> On 16/11/2020 09:54 li...@lazygranch.com <li...@lazygranch.com> wrote:
>
>
> On Sun, 15 Nov 2020 17:31:07 -0500
> Mike Schroeder <mikesch...@gmail.com> wrote:
>
> > CentOS 7
> > Dovecot 2.2.36
> >
> > Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> > attempts in 0 secs):
> > user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> > SSL_accept() failed:
> > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> > session=<>
> >
> > Was working fine for over a year, until the cert expired and I
> > replaced it. I've tried the good cert I have for https and I used the
> > Dovecot.org script to generate a self-signed certificate.
> >
> > 10-ssl.conf
> > ## SSL settings
> > #ssl = required
> > ssl = yes
> > #ssl = no
> > ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt
> > ssl_key = </etc/pki/dovecot/private/mydomain.com.key
> > #ssl_ca =
> > #ssl_require_crl = yes
> > #ssl_client_ca_dir =
> > #ssl_client_ca_file =
> > #ssl_verify_client_cert = no
> > #ssl_cert_username_field = commonName
> > #ssl_dh_parameters_length = 1024
> > #ssl_protocols = !SSLv3
> >
> > # SSL ciphers to use
> > # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> > ssl_cipher_list =
> > ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> > !RC4:!ADH:!LOW@STRENGTH
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> > # SSL crypto device to use, for valid values run "openssl engine"
> > #ssl_crypto_device =
> >
> > # SSL extra options. Currently supported options are:
> > # no_compression - Disable compression.
> > # no_ticket - Disable SSL session tickets.
> > #ssl_options =
> >
> > ===========================
> > # openssl x509 -dates -in mydomain.com.crt
> > notBefore=Nov 11 16:31:35 2020 GMT
> > notAfter=Nov 11 16:31:35 2022 GMT
> > -----BEGIN CERTIFICATE-----
> > :
> > ===========================
> > # openssl pkey -in mydomain.com.key
> > -----BEGIN PRIVATE KEY-----
> > :
> >
> > Thanks for taking a look. Any ideas on what I should do next to
> > debug?
> >
> > Mike
>
> I remembered this problem was posted and still had the reply post from
> Viktor. This may or may not be relevant. A search on this text will
> probably drag up the whole thread.
> ---------------
> Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
> support ECDSA. You'd need an additional RSA certificate to interoperate
> with their sending MTA's limited STARTTLS cipher/protocol repertoire.
> --------------
>
> When this thread went around I looked at my logs and found some no
> auth complaints in my dovecot log. I believe they were trying to use
> the sslv3 to hack my server. Or at least see if it is hackable. Since
> my email server is a personal one and the attack was from a hosting
> company, I blocked the server IP space.
>
> The weird thing is I get your error now myself but not consistently. Here
> is an example.
> -------------------------------
> Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs):
> user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:
> SSL alert number 46, session=<rXchrDG06qvGx2p9>
> Nov 16 04:18:37 imap-login: Info: Login: user=<m...@mydomain.com>,
> method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS,
> session=<DSIjrDG05KvGx2p9>
>
> However the problem isn't present at the moment.
Dovecot supports an alternative certificate if you have problems with ECDSA and need to use RSA for them. See https://doc.dovecot.org/settings/core/#ssl-alt-cert

Aki
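The diagnosis in this thread (an ECDSA-only certificate that a client offering only RSA-authenticated cipher suites cannot use, which the server logs as "no shared cipher") and Aki's fix (a second, RSA certificate via ssl_alt_cert/ssl_alt_key) can be checked before touching a live server. The script below is an added example written for this page, not code from the thread, from Mike, or from the Dovecot project. It goes slightly beyond the thread: besides reporting which key type a certificate carries, it also verifies that each key matches its certificate, since a mismatched ssl_cert/ssl_key pair is rejected as well. The certificates it creates are constructed test material, the /etc/pki/dovecot paths in the emitted config fragment and the host:port given to the live check are assumptions, and it needs only a POSIX shell and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): reproduce the
# ECDSA-only certificate situation offline with constructed test certificates,
# check key type and key/cert consistency, and emit the ssl_alt_cert fragment.
# All file paths and the host:port argument are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: one ECDSA P-256 and one RSA 2048 self-signed cert.
make_test_certs() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ecdsa.key"
  openssl req -x509 -new -key "$WORK/ecdsa.key" -days 1 \
    -subj "/CN=mail.example.invalid" -out "$WORK/ecdsa.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/rsa.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/rsa.key" -days 1 \
    -subj "/CN=mail.example.invalid" -out "$WORK/rsa.crt" 2>/dev/null
}

# Print the public key algorithm of a certificate as OpenSSL names it:
# "id-ecPublicKey" for an ECDSA certificate, "rsaEncryption" for RSA.
# If the only configured certificate reports id-ecPublicKey, RSA-only clients
# cannot negotiate a cipher suite with the server.
cert_key_algo() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Succeed only when the private key's public half is the one embedded in the
# certificate; Dovecot also rejects a key that does not match its certificate.
key_matches_cert() {
  cert="$1"; key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Emit the 10-ssl.conf lines that serve an RSA certificate alongside the ECDSA
# one through ssl_alt_cert/ssl_alt_key (the setting Aki points to). Paths are
# assumptions; the "<" prefix tells Dovecot to read the file's contents.
dovecot_ssl_snippet() {
  cat <<'EOF'
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/mydomain.com.ecdsa.crt
ssl_key = </etc/pki/dovecot/private/mydomain.com.ecdsa.key
ssl_alt_cert = </etc/pki/dovecot/certs/mydomain.com.rsa.crt
ssl_alt_key = </etc/pki/dovecot/private/mydomain.com.rsa.key
EOF
}

# Against a live implicit-TLS port such as host:993 or host:995 (not run here,
# needs network), emulate a client that only offers RSA-authenticated TLS 1.2
# cipher suites. With an ECDSA-only server the handshake fails and the server
# logs "no shared cipher"; once ssl_alt_cert is in place the "Cipher is" line
# shows an RSA-authenticated suite instead.
check_rsa_only_client() {
  openssl s_client -connect "$1" -tls1_2 -cipher 'aRSA' </dev/null 2>&1 \
    | grep -E 'Cipher is|no shared cipher|handshake failure|alert'
}

main() {
  make_test_certs
  for name in ecdsa rsa; do
    printf '%s.crt: %s, key matches: ' "$name" "$(cert_key_algo "$WORK/$name.crt")"
    if key_matches_cert "$WORK/$name.crt" "$WORK/$name.key"; then echo yes; else echo no; fi
  done
  echo "--- 10-ssl.conf fragment with an RSA alternative certificate ---"
  dovecot_ssl_snippet
}

main "$@"
```

Run it as-is to see the two key types and the config fragment; to test a real server, call `check_rsa_only_client mail.example.invalid:995` (hostname is a placeholder) before and after adding ssl_alt_cert, and compare with the pop3-login/imap-login lines in the Dovecot log.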