I am trying to set up a Dovecot/Postfix structure, relying on a MySQL backend. I came across a problem with SSL configuration, and it's really tearing my hair out…
Situation
Dovecot listens on port 993 (IMAPs) and 995 (POP3s). I use the following command to test the connection:
openssl s_client -connect myserver.tld:993
openssl s_client -connect myserver.tld:995
The following error occurs:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I've made the same tests forcing ssl2, ssl3 and tls1; same thing. Now, when I run the same test on port 465 (SMTPs by Postfix):
openssl s_client -connect myserver.tld:465
I get a magical 220 myserver.tld ESMTP Postfix (Debian/GNU).
Wonderful. MySQL-based authentication even works! The problem is that Dovecot cannot initiate the SSL connection properly, when Postfix can. Both services share the same configuration; Postfix even uses Dovecot authentication.
Configuration
Dovecot configuration:
ssl = required
ssl_cert = </etc/ssl/myserver/myserver.tld.crt
ssl_key = </etc/ssl/myserver/myserver.tld.key
ssl_verify_client_cert = no
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5
Postfix main configuration:
smtpd_tls_cert_file = /etc/ssl/myserver/myserver.tld.crt
smtpd_tls_key_file = /etc/ssl/myserver/myserver.tld.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 3
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
Postfix master configuration:
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
The SSL certificate is self-signed; I generated it myself. Over SMTP, it looks just fine.
Logs
pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<ffu9UFnxZQBtvqmF>
(I get an "unknown protocol" when trying ssl2 or tls1 with the openssl s_client utility)
Does anyone know where I made the configuration mistake for Dovecot?
Best Answer
You have actually disabled SSLv2, SSLv3, and TLSv1.0 in dovecot.
This is a problem because some clients don't yet speak TLSv1.1/TLSv1.2, your only remaining choices.
Try not disabling TLSv1.0 and see if you get any farther.
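An added check, not part of this thread, for the "no shared cipher" log line: in an OpenSSL cipher string, !SSLv3 and !TLSv1.0 are cipher-suite aliases rather than protocol switches, so the question's ssl_cipher_list removes every suite a client limited to TLS 1.0 or 1.1 could offer, whatever ssl_protocols says. The script feeds that string (and a constructed comparison without those two aliases) to Python's ssl module, which uses the same OpenSSL parser Dovecot does; the function names are my own and the exact suite counts depend on the OpenSSL build Python is linked against.

```python
import ssl

# The ssl_cipher_list from the question. Dovecot hands this string to OpenSSL
# unchanged, so the Python ssl module (also OpenSSL) parses it the same way.
QUESTION_CIPHER_LIST = "HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5"
# Constructed comparison: the same list without the protocol-name aliases.
# (!SSLv3 and !TLSv1.0 are cipher-suite aliases, not protocol switches.)
COMPARISON_CIPHER_LIST = "HIGH:!aNULL:!MD5"


def suites_for(cipher_list):
    """Map the lowest protocol each surviving suite supports -> suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing survives
    by_protocol = {}
    for suite in ctx.get_ciphers():
        by_protocol.setdefault(suite["protocol"], []).append(suite["name"])
    return by_protocol


def usable_below_tls12(cipher_list):
    """Suites a client that only speaks TLS 1.0 or 1.1 could still negotiate.

    Anything OpenSSL tags TLSv1.2 or TLSv1.3 needs at least that version; the
    remaining tags (SSLv3 / TLSv1.0 in current builds) mark suites that also
    run on TLS 1.0 and 1.1."""
    return [name
            for proto, names in suites_for(cipher_list).items()
            if proto not in ("TLSv1.2", "TLSv1.3")
            for name in names]


def report(cipher_list):
    """Print a per-protocol count; return the number of sub-TLS1.2 suites."""
    legacy = usable_below_tls12(cipher_list)
    print(cipher_list)
    for proto, names in sorted(suites_for(cipher_list).items()):
        print(f"  {proto:<8} {len(names)} suites")
    print(f"  usable by a TLS 1.0/1.1 client: {len(legacy)}")
    return len(legacy)


if __name__ == "__main__":
    # With the question's list a TLS 1.0 client has nothing in common with the
    # server, which OpenSSL reports as "no shared cipher" (the Dovecot log line).
    report(QUESTION_CIPHER_LIST)
    report(COMPARISON_CIPHER_LIST)
```

Running it on the question's string shows only TLSv1.2 (and, on newer builds, TLSv1.3) suites surviving, so a client that cannot go above TLS 1.1 fails the handshake exactly as the log shows.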