1

Topic: SSL Cert -> Pem with Dovecot 143 failure

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Admin-Pro on CentOS 6 with MySQL
Old cert expiring.
New purchased via Comodo

Key generated and csr done. cert back and combined 4 crt bundle into domain_name_2017.pem

Using: https://docs.iredmail.org/use.a.bought. … icate.html as guide.
This is an old install with many upgrades so had to do some tracking down in references but think I've got almost all working. 
Using Mac with Thunderbird for e-mail client testing.
It shows a Dovecot 143 error.

I have two accounts configured in Thunderbird:
a) IMAP set to 993 - SSL/TLS on Mac OS
b) IMAP set to 143 - STARTTLS on Mac OS

Altered the settings so ALL are SSL/TLS on 993 -- still get an error.

NOTE:
ssl = required
ssl_cert = </etc/pki/tls/certs/cert.pem
ssl_key = </etc/pki/tls/private/privkey.pem
ssl_ca = </etc/pki/tls/certs/fullchain.pem

In my config the ssl_ca is commented out but it was commented out with old cert and working fine until the change today.  So, what am I missing - doing wrong?


Thank you for the quick help!!!   ;-)


2

Re: SSL Cert -> Pem with Dovecot 143 failure

What's the error message in Dovecot log file or Thunderbird?
Does it work if you enable 'ssl_ca =' with correct bundle file?

3 (edited by pbf343 2017-12-06 10:44:35)

Re: SSL Cert -> Pem with Dovecot 143 failure

ZhangHuangbin wrote:

What's the error message in Dovecot log file or Thunderbird?

imap.log
imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=x.x.x.x, lip=x.x.x.x, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<R/jvv6JfRgBIVP5y>



ZhangHuangbin wrote:

Does it work if you enable 'ssl_ca =' with correct bundle file?

So what is the "correct bundle file" when concatenating them together (& order)? For example: is it just the Comodo bundle together? If it is all four, that is the same .pem file?


They issued the below and this is the order concatenated to: domain_name_date.pem
    STAR_ourdomain.crt
    COMODORSADomainValidationSecureServerCA.crt
    COMODORSAAddTrustCA.crt
    AddTrustEsternalCARoot.crt

4 (edited by pbf343 2017-12-06 11:07:59)

Re: SSL Cert -> Pem with Dovecot 143 failure

FYI: Did try the modification of the ssl_ca value but it fails

ssl_ca =</etc/pki/tls/certs/comodo_wildcard_2017_domain.tld.pem

Is the ssl_ca tied to the database somehow? Seems to be referenced there via Google a lot, with it seeking a value of a pem file for the Certificate Authorities.

Why/how would it have been working previously if commented out and now it fails?

Also, the ssl_key value references a key file generated today. I do not recall from reading earlier, but isn't a pem file a DKEF which is the same as generated requests in OpenSSL? Sorry, no Cryptography experience.
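
A way to assemble the bundle in the order asked about above and to check it before Dovecot loads it, added here as an example rather than anything from the thread or from iRedMail. It assumes openssl is installed and that the CA root shipped with the purchased certificate is in its own file (root.crt); Dovecot reads the chain from ssl_cert (server certificate first, then the intermediates), while ssl_ca is for verifying client certificates, which is why the chain does not belong there:

```shell
#!/bin/sh
# Added example (not code from the thread or from iRedMail). Builds the file
# Dovecot's ssl_cert points at in the order TLS clients expect: server cert
# first, then each intermediate, root last. File names are assumptions.
set -eu

# build_bundle OUT LEAF INTERMEDIATE... [ROOT]
# Concatenates the PEM files in the given order and guarantees a newline between
# them so an "-----END" and the next "-----BEGIN" never share a line.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    if [ -n "$(tail -c1 "$f")" ]; then echo >> "$out"; fi
  done
  chmod 644 "$out"
}

# check_bundle BUNDLE KEY ROOT
# 1. the private key must belong to the FIRST certificate in the bundle;
# 2. that certificate must chain up to ROOT using only the rest of the bundle,
#    which is exactly what a client that lacks the intermediates has to do.
check_bundle() {
  bundle=$1; key=$2; root=$3
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)   # first cert only
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$key does not match the first certificate in $bundle" >&2
    return 1
  fi
  # Match on ": OK" rather than the exit code: old openssl releases (such as
  # the 1.0.1 on CentOS 6) exit 0 even when verification fails.
  openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" 2>/dev/null | grep -q ': OK$'
}

# probe HOST PORT : shows the chain and verify result a client such as
# Thunderbird sees. Port 143 is STARTTLS, 993 is implicit TLS.
probe() {
  host=$1; port=$2; opt=
  [ "$port" = 143 ] && opt="-starttls imap"
  openssl s_client -connect "$host:$port" -servername "$host" $opt </dev/null 2>&1 \
    | grep -E 'Verify return code|^ *[0-9]+ s:'
}

# Usage (assumed paths; root.crt is the CA root shipped with the purchased cert):
#   build_bundle /etc/pki/tls/certs/cert.pem leaf.crt intermediate1.crt intermediate2.crt root.crt
#   check_bundle /etc/pki/tls/certs/cert.pem /etc/pki/tls/private/privkey.pem root.crt
#   probe mail.example.com 993
```

Run check_bundle before restarting Dovecot; if it fails on the key comparison the wrong certificate is first in the file, and if it fails on verify an intermediate is missing or out of order.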

5 (edited by pbf343 2017-12-06 11:49:27)

Re: SSL Cert -> Pem with Dovecot 143 failure

Interesting.  Commented back out the ssl_ca from dovecot.conf. 
However, doveconf -n shows this

shutdown_clients = yes
ssl = required
ssl_ca =


Yet, this file:     /etc/dovecot/conf.d/10-ssl.conf     has no value defined as well (commented out).
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
#ssl_ca

6

Re: SSL Cert -> Pem with Dovecot 143 failure

pbf343 wrote:

Interesting.  Commented back out the ssl_ca from dovecot.conf. 
However, doveconf -n shows this

shutdown_clients = yes
ssl = required
ssl_ca =

Wait, that might be wrong, as running it again it does not appear to show up...


pbf343 wrote:

Yet, this file:     /etc/dovecot/conf.d/10-ssl.conf     has no value defined as well (commented out).
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
#ssl_ca

7

Re: SSL Cert -> Pem with Dovecot 143 failure

iRedMail doesn't use /etc/dovecot/conf.d/*, just /etc/dovecot/dovecot.conf.