
I have a quite standard installation of postfix and dovecot on Ubuntu 12.10. I generated my own certificates and got them signed by cacert.org.

The process of creating the certs was as below:

    openssl genrsa -out mail.myhostname.key 4096
    openssl req -new -key mail.myhostname.key -out mail.myhostname.csr
    wget http://www.cacert.org/certs/root.txt
    sudo cp root.txt /etc/ssl/certs/cacert.crt
    # here Submitting the CSR to CAcert takes place
    # placing result certificate from CAcert into /etc/postfix/ssl/mail.myhostname.crt

This is my dovecot configuration (sudo cat /etc/dovecot/conf.d/10-ssl.conf):

    ##
    ## SSL settings
    ##

    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = yes

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </etc/postfix/ssl/mail.myhostname.crt
    ssl_key = </etc/postfix/ssl/mail.myhostname.key

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    ssl_ca = </etc/postfix/ssl/cacert.crt

    # Request client to send a certificate. If you also want to require it, set
    # auth_ssl_require_client_cert=yes in auth section.
    ssl_verify_client_cert = no

    # Which field from certificate to use for username. commonName and
    # x500UniqueIdentifier are the usual choices. You'll also need to set
    # auth_ssl_username_from_cert=yes.
    #ssl_cert_username_field = commonName

    # How often to regenerate the SSL parameters file. Generation is quite CPU
    # intensive operation. The value is in hours, 0 disables regeneration
    # entirely.
    #ssl_parameters_regenerate = 168

    # SSL ciphers to use
    #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

I cannot get Outlook working, which worked quite fine before I set up my own certs (despite some warnings). I heard there may be some problems with "Microsoft Mail" and Outlook, which are more sensitive compared to Thunderbird, but that shouldn't be an issue.

Screenshot from the client program (image not reproduced here).

This is the head of source="/var/log/mail.log" from Splunk, and it shows the problem:

    Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX
    Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX, TLS handshaking: Disconnected
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [89.77.2XX.XXX]
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.2XX.XXX]
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.2XX.XXX]
    Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.2XX.XXX]
    Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.2XX.XXX]

This is the output of the openssl test (openssl s_client -connect mail.myhostname:995):

    CONNECTED(00000003)
    depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = [email protected]
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=*.myhostname
       i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
     1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
       i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    some certificate info..
    -----END CERTIFICATE-----
    subject=/CN=*.myhostname
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4548 bytes and written 487 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DHE-RSA-AES256-GCM-SHA384
        Session-ID: 4EE9B3ED672B5989A52B5338C6173E5C525080C1D46D37A327E501ED70A73625
        Session-ID-ctx:
        Master-Key: 5DD1ED05C32F5B0FE07F20FDEEE80D622D6873CE7E9D954F4CC6644ED0E86A6A30603A387651135D6F7CA792F2377901
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 4e 3f 50 2c 3f 61 47 9f-f0 61 b4 26 31 ce 2c 9f   N?P,?aG..a.&1.,.
        0010 - ce 83 1b b5 20 88 45 a9-71 cd 35 29 3e 4b 5c 29   .... .E.q.5)>K\)
        0020 - d8 31 e0 3f 47 2b d3 05-d3 73 62 78 ac a9 91 f8   .1.?G+...sbx....
        0030 - 51 89 b5 cd 20 2a 92 7a-68 8f d7 ae 01 10 46 df   Q... *.zh.....F.
        0040 - 35 c9 4b 50 86 1a 1b bc-5f 66 b9 29 7a bd 41 be   5.KP...._f.)z.A.
        0050 - a0 76 ba e3 95 2c 85 ef-cd 21 c5 be ee c1 4b e3   .v...,...!....K.
        0060 - c7 9e e3 8a 63 6d a6 cb-9f be 25 d5 b6 61 c0 27   ....cm....%..a.'
        0070 - b5 09 46 e5 79 e0 34 6f-8d 6b db 96 17 40 18 ea   ..F.y.4o.k...@..
        0080 - 25 c2 b0 12 96 20 1a 25-e1 7a 22 3e 74 6c 9e e8   %.... .%.z">tl..
        0090 - 61 f0 24 e7 5f 8a 5d e1-ab 43 c0 a7 74 43 09 cf   a.$._.]..C..tC..

        Start Time: 1433543614
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    +OK The greatest mail program is ready

I don't understand the "verify error:num=19:self signed certificate in certificate chain" part. In which way is it self-signed, if I'm using a trustworthy CAcert authority?

I censored the IPs and hostname because my server is still fragile.

There is also a thing about stacking certs for Dovecot (see http://wiki2.dovecot.org/SSL/DovecotConfiguration). The table shows this order:

Dovecot's public certificate - what's this?

TDC SSL Server CA - is it my public key from cacert?

TDC Internet Root CA - is it the cacert root?

Globalsign Partners CA - what's this?

As for the moment, /etc/postfix/ssl/cacert.crt holds only CAcert root.

Can this cause problems and break the TLS handshake?

Update:

Mail works with Thunderbird, but it still asks the user to accept a certificate, which is kind of unwanted behavior and which I didn't expect while having certs from cacert.org.

Logs from Splunk:

    Jun 6 01:38:43 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
    Jun 6 01:38:43 myhostname dovecot: imap([email protected]): Disconnected: Logged out bytes=8/328
    Jun 6 01:38:41 myhostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=89.77.22X.XXX, lip=37.233.XX.XXX, mpid=13141, TLS
    Jun 6 01:38:41 myhostname dovecot: auth-worker: mysql(localhost): Connected to database postfix
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
    Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.22X.XXX, lip=37.233.XX.XXX, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
    Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]

3 Answers

I generated my own certificates and got them signed by cacert.org.

cacert.org is not trusted by any major OS today. It was once with Debian, but it was removed there too. It might still be in some *BSD. Notably, no browser, no Windows, Android, Mac OS... will trust this CA.

I don't understand the "verify error:num=19:self signed certificate in certificate chain" part. In which way is it self-signed, if I'm using a trustworthy CAcert authority?

Even if you have cacert locally installed, openssl s_client will not use any CA by default to check, so everything is untrusted. And given the output, you include the root certificate, which is wrong anyway. Root certificates in the chain are ignored because the trusted root has to be local on the system already.
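As an added example (not part of the question or this answer), a small Python triage script that groups the dovecot imap-login lines quoted in the question into per-client TLS sessions and labels each one, so the "fatal unknown CA" rejection (TLS alert 48) this answer explains can be told apart from a client that simply dropped the connection mid-handshake. The sample log is condensed from the question with the Splunk metadata stripped, and the user name in it is made up.

```python
import re
from collections import defaultdict

# Constructed sample: dovecot imap-login lines condensed from the question's
# logs (Splunk metadata stripped, oldest first; the user name is made up).
SAMPLE_LOG = """\
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [89.77.2XX.XXX]
Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX, TLS handshaking: Disconnected
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [89.77.22X.XXX]
Jun 6 01:38:08 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.22X.XXX, lip=37.233.XX.XXX, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
Jun 6 01:38:41 myhostname dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=89.77.22X.XXX, lip=37.233.XX.XXX, mpid=13141, TLS
"""

# Dovecot appends the client address in brackets to SSL debug lines and
# reports it as rip= on Login/Disconnected lines; the character class also
# accepts the masked 'X' digits used in the question.
BRACKET_IP = re.compile(r"\[([0-9A-Za-z.:]+)\]\s*$")
RIP = re.compile(r"\brip=([0-9A-Za-z.:]+)")

def client_ip(line):
    m = BRACKET_IP.search(line) or RIP.search(line)
    return m.group(1) if m else None

def classify(events):
    """Reduce the lines of one TLS session to a verdict string."""
    text = "\n".join(events)
    if "unknown CA" in text or "unknown ca" in text:
        # Alert 48 arrives after the server sent its certificate: the client
        # could not chain that certificate to a root it trusts.
        return "client rejected server certificate: unknown CA (TLS alert 48)"
    if "TLS handshaking: Disconnected" in text:
        return "client closed the connection mid-handshake without a TLS alert"
    if " Login: " in text and "TLS" in text:
        return "TLS established and login succeeded"
    if "negotiation finished successfully" in text:
        return "TLS established, no login"
    return "incomplete session"

def triage(log_text):
    """Group imap-login lines into per-client sessions (a session ends at a
    Disconnected or Login line) and return [(client_ip, verdict), ...]."""
    open_sessions = defaultdict(list)
    verdicts = []
    for line in log_text.splitlines():
        if "dovecot: imap-login:" not in line:
            continue
        ip = client_ip(line)
        if ip is None:
            continue
        open_sessions[ip].append(line)
        if "Disconnected" in line or " Login: " in line:
            verdicts.append((ip, classify(open_sessions.pop(ip))))
    return verdicts

for ip, verdict in triage(SAMPLE_LOG):
    print(f"{ip}: {verdict}")
```

On a real /var/log/mail.log this needs verbose_ssl enabled in dovecot, since the per-state SSL warnings it keys on are not logged otherwise.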


Perhaps this project would be your solution (and mine):

https://letsencrypt.org/


I just got a report from allaboutspam.com with many warnings and one blacklist on barracudacentral.

I thought this would be easier, but it takes about 80% of my key activity, and I don't want to pay extra for a recognized certificate.

I'm moving to a hosted mail solution, and leaving my server to be only a WWW server and data processing / analysis machine. Thanks @steffen-ullrich!
