[solved] dovecot ssl/tls problem

Discussion in 'Server Operation' started by Tomislav Aurednik, May 31, 2017.

  1. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    I have a big problem. Dovecot won't receive mail with the SSL/TLS configuration. The config is the same as on my old server (Ubuntu 14.04), where it works. With the original config file it also works.
    dovecot.conf (the added part)
    listen = *,[::]
    protocols = imap pop3 imaps pop3s
    auth_mechanisms = plain login
    disable_plaintext_auth = yes
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    postmaster_address = postmaster@my.domain.si
    ssl_dh_parameters_length = 2048
    ssl = required
    ssl_require_crl = yes
    ssl_cert = </etc/ssl/private/ispserver.pem
    ssl_key = </etc/ssl/private/ispserver.pem
    ssl_ca = </etc/ssl/private/ispserver.pem
    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    ssl_prefer_server_ciphers = yes
    ssl_dh_parameters_length = 2048
    [ ...default config ]

    netstat -ntlp | grep LISTEN
    ...
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 12952/dovecot
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 12952/dovecot
    ...
    tcp6 0 0 :::993 :::* LISTEN 12952/dovecot
    tcp6 0 0 :::995 :::* LISTEN 12952/dovecot

    openssl s_client -connect localhost:995 -> output is the correct cert and at the end +OK Dovecot ready.
    openssl s_client -connect localhost:993 -> output is the correct cert and at the end * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

    But if I try to telnet from my PC
    (telnet 192.168.xxx.xxx 993 or telnet 192.168.xxx.xxx 995) I only get a black screen. But if I try ports 25 or 587 I get "220 my.domain.si ESMTP (Ubuntu)".

    Did I forget to configure something? Is there any other way to test it?
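The "black screen" telnet shows on 993/995 is what an implicit-TLS port looks like from a plaintext client: the server sends nothing until it receives a TLS ClientHello, which is why openssl s_client gets the banner and telnet does not, while 25, 587, 143 and 110 greet immediately. The probe below is an added example, not code from the post, from Dovecot or from ISPConfig; it performs both checks in turn and classifies the port. The fake listeners in start_fake_server() and demo() are constructed stand-ins so the script runs offline (they show only the "plaintext" and "silent" outcomes); against a real Dovecot port 993, probe() returns "implicit-tls" with the "* OK [CAPABILITY ..." greeting as tls_banner. Host, port and timeout values are assumptions.

```python
"""Tell an implicit-TLS mail port from a plaintext one.

Added example for the thread above, not code from the post or from Dovecot.
A plain TCP client (telnet) on 993/995 sees nothing because the server waits
for a TLS ClientHello; on 143/110/25 it sees a greeting at once. probe()
reproduces both checks and classifies the port. The fake servers built by
start_fake_server()/demo() are constructed stand-ins so this runs offline;
on a real host call probe("192.168.x.x", 993).
"""
import socket
import ssl
import threading


def read_banner(sock, timeout):
    """Return the first line the peer sends, or None if it stays silent."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(1024)
    except socket.timeout:
        return None
    return data.decode("utf-8", "replace").split("\r\n", 1)[0] if data else None


def probe(host, port, timeout=3.0):
    """Classify host:port as 'plaintext', 'implicit-tls', 'silent' or 'closed'."""
    result = {"kind": None, "plain_banner": None, "tls_banner": None, "error": None}
    # Step 1: what telnet does - connect and wait for a greeting in the clear.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["plain_banner"] = read_banner(s, timeout)
    except OSError as exc:
        result.update(kind="closed", error=str(exc))
        return result
    if result["plain_banner"] is not None:
        result["kind"] = "plaintext"          # 143/110/25/587-style listener
        return result
    # Step 2: what openssl s_client does - speak TLS first, then read the banner.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # diagnostic only; verify the cert separately
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_banner"] = read_banner(tls, timeout)
    except OSError as exc:                    # ssl.SSLError is an OSError subclass
        result.update(kind="silent", error=str(exc))
        return result
    result["kind"] = "implicit-tls"
    return result


def start_fake_server(banner, connections=2):
    """Constructed stand-in listener on 127.0.0.1 (not a real Dovecot).

    Sends `banner` (or nothing, if None, like an implicit-TLS port seen from
    telnet) to each of `connections` clients, waits for the client to speak
    or hang up, then closes. Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                if banner is not None:
                    conn.sendall(banner)
                conn.settimeout(5.0)
                try:
                    conn.recv(1024)           # ClientHello or EOF; either way we are done
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=1.0):
    """Probe a greeting server and a silent one; returns both classifications."""
    greeting_port = start_fake_server(b"+OK Dovecot ready.\r\n")
    silent_port = start_fake_server(None)
    return {
        "greeting": probe("127.0.0.1", greeting_port, timeout),
        "silent": probe("127.0.0.1", silent_port, timeout),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["kind"], r["plain_banner"] or r["tls_banner"] or r["error"])
```

The certificate check is switched off on purpose so the probe answers the one question asked here (does the port speak TLS at all); run openssl s_client with -CAfile, or probe() with a default context, to verify the chain separately.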
     
  2. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    I enabled the log and I got this when I tried to telnet:
    master: Info: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disabled)
    2017-05-31 09:50:10 config: Warning: service auth { client_limit=1000 } is lower than required under max. load (2800)
    2017-05-31 09:50:10 config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2703)
    2017-05-31 09:50:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<FPVtLc1QXqwAAAAAAAAAAAAAAAAAAAAB>
    2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.123.15]
    2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.123.15]
    2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.123.15]
    2017-05-31 09:51:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<f18CMc1QbKwAAAAAAAAAAAAAAAAAAAAB>
    2017-05-31 09:52:27 imap-login: Debug: SSL error: Disconnected

    Running telnet 192.168.xxx.xxx imap or telnet 192.168.xxx.xxx pop3 works!
     
    Last edited: May 31, 2017
  3. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    It was a permission problem and not ssl/tls. The custom config file had 640 permissions, changing them to 644 solved the problem.
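Since the fix was a file mode change, the check a practitioner wants afterwards is a quick audit of the modes a Dovecot TLS setup depends on: config drop-ins that are not world-readable (the 0640 file in this thread) and, the opposite fault, a combined PEM such as the ispserver.pem above, which holds the private key and should stay readable by root only. The script below is an added example, not code from the post, from Dovecot or from ISPConfig. build_sample_tree() constructs a throwaway directory containing exactly those two faults so the audit runs offline; the paths, file names and the rule that flags any group/other access to the key are assumptions (relax the group check if the key is deliberately root:ssl-cert 0640 as Debian's /etc/ssl/private layout allows).

```python
"""Audit file modes for a Dovecot TLS setup.

Added example for the thread above, not code from the post or from Dovecot.
Two opposite faults are reported: a config file that is not world-readable
(the 0640 drop-in that broke the thread's setup) and a private-key file that
is readable by group or other. build_sample_tree() constructs a sample
/etc/dovecot-like tree with both faults; on a real host call
audit("/etc/dovecot", ["/etc/ssl/private/ispserver.pem"]) instead.
"""
import os
import stat
import tempfile

CONFIG_SUFFIXES = (".conf", ".conf.ext")     # assumption: what counts as a config file


def classify(path, is_secret):
    """Return (path, octal mode string, finding); finding is None when OK."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if is_secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
        finding = "private key readable by group/other"
    elif not is_secret and not mode & stat.S_IROTH:
        finding = "config not world-readable"
    else:
        finding = None
    return path, oct(mode), finding


def audit(conf_dir, secret_files):
    """Walk conf_dir for config files, then check the key files.

    Returns {path: finding} for everything that needs attention.
    """
    problems = {}
    for root, _dirs, files in os.walk(conf_dir):
        for name in sorted(files):
            if name.endswith(CONFIG_SUFFIXES):
                path, _mode, finding = classify(os.path.join(root, name), is_secret=False)
                if finding:
                    problems[path] = finding
    for path in secret_files:
        path, _mode, finding = classify(path, is_secret=True)
        if finding:
            problems[path] = finding
    return problems


def build_sample_tree():
    """Constructed sample tree: one 0640 drop-in and a world-readable key PEM."""
    base = tempfile.mkdtemp(prefix="dovecot-audit-")
    confd = os.path.join(base, "conf.d")
    os.mkdir(confd)
    files = {
        os.path.join(base, "dovecot.conf"): 0o644,
        os.path.join(confd, "10-ssl.conf"): 0o644,
        os.path.join(confd, "99-custom.conf"): 0o640,   # the thread's culprit
        os.path.join(base, "ispserver.pem"): 0o644,      # key material; should be 0600
    }
    for path, mode in files.items():
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return base


def demo():
    """Audit the sample tree; findings keyed by basename for readability."""
    base = build_sample_tree()
    problems = audit(base, [os.path.join(base, "ispserver.pem")])
    return {os.path.basename(p): f for p, f in problems.items()}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

The audit reads modes only; fixing them is deliberately left to the administrator (chmod 644 on the config, chmod 600 on the PEM) because the right owner and group depend on how the certificate is deployed.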
     
