Feb 03 14:11:16 doveadm(us...@domain.ltd): Error: sync: Couldn't
>>>>> initialize SSL context: Can't load CA certs from directory :
>>>>> error:02001024:system library:fopen:File name too long
>>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in
>>>>> state_dir: ssl-parameters.dat - disabling SSL 360
>>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters,
>>>>> disabling SSL
>>>>>
>>>>> Thx for your support
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Le vendredi 3 février 2017 à 11:34:43, vous écriviez :
>>>>>
>>>>>> Hello,
>>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Still working with my dsync pb.
>>>>>>> I have done a clone (vmware) of my email server.
>>>>>>> Today I have two strictly identical emails servers (server1
>>>>>>> (main) and server2 (bck) (except IP, hostname and mail_replica).
>>>>>>>
>>>>>>> The ssl config on my both server:
>>>>>>>
>>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>>> ssl = required
>>>>>>> verbose_ssl = no
>>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>>> I think it should be ssl_client_ca_file =
>>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>>> This config is working for my email client and my email web
>>>>>>> interface ...
>>>>>>>
>>>>>>> Are they on the right order ?
>>>>>>>
>>>>>>> mail_replica = tcps:serv...@domain.ltd and tcps:serv...@domain.ltd
>>>>>>>
>>>>>>> There is trafic on my iptables rules on my both servers:
>>>>>>>
>>>>>>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0
>>>>>>> 0.0.0.0/0 tcp dpt:4711
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> My error message from server1 (main server):
>>>>>>>
>>>>>>> Feb 03 08:38:08 doveadm(us...@domain.ltd): Error: sync: Couldn't
>>>>>>> initialize SSL context: Can't verify remote server certs without
>>>>>>> trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't
>>>>>>> initialize SSL context: Can't verify remote server certs without
>>>>>>> trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't
>>>>>>> initialize SSL context: Can't verify remote server certs without
>>>>>>> trusted CAs (ssl_client_ca_* settings)
>>>>>>> Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't
>>>>>>> initialize SSL context: Can't verify remote server certs without
>>>>>>> trusted CAs (ssl_client_ca_* settings)
>>>>>>>
>>>>>>> No logs from server2
>>>>>>>
>>>>>>> Any ideas ?
>>>>>>>
>>>>>>> Thx for your support
>>>>>>>
>>>>>>>
>
>
