Re: Self-Signed Certificate issue

2016-09-25 Thread chaouche yacine
> From: Darryl Baker
> To: dovecot@dovecot.org
> Sent: Friday, September 23, 2016 6:07 PM
> Subject: Self-Signed Certificate issue
>
> I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

That's because your client doesn't know about the certificate *issuer*, so it
doesn't trust it (the certificate); it's not an *authority* (the A in CA). What
you need to do is include the *issuer's* certificate in your server's. But even
then, the issuer was yourself, and you are not trusted either on the client's
side. So what you need to do is install the root certificate on the client's
machine so that certificates signed with it are trusted. When the root cert is
trusted on the client side, it will trust the intermediate (issuer) certificate
because it was signed by it, and trust the server's certificate because it was
signed by the intermediate (this is why it's called a certificate *chain*, which
often has only one intermediate CA although many intermediates are possible).
So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
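The chain described above, as an added example rather than anything posted in the thread: a POSIX shell script that builds a throwaway root CA, intermediate CA and server certificate with the openssl CLI in a temporary directory, then runs `openssl verify` the way a client would: once with only the server certificate (the issuer is missing), once with the intermediate supplied, and once against a trust store that holds some other root but not yours. It also assembles the file Dovecot's `ssl_cert` setting would point at (server certificate first, intermediate after it). All subject names (Example Root CA, mail.example.test, Some Other CA) are made up for the demo; it assumes an openssl binary with its default config on the PATH.

```shell
#!/bin/sh
# Added example, not code from the dovecot thread. Requires the openssl CLI.
# Builds ROOT CA >>signs>> INTERMEDIATE CA >>signs>> SERVER CERT in a temp dir
# and shows which trust configurations make the server cert verify.
# All subject names are made-up demo values.

# new_csr DIR NAME CN: fresh RSA key DIR/NAME.key and a CSR DIR/NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# make_chain DIR: root, intermediate, server and an unrelated CA in DIR
make_chain() {
    dir=$1
    # extensions that make a certificate a CA (the "A" in CA)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # end-entity extensions for the IMAP/POP server certificate
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' \
        > "$dir/server.ext"

    # self-signed root CA
    new_csr "$dir" root 'Example Root CA'
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1

    # intermediate CA, signed by the root
    new_csr "$dir" int 'Example Intermediate CA'
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1

    # server certificate, signed by the intermediate
    new_csr "$dir" server 'mail.example.test'
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1

    # an unrelated CA, standing in for what a client's trust store contains
    # when your own root was never installed there
    new_csr "$dir" other 'Some Other CA'
    openssl x509 -req -in "$dir/other.csr" -signkey "$dir/other.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/other.pem" >/dev/null 2>&1

    # the file to hand to Dovecot's ssl_cert: server cert first, then the
    # intermediate(s) the client needs to walk up to a root it trusts
    cat "$dir/server.pem" "$dir/int.pem" > "$dir/chain.pem"
}

# Client trusts the root, server sent only its own certificate: issuer unknown.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Client trusts the root and the server also sent the intermediate: verifies.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem" \
        >/dev/null 2>&1
}

# Full chain sent, but the client's store holds a different root: still unknown.
verify_unknown_root() {
    openssl verify -CAfile "$1/other.pem" -untrusted "$1/int.pem" "$1/server.pem" \
        >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    make_chain "$d"
    for check in verify_leaf_only verify_with_chain verify_unknown_root; do
        if "$check" "$d"; then echo "$check: verified"; else echo "$check: rejected"; fi
    done
    echo "Dovecot would use: ssl_cert = <$d/chain.pem and ssl_key = <$d/server.key"
    rm -rf "$d"
}
main
```

Only the second check verifies: the first fails because the client cannot reach a trusted root without the intermediate (the server must send it), the third fails because the client's store does not contain your root (it must be installed there). Both are what the client reports back to Dovecot as the "unknown ca" alert.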



   


dovecot-2.2.18 / net_listen_unix(...) failed: Value too large for defined data type

2016-09-25 Thread Christophe Bricout
Dear All,

SUMMARY: 
Dovecot shows an issue when "localstatedir" path is too long
The issue exists also with dovecot-2.2.25

CONFIGURATION:
The configure options are:

./configure --prefix=${TARGET_DIR} \
--sysconfdir=${TARGET_DIR}/cfg \
--localstatedir=${TARGET_DIR}/var \
--with-ssl=openssl \
--with-sqlite \
--disable-shared

RESULTS:
When executing dovecot (as root), the following message appears:

Error: service(dict): 
net_listen_unix(//localbin/minnowboard-turbot-applications/1.0/linux/x86_64-linux/localbin/dovecot/2.2.18/linux/x86_64-linux/var/run/dovecot/dict)
 failed: Value too large for defined data type
Error: service(config): 
net_listen_unix(/localbin/minnowboard-turbot-applications/1.0/linux/x86_64-linux/localbin/dovecot/2.2.18/linux/x86_64-linux/var/run/dovecot/config)
 failed: Value too large for defined data type
---

WORKAROUND:
The problem is solved by defining a shorter localstatedir or using base_dir = 
/var/run/dovecot.

It seems the path length is causing such an issue. Path length > 127

Available for additional experiments
Best Regards


Re: dovecot-2.2.18 / net_listen_unix(...) failed: Value too large for defined data type

2016-09-25 Thread Aki Tuomi

> On September 25, 2016 at 4:54 PM Christophe Bricout 
>  wrote:
> 
> 
> Dear All,
> 
> SUMMARY: 
> Dovecot shows an issue when "localstatedir" path is too long
> The issue exists also with dovecot-2.2.25
> 
> CONFIGURATION:
> The configure options are:
> 
> ./configure --prefix=${TARGET_DIR} \
> --sysconfdir=${TARGET_DIR}/cfg \
> --localstatedir=${TARGET_DIR}/var \
> --with-ssl=openssl \
> --with-sqlite \
> --disable-shared
> 
> RESULTS:
> When executing dovecot (as root), the following message appears:
> 
> Error: service(dict): 
> net_listen_unix(//localbin/minnowboard-turbot-applications/1.0/linux/x86_64-linux/localbin/dovecot/2.2.18/linux/x86_64-linux/var/run/dovecot/dict)
>  failed: Value too large for defined data type
> Error: service(config): 
> net_listen_unix(/localbin/minnowboard-turbot-applications/1.0/linux/x86_64-linux/localbin/dovecot/2.2.18/linux/x86_64-linux/var/run/dovecot/config)
>  failed: Value too large for defined data type
> ---
> 
> WORKAROUND:
> The problem is solved by defining a shorter localstatedir or using base_dir = 
> /var/run/dovecot.
> 
> It seems the path length is causing such an issue. Path length > 127
> 
> Available for additional experiments
> Best Regards

Hi! 

Unix socket maximum path len is 108 characters. This is a *nix limitation, not 
dovecot's.

---
Aki Tuomi
Dovecot oy
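An added check for the limit Aki describes, not from the thread and not Dovecot code: on Linux `struct sockaddr_un.sun_path` is 108 bytes and must also hold the terminating NUL, so a socket path can be at most 107 bytes (macOS and the BSDs have 104). `Value too large for defined data type` is the text of errno EOVERFLOW, which is what the report shows. The script measures candidate paths in bytes, flags the base_dir reconstructed from the report's log lines against the `/var/run/dovecot` workaround, and works out how long a base_dir may be before the `dict` and `config` sockets stop fitting. Only those two socket names appear in the report; a real installation creates more, some in subdirectories, so leave headroom.

```shell
#!/bin/sh
# Added example, not from the thread and not Dovecot code.
# Checks whether Unix socket paths fit into sockaddr_un.sun_path.

SUN_PATH_LEN=108   # sizeof(sun_path) on Linux; macOS and the BSDs use 104

# byte_len STRING: length in bytes (what the kernel counts), not characters
byte_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# socket_path_fits PATH: succeeds if PATH plus its NUL terminator fits
socket_path_fits() {
    [ "$(byte_len "$1")" -lt "$SUN_PATH_LEN" ]
}

# max_base_dir_len NAME: longest base_dir that still leaves room for "/NAME"
# and the terminating NUL
max_base_dir_len() {
    echo $(( SUN_PATH_LEN - 1 - 1 - $(byte_len "$1") ))
}

# check_base_dir BASE_DIR NAME...: report BASE_DIR/NAME for each name;
# fails if any of them is too long
check_base_dir() {
    base=$1; shift
    rc=0
    for name in "$@"; do
        p="$base/$name"
        if socket_path_fits "$p"; then
            echo "ok   $(byte_len "$p") bytes  $p"
        else
            echo "LONG $(byte_len "$p") bytes  $p"
            rc=1
        fi
    done
    return $rc
}

# base_dir reconstructed from the report's log lines, and the workaround
LONG_BASE=/localbin/minnowboard-turbot-applications/1.0/linux/x86_64-linux/localbin/dovecot/2.2.18/linux/x86_64-linux/var/run/dovecot
SHORT_BASE=/var/run/dovecot

main() {
    echo "sun_path holds at most $((SUN_PATH_LEN - 1)) bytes of path"
    check_base_dir "$LONG_BASE" dict config || echo "-> shorten localstatedir or set base_dir"
    check_base_dir "$SHORT_BASE" dict config
    echo "base_dir may be at most $(max_base_dir_len dict) bytes for dict, $(max_base_dir_len config) for config"
}
main
```

The same check applies to any other socket-creating daemon built with a deep `--prefix`; the base_dir workaround works because it moves only the sockets, not the rest of the installation.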


Re: Proxy IMAP/POP

2016-09-25 Thread Aki Tuomi

> On September 23, 2016 at 10:06 PM Luis Miguel Flores dos Santos 
>  wrote:
> 
> 
> Hello, I'm trying to configure dovecot to proxy imap and pop but I can't; my 
> configuration follows:
> 
> dovecot version = 2.2.10
> 
> My configuration:
> 
> dovecot -n
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.18.35 x86_64 CentOS Linux release 7.2.1511 (Core)
> auth_mechanisms = plain login
> auth_username_format = %n
> disable_plaintext_auth = no
> mail_location = maildir:~/Maildir
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> ssl = no
> ssl_cert = 
> ssl_key = 
> userdb {
>   driver = passwd
> }
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> 
> grep -v '^ *\(#.*\)\?$' dovecot-sql.conf
> 
> driver = mysql
> connect = "host=127.0.0.1 dbname=mail user=root password=PASS"
> password_query = SELECT NULL AS password, 'Y' as nopassword, host, destuser, 
> 'Y' AS proxy FROM proxy WHERE user = '%u'
> 
> /var/log/maillog:
> 
> RHDOVECOT dovecot: auth: Fatal: Unknown database driver 'mysql'
> 
> 
> **OBS: I followed this wiki: 
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> and installed dovecot-mysql.x86_64,
> My server is a CentOS Linux release 7.2.1511 (Core)
> 
> Can anyone help me?
> 
> Thanks.
> 
> 
> 
> Best regards,
> 
> Luis Miguel

Your dovecot has no mysql support. 

Aki


configure fail if libssl is named libssl-opt

2016-09-25 Thread A. Schulze

Hello,

I am trying to build dovecot with my own version of openssl. It's compiled in a 
way that the libraries can coexist without symbol conflicts with the real 
OpenSSL in /usr: they are named libssl-opt and libcrypto-opt.

Now configure fails to find my libssl-opt:

   CFLAGS="..." CXXFLAGS="..." CPPFLAGS="..." LDFLAGS="..." SSL_LIBS='-lssl-opt 
-lcrypto-opt' ./configure ... --with-ssl=openssl
   ...
   checking for SSL_read in -lssl... no
   configure: error: Can't build with OpenSSL: libssl not found

Is there another way to tell configure that the ssl libraries have other names?

Andreas


Re: Self-Signed Certificate issue

2016-09-25 Thread Darryl Baker
Building a new certificate as described in a previous email worked.

*Darryl Baker*

On Sun, Sep 25, 2016 at 5:19 AM, chaouche yacine 
wrote:

> *From:* Darryl Baker
> *To:* dovecot@dovecot.org
> *Sent:* Friday, September 23, 2016 6:07 PM
> *Subject:* Self-Signed Certificate issue
>
> I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
> That's because your client doesn't know about the certificate *issuer*, so
> it doesn't trust it (the certificate); it's not an *authority* (the A in
> CA). What you need to do is include the *issuer's* certificate in your
> server's. But even then, the issuer was yourself, and you are not trusted
> either on the client's side. So what you need to do is install the root
> certificate on the client's machine so that certificates signed with it are
> trusted. When the root cert is trusted on the client side, it will trust the
> intermediate (issuer) certificate because it was signed by it, and trust
> the server's certificate because it was signed by the intermediate (this is
> why it's called a certificate *chain*, which often has only one intermediate
> CA although many intermediates are possible).
>
> So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
>
>
>
>


Re: configure fail if libssl is named libssl-opt

2016-09-25 Thread A. Schulze



On 25.09.2016 at 18:23, A. Schulze wrote:

> Is there another way to tell configure that the ssl libraries have other names?


solved: using pkg-config and correct .pc files :-)

Andreas


fail to compile with openssl-1.1.x

2016-09-25 Thread A. Schulze

Hi again,

now I get compile errors. Is openssl-1.1.xy supported?

iostream-openssl.c: In function 'openssl_iostream_verify_client_cert':
iostream-openssl.c:118:37: error: dereferencing pointer to incomplete type
   subject = X509_get_subject_name(ctx->current_cert);
                                     ^
iostream-openssl.c:127:37: error: dereferencing pointer to incomplete type
     X509_verify_cert_error_string(ctx->error), certname));
                                     ^

Andreas


Setting hostdomain

2016-09-25 Thread Arie Peterson
Hi all,


Preparing for a replication setup, I read (at the bottom of 
) that `dovecot --hostdomain` should 
give a different output on the two servers. This is not the case for me: both 
give "localhost". I'm trying to change my configuration to set the hostdomain 
to another value, but I can't find how to do this.

I tried:

• setting the environment variable DOVECOT_HOSTDOMAIN=mydomain in 
/etc/default/dovecot (which is read by the init script);

• adding the line
import_environment = TZ DOVECOT_HOSTDOMAIN=mydomain
to dovecot.conf;

• the combination of both of the above.

However, after restarting dovecot none of these changes seem to have any 
effect: `dovecot --hostdomain` still returns "localhost".

This is with dovecot version 2.2.13.

How should one change this setting?


Thanks,

Arie


Re: fail to compile with openssl-1.1.x

2016-09-25 Thread Aki Tuomi

> On September 25, 2016 at 9:32 PM "A. Schulze"  wrote:
> 
> 
> Hi again,
> 
> now I get compile errors. Is openssl-1.1.xy supported?
> 
> iostream-openssl.c: In function 'openssl_iostream_verify_client_cert':
> iostream-openssl.c:118:37: error: dereferencing pointer to incomplete type
>    subject = X509_get_subject_name(ctx->current_cert);
>                                      ^
> iostream-openssl.c:127:37: error: dereferencing pointer to incomplete type
>      X509_verify_cert_error_string(ctx->error), certname));
>                                      ^
>
> Andreas

Only with master branch. And it's not yet officially supported. 

Aki Tuomi
Dovecot oy


Re: Setting hostdomain

2016-09-25 Thread Christian Kivalo

On 2016-09-25 20:34, Arie Peterson wrote:

> Hi all,
>
> Preparing for a replication setup, I read (at the bottom of
> ) that `dovecot --hostdomain` should
> give a different output on the two servers. This is not the case for
> me: both give "localhost". I'm trying to change my configuration to set
> the hostdomain to another value, but I can't find how to do this.
>
> I tried:
>
> • setting the environment variable DOVECOT_HOSTDOMAIN=mydomain in
> /etc/default/dovecot (which is read by the init script);
>
> • adding the line
> import_environment = TZ DOVECOT_HOSTDOMAIN=mydomain
> to dovecot.conf;
>
> • the combination of both of the above.
>
> However, after restarting dovecot none of these changes seem to have
> any effect: `dovecot --hostdomain` still returns "localhost".

What's the output of 'hostname -f'?

What's in your /etc/hostname and /etc/hosts?

There was a thread a few weeks ago on how to have dovecot use a different 
hostname than the system hostname, see

http://www.dovecot.org/list/dovecot/2016-August/105284.html

> This is with dovecot version 2.2.13.
>
> How should one change this setting?
>
> Thanks,
>
> Arie

--
 Christian Kivalo


Re: Setting hostdomain

2016-09-25 Thread Arie Peterson
Christian Kivalo wrote:

> whats the output of 'hostname -f'
> 
> whats in your /etc/hostname and /etc/hosts?

That was indeed the problem. The output of `hostname -f` was "localhost", 
indicating how dovecot gets that result as well for its "hostdomain".

After changing the first line of /etc/hosts to
127.0.0.1  full.domain.name nameofthisparticularcomputer localhost

`dovecot --hostdomain` now returns "full.domain.name", as I wanted.

Thanks a lot for your quick responses Christian!


Kind regards,

Arie
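An added illustration of why the /etc/hosts edit above changes what `hostname -f` (and with it Dovecot's hostdomain) reports; it is not code from the thread. With glibc's `files` resolver backend, the canonical name of a host is the first name on the /etc/hosts line that lists the queried name, and every later name on that line is an alias. The awk model below reproduces that rule on two constructed hosts files: a "before" layout that yields `localhost`, and Arie's corrected line. The host name `nameofthisparticularcomputer` is taken from the message; the file contents are constructed for the demo, and the final line of `main` asks the live system the same question Christian asked.

```shell
#!/bin/sh
# Added example, not from the thread. Models how the resolver's files
# backend picks the canonical name: the first name on the /etc/hosts
# line that lists the queried name (the other names are aliases).

# canonical_name HOSTS_FILE NAME: print the canonical name for NAME, or
# nothing if NAME appears on no line
canonical_name() {
    awk -v want="$2" '
        # strip comments; after that, fields 2..NF are the names on the line
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $2; exit }
        }' "$1"
}

# hostdomain_ok HOSTS_FILE NAME: succeeds if NAME resolves to a fully
# qualified name rather than "localhost" or a bare short name
hostdomain_ok() {
    fqdn=$(canonical_name "$1" "$2")
    case $fqdn in
        ''|localhost) return 1 ;;   # resolver gives nothing useful
        *.*) return 0 ;;            # qualified name with a domain part
        *) return 1 ;;              # short name without a domain
    esac
}

# constructed hosts files: the layout that yields "localhost" and the
# corrected one from the thread (FQDN first, short name and localhost after)
write_samples() {
    dir=$1
    printf '127.0.0.1 localhost nameofthisparticularcomputer\n::1 localhost ip6-localhost\n' \
        > "$dir/hosts.before"
    printf '# corrected: FQDN first, aliases after it\n127.0.0.1  full.domain.name nameofthisparticularcomputer localhost\n::1 localhost ip6-localhost\n' \
        > "$dir/hosts.after"
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in hosts.before hosts.after; do
        echo "$f: canonical name = $(canonical_name "$dir/$f" nameofthisparticularcomputer)"
    done
    # the live system, same question the thread asked
    echo "this host: $(hostname 2>/dev/null) -> $(hostname -f 2>/dev/null)"
    rm -rf "$dir"
}
main
```

Running `canonical_name /etc/hosts "$(hostname)"` on a real machine shows what the files backend would answer; if DNS is consulted first (see the `hosts:` line in /etc/nsswitch.conf), `hostname -f` may differ from the file.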


Re: Self-Signed Certificate issue

2016-09-25 Thread Joseph Tam

Darryl Baker writes:

> I am running a small email site which I am moving from uw-imapd and Solaris
> to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
> certificate for this site. I am using Thunderbird as the test client. I've
> tried both the pre-built snakeoil certificate and building a special one
> for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
> The certificate was created by:
>
> openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem
> -keyout /etc/ssl/private/dovecot.pem


Are you using this as a server certificate or as a client certificate?  Please
output your dovecot's configuration, esp. your SSL setup.

doveconf -n | grep ssl

Joseph Tam