> On 08 December 2018 at 12:03 Marco Fioretti <marco.fiore...@gmail.com> wrote:
>
>
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
>
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
>
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
>
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
>
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
>
> ssl_cert = </etc/letsencrypt/live/MYSERVERNAME/fullchain.pem
> ssl_key = </etc/letsencrypt/live/MYSERVERNAME/privkey.pem
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
>
> any pointer to what to check or change next is VERY welcome.
>
> Thanks in advance,
> Marco
>
> #################################################
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept()
> failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher, session=<knICtX98UK4vNZ88>
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs
>
> #################################################
> dovecot --version
> 2.2.36 (1f10bfa63)
>
>
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core) ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols? Is your certificate an ECC certificate?

Aki
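
Added example, not part of the thread and not Dovecot's own code: it pulls failed TLS handshakes out of unwrapped maillog lines in the format quoted above, groups them by reason and client address, and unpacks the OpenSSL error code. The function names and the second and third sample lines are constructed; the bit layout assumed is that of OpenSSL 1.0.x/1.1.x error codes.

```python
import re
from collections import Counter

# Sample input. Line 1 is the failure from the quoted log, unwrapped as syslog
# writes it; lines 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<knICtX98UK4vNZ88>
Dec 8 10:54:02 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.10, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, session=<CONSTRUCTED0001>
Dec 8 10:55:10 MYSERVERNAME dovecot: imap-login: Login: user=<someone>, method=PLAIN, rip=192.0.2.11, lip=116.202.20.216, mpid=1234, TLS, session=<CONSTRUCTED0002>
"""

# Matches only login-process disconnects that carry an SSL_accept() error.
FAIL_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+-login): Disconnected .*?rip=(?P<rip>[^,\s]+),.*?"
    r"TLS handshaking: SSL_accept\(\) failed: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^,]+)"
)

def decode_openssl_error(code_hex):
    """Unpack a packed error code into (library, function, reason) numbers.

    Layout of OpenSSL 1.0.x/1.1.x: 8 bits library, 12 bits function,
    12 bits reason. OpenSSL 3.x packs error codes differently.
    """
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def handshake_failures(log_text):
    """Yield one dict per failed TLS handshake found in the log text."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["reason"] = rec["reason"].strip()
            rec["numbers"] = decode_openssl_error(rec["code"])
            yield rec

def summarize(log_text):
    """Count failures per (reason, client IP) so a single failing client stands out."""
    return Counter((r["reason"], r["rip"]) for r in handshake_failures(log_text))

if __name__ == "__main__":
    for (reason, rip), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {rip:15s}  {reason}")
```
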