Dovecot V 2.2.10 SSL issues

Hi, I am having problems with my Dovecot IMAP server. I want to make it use an SSL secure connection. I have set up the system with turning on SSL and pointing it to two SSL certificates.

Here are he errors I see in mail.log:
Code:
Apr 18 17:57:07 dserver1 postfix/smtpd[14587]: connect from 105-237-58-17.access.mtnbusiness.co.za[105.237.58.17]
Apr 18 17:57:08 dserver1 postfix/smtpd[14587]: NOQUEUE: reject: RCPT from 105-237-58-17.access.mtnbusiness.co.za[105.237.58.17]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Apr 18 17:57:08 dserver1 postfix/smtpd[14587]: disconnect from 105-237-58-17.access.mtnbusiness.co.za[105.237.58.17]
Apr 18 18:00:28 dpserver1 postfix/anvil[14589]: statistics: max connection rate 1/60s for (server_ip_here:smtp:105.237.58.17) at Apr 18 17:57:07
Apr 18 18:00:28 dserver1 postfix/anvil[14589]: statistics: max connection count 1 for (server_ip_here:smtp:105.237.58.17) at Apr 18 17:57:07
Apr 18 18:00:28 dserver1 postfix/anvil[14589]: statistics: max cache size 1 at Apr 18 17:57:07
Apr 18 18:02:03 dserver1 postfix/smtpd[14850]: initializing the server-side TLS engine
Apr 18 18:02:03 dserver1 postfix/smtpd[14850]: warning: cannot get RSA certificate from file /etc/ssl/postfix/mail.mydomain.com.csr: disabling TLS support
Apr 18 18:02:03 dserver1 postfix/smtpd[14850]: warning: TLS library problem: error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE:
Apr 18 18:02:03 dserver1 postfix/smtpd[14850]: warning: TLS library problem: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:729:

I used my desktop application called thunderbird to access the IMAP server. However, it gives me errors saying that no connection was made and that it might be that I maxed out the allowable connections. I recently upgraded Dovecot from an older version. I never set any maximum connections setting.

If someone can explain to me what these errors mean I would appreciate it. I am guessing that the issue is with the certificates that have been generated. They might not be trusted. :q
 
The error and warning messages in your mail log come from Postfix, and not from Dovecot.

The issue is, that Postfix can't find the RSA certificate in /etc/ssl/postfix/mail.mydomain.com.csr. Note, that from the file extension I would not expect to find a certificate in this file. CSR means Certificate Signing Request, and if the extension meets the content then this file would not contain a valid certificate, and Postfix would be correct to complain about this.

You would need to furnish the signed certificate together with the private key to Postfix and Dovecot.
 
obsigna said:
The error and warning messages in your mail log come from Postfix, and not from Dovecot.

The issue is, that Postfix can't find the RSA certificate in /etc/ssl/postfix/mail.mydomain.com.csr. Note, that from the file extension I would not expect to find a certificate in this file. CSR means Certificate Signing Request, and if the extension meets the content then this file would not contain a valid certificate, and Postfix would be correct to complain about this.

You would need to furnish the signed certificate together with the private key to Postfix and Dovecot.

You mean both have to have the same certificate?
 
hockey97 said:
obsigna said:
The error and warning messages in your mail log come from Postfix, and not from Dovecot.

The issue is, that Postfix can't find the RSA certificate in /etc/ssl/postfix/mail.mydomain.com.csr. Note, that from the file extension I would not expect to find a certificate in this file. CSR means Certificate Signing Request, and if the extension meets the content then this file would not contain a valid certificate, and Postfix would be correct to complain about this.

You would need to furnish the signed certificate together with the private key to Postfix and Dovecot.

You mean both have to have the same certificate?

Not necessarily, this depends on the domain names involved. If IMAP/POP3 and SMTP all listen on the same IP resolved by the same domain name, e.g. mail.yourdomain.com, then you may assign the same certificate and private key for all services. If you have different domains, e.g. imap.yourdomain.com, pop3.yourdomain.com, smtp.yourdomain.com, then you must assign different certificates and keys for each of the respectively named services, or you may assign a so-called wildcard certificate for all sub-domains of yourdomain.com, that one would have the entry CN="*.yourdomain.com".
 
The main problem is that you're trying to use a signing request (the .csrfile) in place of the real certificate (usually a .crt file), go trough your files and locate the correct certificate file.
 
obsigna said:
hockey97 said:
obsigna said:
The error and warning messages in your mail log come from Postfix, and not from Dovecot.

The issue is, that Postfix can't find the RSA certificate in /etc/ssl/postfix/mail.mydomain.com.csr. Note, that from the file extension I would not expect to find a certificate in this file. CSR means Certificate Signing Request, and if the extension meets the content then this file would not contain a valid certificate, and Postfix would be correct to complain about this.

