1 (edited by migr 2020-07-01 16:46:14)

Topic: can not connect to dovecot using tls 1.2

my dovecot server does not accept connections with TLSv1.2, however 1, 1.1 & 1.3 are working

openssl s_client -crlf -connect ripley.calvi.de:993 -tls1_2 -> fails

postfix is working fine on all protocols

any idea what might be wrong ?


====
iRedMail version: 1.1 MYSQL edition
Deployed with downloadable installer
Ubuntu 18.04.4 LTS
ApacheiRedAdmin-Pro
====

2

Re: can not connect to dovecot using tls 1.2

Please enable debug mode in Dovecot and try this command again.
Any related error in Dovecot log files (/var/log/dovecot/*.log)?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: can not connect to dovecot using tls 1.2

Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [134.119.49.73]
Jul  7 14:41:53 ripley dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=134.119.49.73, lip=93.180.156.246, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<2JnkUNmpVtCGdzFJ>

4

Re: can not connect to dovecot using tls 1.2

and my ssl config

# http://wiki2.dovecot.org/SSL/DovecotConfiguration
# ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_protocols = !SSLv2 !SSLv3

ssl = required
verbose_ssl = yes

ssl_cert = </etc/letsencrypt/live/ripley.calvi.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/ripley.calvi.de/privkey.pem

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
ssl_prefer_server_ciphers = yes

5

Re: can not connect to dovecot using tls 1.2

- Weird, with your "ssl_protocols" setting, TLSv1 - 1.3 should all work.
- Did you try to test with mail client applications? e.g. Thunderbird, it should use TLSv1.2, or maybe 1.3, please give it a try.

if mail client applications don't use TLSv1.2, I suggest posting to Dovecot mailing list to get some support from developers:
https://www.dovecot.org/support

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee