Am 07.07.2017 um 08:15 schrieb Andreas Oster:
Hi all,
I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks
ago I had to replace our dovecot certificate due to expiration. In the
past I did use a self-signed certificate, but because we now have a
little openssl based CA I have decided to create signed certificate for
imaps. Dovecot is happily accepting the new certificate which has
integrated the whole cert-chain. Unfortunately Pigeonhole does not seem
to like the certificate:
<--snip
gnutls-cli --starttls -p4190 mail.novanetwork.local
Processed 173 CA certificate(s).
Resolving 'mail.novanetwork.loc'...
Connecting to '10.2.1.23:4190'...
- Simple Client Mode:
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
STARTTLS
OK "Begin TLS negotiation now."
-->
At this point the TLS process does not proceed. When I press CTRL-D I
get the following output:
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA
Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer
`C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA
Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed
using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires
`2020-06-22 06:58:40 UTC', SHA-1 fingerprint
`51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
Public Key ID:
165eaaa4b36c091ec8f32103da003a1f43b1c57d
Public key's random art:
+--[ RSA 2048]----+
| .o.. |
|. .o. . E |
|o.. .. . |
|= o . + |
|+* o . S |
|o==. o o |
| .=o+.. |
| .ooo |
| .o |
+-----------------+
- Certificate[1] info:
- subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen
GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer
`C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03
11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
- Certificate[2] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA
Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer
`C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using
RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30
11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is
unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
I have checked the certificate with:
openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
and also with:
openssl verify -verbose -CAfile
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
Does anyone have an idea what could be the cause of the problem and how
to fix it ?
Thank you for your kind help.
best regards
Andreas
Hi all,
in another posting Stephan Bosch pointed out that there is already a fix:
https://github.com/dovecot/pigeonhole/commit/c80aa7c25b0b4e61bb8e3a91864a355f7f2fa89f
This small change also resolved my sieve login issue.
best regards
Andreas