You would need to furnish the signed certificate together with the private key to Postfix and Dovecot.

You mean both have to have the same certificate?

Not necessarily, this depends on the domain names involved. If IMAP/POP3 and SMTP all listen on the same IP resolved by the same domain name, e.g. mail.yourdomain.com, then you may assign the same certificate+private key for all services. If you have different domains, e.g. imap.yourdomain.com, pop3.yourdomain.com, smtp.yourdomain.com, then you must assign different certificates+keys for each of the respectively named service, or you may assign a so-called wildcard certificate for all sub-domains of yourdomain.com, that one would have the entry CN="*.yourdomain.com".

I have 2 domain names and 2 IP addresses for each other. I only have one certificate for Dovecot and one for Postfix.
I don't use the same ones for both Dovecot and Postfix.

What you guys pointed out was the issue. I changed the .csr to a .crt and it works. I can log in and look at my mail.
Now, another problem is when I try and write a message. I want to test to see if everything is working properly.

However, with my desktop using Thunderbird I get this error message when trying to send a message:

Code:
"An error occurred sending mail: Unable to establish a secure link with SMTP server mail.mydomain.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider."

Below is the new errors in the maillog file:

Code:
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max connection count 1 for (my_server_ip_here:smtp:202.187.160.245) at Apr 19 00:33:25
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max cache size 1 at Apr 19 00:33:25
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: initializing the server-side TLS engine
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: cannot load Certificate Authority data: disabling TLS support

Do I need to have the CA certificate? I have it loaded but my certificates are self-signed. :q
 
hockey97 said:
Code:
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max connection count 1 for (my_server_ip_here:smtp:202.187.160.245) at Apr 19 00:33:25
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max cache size 1 at Apr 19 00:33:25
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: initializing the server-side TLS engine
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: cannot load Certificate Authority data: disabling TLS support

Do I needs to have the CA certificate? I have it loaded but my certificates are self-signed. :q

Let's assume that you named your CA certificate ca.crt, and that you named the certificate for the mail-in service via Postfix mail_in_service.crt, then you would create the certificate chain as follows:

cat mail_in_service.crt ca.crt > mail_in_service.chn

In /usr/local/etc/postfix/main.cf you would then set:

Code:
smtpd_tls_cert_file = /path/to/the/certs/mail_in_service.chn
Execute postfix reload, and then try again.
 
obsigna said:
hockey97 said:
Code:
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max connection count 1 for (my_server_ip_here:smtp:202.187.160.245) at Apr 19 00:33:25
Apr 19 00:36:46 dserver1 postfix/anvil[35587]: statistics: max cache size 1 at Apr 19 00:33:25
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: initializing the server-side TLS engine
Apr 19 00:38:11 dserver1 postfix/smtpd[35819]: cannot load Certificate Authority data: disabling TLS support

Do I needs to have the CA certificate? I have it loaded but my certificates are self-signed. :q

Let's assume that you named your CA certificate ca.crt, and that you named the certificate for the mail-in service via Postfix mail_in_service.crt, then you would create the certificate chain as follows:

cat mail_in_service.crt ca.crt > mail_in_service.chn

In /usr/local/etc/postfix/main.cf you would then set:

Code:
smtpd_tls_cert_file = /path/to/the/certs/mail_in_service.chn
Execute postfix reload, and then try again.


How would you do it if lets say I own 10 domain names. I need an SSL for each domain. How would you set that up?
 
hockey97 said:
How would you do it if lets say I own 10 domain names. I need an SSL for each domain. How would you set that up?

  • Do you mean, 10 second level domains, e.g. example-one.com, example-two.com, example-three.com, ..., example-ten.com?
  • If yes, do you want to use these domains for different mail-domains, e.g. [users]@example-one.com, ..., [others]@example-ten.com?
  • If yes, is the number of mail accesses (SMTP+IMAP) less than 1 per second, in other words less than apprx. 100000 per day?
  • If yes, I suggest to you, to either create from either of your 10 domains one dedicated sub-domain, e.g. mail.example-one.com or to buy a dedicated 11th domain, e.g. example0-9.com, and then to use either of this for the Mail-eXchanger, for the SMTP/SMTP-Submit service, and for the IMAP/POP service for all mailboxes.
If your answer to yourself to any of the above questions is "no", then please explain in more details what you are pretending to do. And since this would have almost nothing anymore to do with the original issue of the present thread "Dovecot V 2.2.10 ssl issues", it would be best if you could submit your detailed inquiry by opening a new thread.
 
obsigna said:
Previous Post

I just tried what you said in the previous post about creating the .chn file. I restarted postfix and got the same error but notice a new error. Here is what my mail logs are showing:

Code:
May 14 16:50:04 dpserver1 postfix/smtpd[21951]: initializing the server-side TLS engine
May 14 16:50:04 dpserver1 postfix/smtpd[21951]: cannot load Certificate Authority data: disabling TLS support
May 14 16:50:04 dpserver1 dovecot: imap-login: Error: SSL private key file is password protected, but password isn't given
May 14 16:50:04 dpserver1 dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906A068:PEM routines:PEM_do_header:bad password read
May 14 16:50:04 dpserver1 dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs
I looks like one of my certificates is password protected but I never created one when generating those certificates.
 
