1 (edited by user1 2012-10-31 10:14:21)

Topic: SSL certificate not reading properly

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04
====

Hi all, I set up iRedMail and it was working great, thanks to ZhangHuangbin for the great effort! Now I am attempting to remove the Outlook warning message about the self-signed certificate. I went ahead and got one cert from godaddy.com. I changed the settings for apache2, Postfix and Dovecot to point to the new SSL cert.

Problem: apache2 and Postfix are working fine, https://your_server/mail stopped showing the warning and Postfix over TLS also stopped prompting me about the cert. But for Dovecot it still has the same warning message. And when I look at the cert it provided (when I connect using Outlook there is a view cert button), it seems to be a different cert altogether; it is signed by FortiGate CA (mine is from godaddy).

I have googled quite a fair bit and I tried various ways. I added in the ssl_key_password and ssl_ca, but it didn't work either.

I followed this article but the problem still persists.
# http://www.axelsegebrecht.com/how-to/in … -iredmail/

I looked at this topic but the merging of certs didn't help either.
http://www.iredmail.org/forum/topic808- … daddy.html

To me it seems like Dovecot is not using my cert at all, but I am sure the settings below are pointing at the correct folder.
I have given the folder the correct permissions too.
ssl_key_file = /etc/ssl/private/[yourname].key
ssl_cert_file = /etc/ssl/certs/[yourname].crt


Thanks for reading till the end. I'll truly appreciate any help or suggestions given.
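As an added diagnostic (not from the original post and not part of iRedMail), the POSIX shell functions below fetch the certificate a Dovecot listener actually presents and compare its SHA-256 fingerprint and issuer with the file that ssl_cert points at. The hostname, port and file paths are placeholders to substitute. Running the check on the mail server itself against 127.0.0.1 and then again from the client's network separates the two possible causes: a mismatch in both runs means Dovecot is serving a different file than expected, while a mismatch only from the client side means a TLS-inspecting device on the path (such as the FortiGate whose CA shows up in Outlook) is re-signing the connection and Dovecot's configuration is not at fault.

```shell
#!/bin/sh
# Added example, not from the original post or from iRedMail.
# Requires the openssl command-line tool. Host, port and paths are placeholders.

# SHA-256 fingerprint of the (first) certificate in a PEM file, as AA:BB:...
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Issuer DN of the (first) certificate in a PEM file.
cert_issuer_file() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Exit 0 when two PEM files carry the same certificate, 1 otherwise.
certs_match() {
    [ "$(cert_fingerprint_file "$1")" = "$(cert_fingerprint_file "$2")" ]
}

# Fetch the leaf certificate presented by a TLS service into the PEM file "$3".
# POP3S/IMAPS (995/993) speak TLS immediately; for 110/143 pass "pop3" or
# "imap" as the optional 4th argument so openssl issues STARTTLS first.
fetch_server_cert() {
    host=$1; port=$2; out=$3; starttls=$4
    if [ -n "$starttls" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$starttls" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM > "$out"
}

# Compare the presented certificate with the configured one and report both
# issuers, so a swapped-in certificate (different issuer) is visible at once.
# Exit 0 on match, 1 on mismatch, 2 if no certificate could be fetched.
check_presented_cert() {
    configured=$1; host=$2; port=$3; starttls=$4
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$host" "$port" "$tmp" "$starttls"; then
        rm -f "$tmp"
        echo "could not fetch a certificate from $host:$port"
        return 2
    fi
    echo "configured issuer: $(cert_issuer_file "$configured")"
    echo "presented  issuer: $(cert_issuer_file "$tmp")"
    if certs_match "$configured" "$tmp"; then
        echo "MATCH: $host:$port presents the configured certificate"
        rc=0
    else
        echo "MISMATCH: $host:$port presents a different certificate"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage with placeholder paths, first on the server itself:
#   check_presented_cert /etc/ssl/certs/yourname.crt 127.0.0.1 995
# then from a client machine, using the server's public name instead of 127.0.0.1.
```

On Dovecot 2.x the file that `ssl_cert = </path` refers to is the one to pass as the first argument; if the chain was merged into one file, only the leaf (first) certificate is fingerprinted, which is what a client compares against anyway.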


2

Re: SSL certificate not reading properly

Ubuntu 12.04 ships Dovecot 2.x; you should use the settings below in /etc/dovecot/dovecot.conf instead:

ssl_cert = </path/to/your/cert.crt
ssl_key = </path/to/your/cert.key

Hope it helps.

3

Re: SSL certificate not reading properly

Hey, thanks for the reply.
I have tried with and without it. It still behaves the same.

The weird part is that using the exact same cert for the apache2 web server and Postfix works, but it fails for Dovecot. Hmm...

4

Re: SSL certificate not reading properly

- Do you have duplicate settings of ssl_cert and ssl_key in dovecot.conf?
- If not, show us the output of the command "dovecot -n" please.

5 (edited by user1 2012-10-31 14:34:28)

Re: SSL certificate not reading properly

Nope, I have commented out all the other ssl_cert and ssl_key lines that come with the default iRedMail.

Here goes "dovecot -n"

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-32-generic-pae i686 Ubuntu 12.04.1 LTS 
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  expire = db:/var/lib/dovecot/expire/expire.db
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 1001
last_valid_uid = 1001
listen = *
log_path = /var/log/dovecot.log
mail_gid = 1002
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_uid = 1001
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  expire = Trash 7 Trash/* 7 Junk 30
  expire_dict = proxy::expire
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /%Lh/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = </aaa/4/merged5.crt
ssl_key = </asd/proximityjobs.key
ssl_key_password = secretpassword
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate acl
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate acl imap_acl
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

6

Re: SSL certificate not reading properly

Any related error log in Dovecot log file (/var/log/dovecot.log)?

7

Re: SSL certificate not reading properly

The log seems OK. This log was generated by my attempt to connect to the mail server; it prompted me whether I would want to accept the cert, and I chose no.

Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [10.0.2.2]
Nov 01 09:24:40 pop3-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [10.0.2.2]
Nov 01 09:24:42 pop3-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [10.0.2.2]
Nov 01 09:24:42 pop3-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [10.0.2.2]
Nov 01 09:24:42 pop3-login: Info: Disconnected (no auth attempts): rip=10.0.2.2, lip=10.0.2.15, TLS

8

Re: SSL certificate not reading properly

No idea yet, sorry.

But you don't have "ssl = required" or "ssl = yes" in dovecot.conf.

9

Re: SSL certificate not reading properly

No problem, it's OK.
I checked, and I do have ssl = yes in dovecot.conf.

Thanks for the fast response.