1 (edited by migr 2020-07-01 16:46:14)

Topic: can not connect to dovecot using tls 1.2

My Dovecot server does not accept connections with TLSv1.2; however, TLSv1, 1.1 & 1.3 are working.

openssl s_client -crlf -connect ripley.calvi.de:993 -tls1_2 -> fails

Postfix is working fine on all protocols.

Any idea what might be wrong?


====
iRedMail version: 1.1 MYSQL edition
Deployed with downloadable installer
Ubuntu 18.04.4 LTS
Apache
iRedAdmin-Pro
====


2

Re: can not connect to dovecot using tls 1.2

Please enable debug mode in Dovecot and try this command again.
Any related error in Dovecot log files (/var/log/dovecot/*.log)?

3

Re: can not connect to dovecot using tls 1.2

Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=134.119.49.73, lip=93.180.156.246, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<2JnkUNmpVtCGdzFJ>
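
The debug lines above are OpenSSL's info-callback output as Dovecot logs it with verbose_ssl=yes: "where" is the callback flag word (0x10 = handshake start, 0x2001 = server accept loop, 0x2002 = server accept exit, 0x20 = handshake done), "ret" is the handshake return value (1 = progressing, -1 = failed), and the final "SSL_accept() failed" line carries the packed OpenSSL error code. The following script is an added example, not code from the post or from the Dovecot project: it parses lines of that shape, records for each client IP the last state reached with ret=1, the state in which ret went negative, and the decoded error code. The sample log embedded in it is a trimmed copy of the failing client above plus a constructed successful client (10.0.0.5) for contrast.

```python
"""Summarize Dovecot verbose_ssl handshake debug lines per client IP.

Added example (not from the forum post or the Dovecot project). It reads the
'Debug: SSL: where=..., ret=...' lines that Dovecot logs with verbose_ssl=yes
and the final 'SSL_accept() failed' line, and reports for each client the last
handshake state reached, the state in which the handshake failed, and the
decoded OpenSSL error code.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# OpenSSL SSL_CTX_set_info_callback() 'where' flags (from <openssl/ssl.h>).
SSL_CB_LOOP = 0x01             # still inside the handshake state machine
SSL_CB_EXIT = 0x02             # handshake function returned (ret<0 means error)
SSL_CB_HANDSHAKE_START = 0x10
SSL_CB_HANDSHAKE_DONE = 0x20
SSL_ST_ACCEPT = 0x2000         # server side: 0x2001 = accept loop, 0x2002 = accept exit

# Constructed sample: a trimmed copy of the failing client from the post above,
# plus an assumed successful client (10.0.0.5) that is not in the original log.
SAMPLE_LOG = """\
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=134.119.49.73, lip=93.180.156.246, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<2JnkUNmpVtCGdzFJ>
Jul  7 14:42:10 ripley dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [10.0.0.5]
Jul  7 14:42:10 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [10.0.0.5]
Jul  7 14:42:10 ripley dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [10.0.0.5]
Jul  7 14:42:10 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [10.0.0.5]
"""

SSL_DEBUG_RE = re.compile(
    r"Debug: SSL: where=(0x[0-9a-fA-F]+), ret=(-?\d+): (.*?) \[([^\]]+)\]$")
SSL_FAIL_RE = re.compile(
    r"rip=([^,]+),.*SSL_accept\(\) failed: error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^,]+)")


@dataclass
class Handshake:
    ip: str
    last_ok_state: Optional[str] = None   # last state logged with ret=1
    failed_at: Optional[str] = None       # first state logged with ret<0
    done: bool = False                    # SSL_CB_HANDSHAKE_DONE seen
    error_code: Optional[int] = None      # packed OpenSSL error, e.g. 0x1408F10B
    error_func: Optional[str] = None      # e.g. ssl3_get_record
    error_reason: Optional[str] = None    # e.g. wrong version number


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.1.x error code into (library, function, reason):
    ERR_GET_LIB = bits 31-24, ERR_GET_FUNC = bits 23-12, ERR_GET_REASON = bits 11-0."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_handshakes(log_text: str) -> Dict[str, Handshake]:
    """Group the SSL debug and failure lines by client IP (the bracketed / rip= address)."""
    handshakes: Dict[str, Handshake] = {}
    for line in log_text.splitlines():
        m = SSL_DEBUG_RE.search(line)
        if m:
            where, ret, state, ip = int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)
            hs = handshakes.setdefault(ip, Handshake(ip))
            if where & SSL_CB_HANDSHAKE_DONE:
                hs.done = True
            if ret > 0 and state != "error":
                hs.last_ok_state = state
            elif ret < 0 and hs.failed_at is None:
                hs.failed_at = state
            continue
        m = SSL_FAIL_RE.search(line)
        if m:
            hs = handshakes.setdefault(m.group(1), Handshake(m.group(1)))
            hs.error_code = int(m.group(2), 16)
            hs.error_func = m.group(4)
            hs.error_reason = m.group(5)
    return handshakes


def summarize(hs: Handshake) -> str:
    """One line per client: where the handshake got to and which OpenSSL routine rejected it."""
    if hs.done and hs.error_code is None:
        return f"{hs.ip}: handshake completed"
    lib, func, reason = decode_openssl_error(hs.error_code or 0)
    return (f"{hs.ip}: failed at '{hs.failed_at}' after '{hs.last_ok_state}'; "
            f"OpenSSL lib=0x{lib:02x} func=0x{func:03x} ({hs.error_func}) "
            f"reason=0x{reason:03x} ({hs.error_reason})")


if __name__ == "__main__":
    for hs in parse_handshakes(SAMPLE_LOG).values():
        print(summarize(hs))
```

Run against the posted log, the summary shows that the server had already written ServerHello, Certificate, ServerKeyExchange and ServerHelloDone with ret=1, and that the failure came from ssl3_get_record, OpenSSL's record-layer reader, on the next inbound record. That points at the bytes the client sent after ServerHelloDone rather than at the ClientHello, so the useful next step is to look at that exchange from the client side (for example `openssl s_client -msg`, or a capture on port 993) alongside the Dovecot log.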

4

Re: can not connect to dovecot using tls 1.2

And my SSL config:

# http://wiki2.dovecot.org/SSL/DovecotConfiguration
# ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_protocols = !SSLv2 !SSLv3

ssl = required
verbose_ssl = yes

ssl_cert = </etc/letsencrypt/live/ripley.calvi.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/ripley.calvi.de/privkey.pem

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
ssl_prefer_server_ciphers = yes

5

Re: can not connect to dovecot using tls 1.2

- Weird; with your "ssl_protocols" setting, TLSv1 through 1.3 should all work.
- Did you try to test with mail client applications, e.g. Thunderbird? It should use TLSv1.2, or maybe 1.3; please give it a try.

If mail client applications don't use TLSv1.2, I suggest posting to the Dovecot mailing list to get some support from the developers:
https://www.dovecot.org/support