1

Topic: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error

==== Provide required information ====
- iRedMail version and backend (LDAP/MySQL/PGSQL): iRedAdmin-Pro-LDAP-1.7.2
- Linux/BSD distribution name and version: CentOS 5.8
- Any related log? Log is helpful for troubleshooting.
====

Hi,

My CentOS updated OpenSSL, and after the update Dovecot started throwing errors like:

Jun 15 08:22:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:22:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:22:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:23:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:23:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:23:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:24:11 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:24:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:24:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:25:12 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:25:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:25:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:26:12 pop3-login: Info: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xx.x, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:26:32 pop3-login: Info: Login: user=<user@mydomain.com>, method=PLAIN, rip=172.16.1.13, lip=xxx.xxx.xx.x, TLS
Jun 15 08:26:32 POP3(user@mydomain.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
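
As an added example (not part of the original post), here is a small Python triage script for Dovecot login-process logs like the ones above: it separates TLS handshake failures from successful logins, counts both per remote IP, and flags remote IPs that only ever fail the handshake as well as any login that completed without TLS. The log lines inside are constructed, modelled on the excerpt above with placeholder addresses. For context, "sslv3 alert certificate unknown" is the TLS alert a peer sends when it does not accept the certificate it was shown, so a remote IP that repeatedly fails at exactly that point and never logs in is worth checking for which certificate or CA it trusts.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Dovecot 1.2 excerpt in the post.
# Addresses and users are placeholders (RFC 5737 test networks), not real hosts.
SAMPLE_LOG = """\
Jun 15 08:22:11 pop3-login: Info: Disconnected (no auth attempts): rip=203.0.113.10, lip=192.0.2.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:22:32 pop3-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=172.16.1.13, lip=192.0.2.5, TLS
Jun 15 08:22:32 POP3(user@example.com): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 15 08:23:11 pop3-login: Info: Disconnected (no auth attempts): rip=203.0.113.10, lip=192.0.2.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:23:32 pop3-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=172.16.1.13, lip=192.0.2.5, TLS
Jun 15 08:24:11 imap-login: Info: Disconnected (no auth attempts): rip=203.0.113.10, lip=192.0.2.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Jun 15 08:25:00 imap-login: Info: Login: user=<other@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5
"""

# One Dovecot 1.x line: "Mon DD HH:MM:SS service(optional-user): Level: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<service>[\w-]+)(?:\([^)]*\))?: (?P<level>\w+): (?P<msg>.*)$"
)
RIP_RE = re.compile(r"\brip=(?P<rip>[^,\s]+)")
# OpenSSL error string as Dovecot prints it after a failed SSL_accept()
HANDSHAKE_RE = re.compile(
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>error:[0-9A-Fa-f]+:[^,]*)"
)
LOGIN_RE = re.compile(r"^Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+)")


def parse_line(line):
    """Parse one Dovecot log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    rip_m = RIP_RE.search(msg)
    rec = {
        "ts": m.group("ts"),
        "service": m.group("service"),
        "rip": rip_m.group("rip") if rip_m else None,
        "kind": "other",
    }
    hs = HANDSHAKE_RE.search(msg)
    if hs:
        rec.update(kind="handshake_failure", error=hs.group("err"))
        return rec
    lg = LOGIN_RE.match(msg)
    if lg:
        # Dovecot appends ", TLS" to the Login line when the session was encrypted
        rec.update(kind="login", user=lg.group("user"), method=lg.group("method"),
                   tls=bool(re.search(r",\s*TLS\b", msg)))
    return rec


def summarize(log_text):
    """Aggregate handshake failures and logins per remote IP and flag what needs a look."""
    failures, by_error, logins, plaintext = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "handshake_failure":
            failures[rec["rip"]] += 1
            by_error[rec["error"]] += 1
        elif rec["kind"] == "login":
            logins[rec["rip"]] += 1
            if not rec["tls"]:
                plaintext.append((rec["user"], rec["rip"]))
    return {
        "handshake_failures": failures,
        "failures_by_error": by_error,
        "logins": logins,
        # IPs that never complete a handshake: a client that rejects the server cert,
        # or one speaking plaintext to a port that expects TLS
        "rips_failing_only": sorted(r for r in failures if r not in logins),
        # logins that were not protected by TLS: the password crossed the wire in clear
        "plaintext_logins": plaintext,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for err, n in report["failures_by_error"].items():
        print(f"{n:4d}  {err}")
    print("remote IPs that only fail the handshake:", report["rips_failing_only"])
    print("logins without TLS:", report["plaintext_logins"])
```

Run it against `/var/log/dovecot.log` by replacing `SAMPLE_LOG` with the file contents; the per-error counter tells you whether every failure is the same alert, and the failing-only list narrows the problem to specific clients rather than the server configuration.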

2

Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error

Does this client have STARTTLS enabled in the mail client?

It says "no auth attempts"; it looks like this client tried to perform POP3 authentication without STARTTLS.
And I saw some clients can successfully log in (... Info: Login: user=<user@mydomain.com>, method=PLAIN ...). So I think your Dovecot config is fine, it is just a mail client (e.g. Outlook, Thunderbird, etc.) issue.

May I know which version of iRedMail you're running? Could you please show us the output of the command 'dovecot -n' here to help troubleshoot?

3 (edited by ketan.aagja 2012-06-16 17:41:11)

Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error

I am using iRedMail-0.8.0 with iRedAdmin-Pro-LDAP-1.7.2

Here is the output for your reference.

[root@mail log]# dovecot -n
# 1.2.17: /etc/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5 x86_64 CentOS release 5.8 (Final)
log_path: /var/log/dovecot.log
protocols: pop3 pop3s imap imaps managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): 127.0.0.1:2000
ssl: required
ssl_ca_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_cert_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_key_file: /etc/pki/tls/private/iRedMail.key
disable_plaintext_auth: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/libexec/dovecot/managesieve-login
mail_max_userip_connections(default): 100
mail_max_userip_connections(imap): 100
mail_max_userip_connections(pop3): 100
mail_max_userip_connections(managesieve): 10
first_valid_uid: 501
last_valid_uid: 501
mail_uid: 501
mail_gid: 501
mail_location: maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mmap_disable: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_executable(managesieve): /usr/libexec/dovecot/managesieve
mail_process_size: 1024
mail_plugins(default): quota imap_quota autocreate
mail_plugins(imap): quota imap_quota autocreate
mail_plugins(pop3): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
mail_plugin_dir(managesieve): /usr/lib64/dovecot/managesieve
imap_client_workarounds(default): tb-extra-mailbox-sep
imap_client_workarounds(imap): tb-extra-mailbox-sep
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: shared
  separator: /
  prefix: Shared/%%u/
  location: maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  list: children
  subscriptions: yes
lda:
  postmaster_address: root
  auth_socket_path: /var/run/dovecot/auth-master
  mail_plugins: quota sieve autocreate
  sieve_global_path: /mnt/glusterfs/sieve/dovecot.sieve
  log_path: /var/log/sieve.log
auth default:
  mechanisms: plain login
  default_realm: mydomain.com
  user: vmail
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/dovecot-auth
      mode: 438
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 438
      user: vmail
      group: vmail
plugin:
  quota_warning: storage=85%% /usr/local/bin/dovecot-quota-warning.sh 85
  quota_warning2: storage=90%% /usr/local/bin/dovecot-quota-warning.sh 90
  quota_warning3: storage=95%% /usr/local/bin/dovecot-quota-warning.sh 95
  quota: dict:user::proxy::quotadict
  quota_rule: *:storage=0
  expire: Trash 7 Trash/* 7 Junk 30
  expire_dict: proxy::expire
  auth_socket_path: /var/run/dovecot/auth-master
  sieve: /%Lh/sieve/dovecot.sieve
  autocreate: INBOX
  autocreate2: Sent
  autocreate3: Trash
  autocreate4: Drafts
  autocreate5: Junk
  autosubscribe: INBOX
  autosubscribe2: Sent
  autosubscribe3: Trash
  autosubscribe4: Drafts
  autosubscribe5: Junk
  acl: vfile
  acl_shared_dict: proxy::acl
  sieve: /mnt/glusterfs/sieve/%Ld/%Ln/dovecot.sieve
  sieve_dir: /mnt/glusterfs/sieve/%Ld/%Ln
dict:
  expire: db:/var/lib/dovecot/expire/expire.db
  quotadict: mysql:/etc/dovecot-used-quota.conf
  acl: mysql:/etc/dovecot-share-folder.conf

4

Re: routines:SSL3_READ_BYTES:sslv3 alert certificate unknown error

You have the following settings in dovecot.conf:

ssl: required
disable_plaintext_auth: yes

It means all mail clients are forced to enable STARTTLS. So, please make sure your clients have STARTTLS enabled in the mail client (e.g. Thunderbird, Outlook).

Or, if you still want to allow plain text passwords, try updating the above two settings in dovecot.conf to the following:

ssl = yes
disable_plaintext_auth = no

'ssl = yes' means either STARTTLS or plain text is OK, but STARTTLS is used if available.
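
As an added example, not part of the reply above: a small Python check that parses either 'dovecot -n' output ("key: value") or dovecot.conf ("key = value") and reports what the ssl / disable_plaintext_auth pair permits, so you can see before relaxing the settings whether a client that skips STARTTLS would be able to send its password in clear. The two configs inside are constructed from values shown in this thread; the semantics encoded are Dovecot's documented behaviour for these two settings.

```python
import re

# Constructed excerpt in the "dovecot -n" style shown earlier in the thread
# (Dovecot 1.x prints "key: value"); the paths are those from that output.
STRICT_CONFIG = """\
# 1.2.17: /etc/dovecot.conf
protocols: pop3 pop3s imap imaps managesieve
ssl: required
ssl_ca_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_cert_file: /etc/pki/tls/certs/iRedMail_CA.pem
ssl_key_file: /etc/pki/tls/private/iRedMail.key
disable_plaintext_auth: yes
auth default:
  mechanisms: plain login
"""

# The relaxed pair of settings from the reply, in dovecot.conf "key = value" form.
RELAXED_CONFIG = """\
ssl = yes
disable_plaintext_auth = no
"""

# key up to the first ':' or '=', then the value; values may themselves contain ':'
KV_RE = re.compile(r"^(?P<key>[^:=]+?)\s*[:=]\s*(?P<value>.*?)\s*$")


def parse_settings(text):
    """Collect top-level settings from dovecot -n output or dovecot.conf.

    Accepts both "key: value" (dovecot -n) and "key = value" (dovecot.conf).
    Comment lines and indented sub-blocks (namespace, auth, plugin, ...) are skipped,
    since only the top-level ssl / disable_plaintext_auth knobs matter here.
    """
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def assess_auth_policy(settings):
    """Decide whether this ssl / disable_plaintext_auth pair lets a password cross the wire in clear.

    Dovecot semantics:
      ssl = required  -> every client must negotiate TLS (STARTTLS, or the pop3s/imaps ports)
      ssl = yes       -> TLS is offered, but plaintext sessions are still accepted
      disable_plaintext_auth = yes -> PLAIN/LOGIN refused unless the session is TLS
                                      (or otherwise treated as secured, e.g. from localhost)
    """
    ssl = settings.get("ssl", "").strip().lower()
    dpa = settings.get("disable_plaintext_auth", "").strip().lower()
    tls_required = ssl == "required"
    plaintext_session_possible = not tls_required
    plaintext_auth_allowed = plaintext_session_possible and dpa == "no"

    notes = []
    if not ssl:
        notes.append("ssl is not set explicitly; check the compiled-in default with dovecot -a")
    if not dpa:
        notes.append("disable_plaintext_auth is not set explicitly; check the default with dovecot -a")
    if plaintext_auth_allowed:
        notes.append("passwords may be sent in clear: a client that skips STARTTLS still authenticates")
    elif plaintext_session_possible:
        notes.append("plaintext sessions are accepted but authentication on them is refused; "
                     "clients must STARTTLS before logging in")
    else:
        notes.append("TLS is enforced for every session; clients without STARTTLS/TLS cannot log in")

    return {
        "ssl": ssl or None,
        "disable_plaintext_auth": dpa or None,
        "tls_required": tls_required,
        "plaintext_auth_allowed": plaintext_auth_allowed,
        "notes": notes,
    }


if __name__ == "__main__":
    for label, text in (("strict", STRICT_CONFIG), ("relaxed", RELAXED_CONFIG)):
        verdict = assess_auth_policy(parse_settings(text))
        print(f"[{label}] ssl={verdict['ssl']} disable_plaintext_auth={verdict['disable_plaintext_auth']}")
        for note in verdict["notes"]:
            print("   -", note)
```

Feed it the real `dovecot -n` output to see what the current setup enforces; the point of the check is that only `ssl = required` stops a misconfigured client from ever connecting in clear, while `ssl = yes` with `disable_plaintext_auth = yes` still blocks the password from being sent on an unencrypted session.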