Return to Question

Improve formatting

edited Jan 9, 2024 at 9:12

23.6k
25
55
77

I have a mail server that has been running for quite some time. Most of my clients use non-Apple devices or are okay with web-clients. I am only now running into this roadblock, because a new client prefers using the Apple app to read email. They have an older iPad, which maxes out at iOS 9.3.5. Just found out this is rather old. Will my set up run on a more modern iOS?

When that olderWill my set up run on a more modern iOS device attempts IMAP connection, I am getting the following errors.?

Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session= Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

When that older iOS device attempts IMAP connection, I am getting the following errors.

Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<7Ag79nIO3MBMFhjy> Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works:

Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session=<9gkwPHMOyLNChwcP> Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected])<421260><9gkwPHMOyLNChwcP>: Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0</pre>

With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works:

Here is my setup

Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session= Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected]): Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0

Ubuntu 22.04.3 LTS

Kernel 5.15.0-91-generic

Dovecot 2.3.16 (7e2e900c1a)

OpenSSL 3.0.2

Certbot 2.8.0

Here is my setup

Ubuntu 22.04.3 LTS
Kernel 5.15.0-91-generic
Dovecot 2.3.16(7e2e900c1a)
OpenSSL 3.0.2
Certbot 2.8.0

$ cat /etc/dovecot/conf.d/10-ssl.conf

ssl = yes verbose_ssl = yes ssl_cert = </etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = </etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = </etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

SSL-configuration

$ cat /etc/dovecot/conf.d/10-ssl.conf ssl = yes verbose_ssl = yes ssl_cert = &lt;/etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = &lt;/etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = &lt;/etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH</pre>

Dovecot:

$ cat /etc/dovecot/conf.d/10-master.conf service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

$ cat /etc/dovecot/conf.d/10-master.conf

SSL Labs Test Results

service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

Overall A Rating. A few highlights from the Configuration section.

SSL Labs Test Results

OverallA Rating. A few highlights from theConfiguration section.

When that older iOS device attempts IMAP connection, I am getting the following errors.

Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session= Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works:

Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session= Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected]): Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0

Here is my setup

Ubuntu 22.04.3 LTS
Kernel 5.15.0-91-generic
Dovecot 2.3.16(7e2e900c1a)
OpenSSL 3.0.2
Certbot 2.8.0

$ cat /etc/dovecot/conf.d/10-ssl.conf

ssl = yes verbose_ssl = yes ssl_cert = </etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = </etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = </etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

$ cat /etc/dovecot/conf.d/10-master.conf

service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

SSL Labs Test Results

OverallA Rating. A few highlights from theConfiguration section.

Will my set up run on a more modern iOS?

When that older iOS device attempts IMAP connection, I am getting the following errors.

Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<7Ag79nIO3MBMFhjy> Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works:

Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session=<9gkwPHMOyLNChwcP> Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected])<421260><9gkwPHMOyLNChwcP>: Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0</pre>

Here is my setup

Ubuntu 22.04.3 LTS

Kernel 5.15.0-91-generic

Dovecot 2.3.16 (7e2e900c1a)

OpenSSL 3.0.2

Certbot 2.8.0

SSL-configuration

$ cat /etc/dovecot/conf.d/10-ssl.conf ssl = yes verbose_ssl = yes ssl_cert = &lt;/etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = &lt;/etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = &lt;/etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH</pre>

Dovecot:

$ cat /etc/dovecot/conf.d/10-master.conf service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

SSL Labs Test Results

Overall A Rating. A few highlights from the Configuration section.

added 129 characters in body

Source Link

edited Jan 8, 2024 at 22:51

pollyPaul

When that older iOS device attempts IMAP connection, I am getting the following errors with trying to get IMAP set up for the Apple client.

Source Link

asked Jan 8, 2024 at 19:08

pollyPaul

Apple iPad cannot access IMAP via Dovecot -- SSL unsupported protocol

I have a mail server that has been running for quite some time. Most of my clients use non-Apple devices or are okay with web-clients. I am only now running into this roadblock, because a new client prefers using the Apple app to read email. I am getting the following errors with trying to get IMAP set up for the Apple client.

Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session= Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works:

Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session= Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected]): Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0

Here is my setup

Ubuntu 22.04.3 LTS
Kernel 5.15.0-91-generic
Dovecot 2.3.16 (7e2e900c1a)
OpenSSL 3.0.2
Certbot 2.8.0

Config Files

$ cat /etc/dovecot/conf.d/10-ssl.conf

ssl = yes verbose_ssl = yes ssl_cert = </etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = </etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = </etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

$ cat /etc/dovecot/conf.d/10-master.conf

service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

SSL Labs Test Results

Overall A Rating. A few highlights from the Configuration section.

Protocols
TLS1.3	Yes
TLS1.2	Yes
TLS1.1	No
TLS1.0	No
SSL 3	No
SSL 2	No

Cipher Suites - TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS	128
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS	256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS	256

Cipher Suites - TLS 1.2 (server has no preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH secp521r1 (eq. 15360 bits RSA) FS 128	128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp521r1 (eq. 15360 bits RSA) FS 256	256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH secp521r1 (eq. 15360 bits RSA) FS 256	256