On 07.07.2017 at 08:15, Andreas Oster wrote:
Hi all,

I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks ago I had to replace our Dovecot certificate due to expiration. In the past I used a self-signed certificate, but because we now have a little OpenSSL-based CA I have decided to create a signed certificate for imaps. Dovecot is happily accepting the new certificate, which has the whole cert chain integrated. Unfortunately Pigeonhole does not seem to like the certificate:

<--snip

gnutls-cli --starttls -p4190 mail.novanetwork.local

Processed 173 CA certificate(s).
Resolving 'mail.novanetwork.loc'...
Connecting to '10.2.1.23:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

STARTTLS
OK "Begin TLS negotiation now."

-->

At this point the TLS process does not proceed. When I press CTRL-D I get the following output:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires `2020-06-22 06:58:40 UTC', SHA-1 fingerprint `51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
         Public Key ID:
                 165eaaa4b36c091ec8f32103da003a1f43b1c57d
         Public key's random art:
                 +--[ RSA 2048]----+
                 |  .o..           |
                 |. .o. . E        |
                 |o..    .. .      |
                 |= o    . +       |
                 |+* o  . S        |
                 |o==. o o         |
                 | .=o+..          |
                 |  .ooo           |
                 |   .o            |
                 +-----------------+

- Certificate[1] info:
- subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03 11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
- Certificate[2] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30 11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed


I have checked the certificate with:

openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK

and also with:

openssl verify -verbose -CAfile /etc/ssl/certs/mail.novanetwork.local.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK



Does anyone have an idea what could be the cause of the problem and how to fix it?

Thank you for your kind help.

best regards
Andreas
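An added example (not part of the thread, and not Dovecot or Pigeonhole code) that reproduces what the gnutls-cli output above actually reports. Whatever stalled the handshake, the status line at the end is a trust decision made on the client side: the server sent three certificates (host, intermediate, self-signed root), and gnutls-cli still said "The certificate issuer is unknown" because the 173 CA certificates it processed are the system bundle, which does not contain a private root. The Go program below builds a throwaway root -> intermediate -> host chain with the standard library (the CA names, the host mail.example.test and the P-256 keys are assumptions for this example) and runs the same check a TLS client runs under three conditions: full chain served and private root trusted, full chain served but root not trusted, and intermediate not served with root trusted. The last two yield the same "issuer unknown" result, so the client's error alone does not tell you which side needs fixing; the certificate count in the client output ("Got a certificate list of 3 certificates") does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Host is the assumed name in the server certificate (not the thread's real host).
const Host = "mail.example.test"

// Chain is a constructed private PKI: self-signed root -> intermediate -> host cert.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// template returns a minimal CA or TLS-server certificate template for cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue generates a key for tmpl and signs it with parentKey; parent == nil self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture generation; key generation failing is not a recoverable case here
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain issues the root, the intermediate and the host certificate.
func BuildChain() *Chain {
	root, rootKey := issue(template("Example Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Example Intermediate CA", 2, true), root, rootKey)
	leaf, _ := issue(template(Host, 3, false), inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify checks the host certificate as a TLS client does. 'served' are the extra
// certificates the server sent after the leaf; 'trusted' is the client's trust
// store (nil: the private root is absent, as with a stock distribution CA bundle).
func Verify(c *Chain, served, trusted []*x509.Certificate) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, s := range served {
		inters.AddCert(s)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: Host, Roots: roots, Intermediates: inters})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "issuer unknown" // what gnutls-cli reports as "The certificate issuer is unknown."
	default:
		return "failed: " + err.Error()
	}
}

func main() {
	c := BuildChain()
	full := []*x509.Certificate{c.Intermediate, c.Root}
	fmt.Println("full chain served, private root trusted:    ", Verify(c, full, []*x509.Certificate{c.Root}))
	fmt.Println("full chain served, private root not trusted:", Verify(c, full, nil))
	fmt.Println("intermediate not served, root trusted:      ", Verify(c, nil, []*x509.Certificate{c.Root}))
}
```

For the live check against the managesieve port, hand the client the private root instead of relying on the system bundle, e.g. `gnutls-cli --starttls --x509cafile root.pem -p 4190 host` (then type STARTTLS and press Ctrl-D, as in the transcript) or, with OpenSSL 1.1.0 or newer, `openssl s_client -starttls sieve -CAfile root.pem -connect host:4190`. Running `openssl verify` against files on the server confirms that the files chain correctly, but says nothing about which certificates the daemon actually sends; only a client-side probe shows that.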

Hi all,

in another posting Stephan Bosch pointed out that there is already a fix:

https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355f7f2fa89f

This small change also resolved my sieve login issue.

best regards
Andreas