A certificate is never password protected, it's the matching secret key that can be password protected. How was the key/cert pair created?
 
kpa said:
A certificate is never password protected, it's the matching secret key that can be password protected. How was the key/cert pair created?
Should I just recreate it? I followed a tutorial on purplehat

Located here: http://www.purplehat.org/?page_id=7

I followed that to the letter. It does talk about setting a password with the key. By default it provides a default password. The tutorial tells me to delete the default password and set it to nothing. Which I did but not sure if there's more needed to cancel out the password.
 
kpa said:
A certificate is never password protected, it's the matching secret key that can be password protected. How was the key/cert pair created?

It's not saying the certificate, it's saying the key:

Code:
May 14 16:50:04 dpserver1 dovecot: imap-login: Error: SSL private key file is password protected, but password isn't given

My guess is the password either needs to be added to the 10-ssl.conf file using the ssl_key_password = configuration option, or you need to remove the password from the key which you can do with the following: openssl rsa -in privateKey.key -out newPrivateKey.key
 
I just followed what you said to do and now got this in my mail log:

Code:
postfix/virtual[7738]: fatal: bad numerical configuration: virtual_minimum_uid = static:125
postfix/master[7432]: warning: process /usr/local/libexec/postfix/virtual pid 7713 exit status 1
postfix/master[7432]: warning: /usr/local/libexec/postfix/virtual: bad command startup -- throttling
I don't know what is wrong here. Just guessing the user ID isn't correct???
 
Well that's related to mail/postfix rather than mail/dovecot2.

On my server virtual_minimum_uid is not set in the configuration file and it looks like it defaults to 100. Your log file suggests that yours is set to static:125 which doesn't look right. The man page makes no mention of the static part and just suggests it should be a numeric value only.
 
xtaz said:
Well that's related to mail/postfix rather than mail/dovecot2.

On my server virtual_minimum_uid is not set in the configuration file and it looks like it defaults to 100. Your log file suggests that yours is set to static:125 which doesn't look right. The man page makes no mention of the static part and just suggests it should be a numeric value only.

I got rid of static and got rid of those errors but now everything works until grabbing my inbox. I get this error now:

Code:
dovecot: imap(email_username): Error: Opening INBOX failed: Mailbox isn't selectable

I don't know what the problem is now. I know the inbox isn't selectable but don't know why. Is there any Dovecot command I can try to see where the mail is going to? I notice the %d won't contain a domain name. I had to replace it with a static domain name. However, I need to figure out why %d isn't populated with a domain name. Right now I just need to find out where it's storing the mail. Right now I changed the maildir to another place and notice there are no more errors but I still cannot write or get any e-mails.
 
From your posts it sounds like you are confusing the Postfix Mail server, and the Dovecot IMAP Server. Incoming email is received by Postfix and locally delivered to a mailbox somewhere on the filesystem. Which is usually /var/mail/$USER for mbox, or $HOME/Maildir for Maildir folders. Which it uses is down to the Postfix home_mailbox option in the configuration. Dovecot is then configured to read mail from this same mailbox. Check the 10-mail.conf file for the mail_location option which should match the same location. Also note that these options will have variables for things like the username or home-directory such as %u or %h.
 
xtaz said:
From your posts it sounds like you are confusing the Postfix Mail server, and the Dovecot IMAP Server. Incoming email is received by Postfix and locally delivered to a mailbox somewhere on the filesystem. Which is usually /var/mail/$USER for mbox, or $HOME/Maildir for Maildir folders. Which it uses is down to the Postfix home_mailbox option in the configuration. Dovecot is then configured to read mail from this same mailbox. Check the 10-mail.conf file for the mail_location option which should match the same location. Also note that these options will have variables for things like the username or home-directory such as %u or %h.

I know the difference, the mail location I set is correct but looks like permission issues. It is spitting out right now:
Code:
Error: opening inbox failed: Mailbox isnt selectable .
I went to the folder to find the permissions. It says ownership postfix, create and delete files. Then group postfix, permissions none.

I am guessing it's a permission issue. Postfix and use it but Dovecot cannot. That is why when I send e-mail. I get no errors. I shows as if it's sent but when I try to view my mailbox I get the error above. However, if I change the location it works fine but I cannot see my e-mail. It looks like I need to give Dovecot permissions to go into this folder.
 
Back
Top