On Friday, 2023-12-29 at 11:32 +0300, Andrei Borzenkov wrote:
On 28.12.2023 22:36, Carlos E. R. wrote:
On Thursday, 2023-12-28 at 18:36 +0300, Andrei Borzenkov wrote:
On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to sign them by known CA, not to rely on force accepting them by any particular program. Certificates not signed by a trusted authority are by definition not to be trusted.
Yeah, well... this is going to be used only by myself in my own machines, inside the LAN. Using true certificates would be a waste.
Which does not change a bit in the X.509 model. You must create a CA and then sign the certificate with this CA even if you do not realize it. openssl does it for you.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
In a language I don't understand.
In the time of ubiquitous Internet that is a feeble excuse. But if you do not want to spend time learning how to manage certificates, you have your CA that will add this information to the signed certificate for you. But if you refuse to use CA, you need to learn how to do it properly yourself.
I cannot obtain an external certificate, I don't have a domain. I use a faked name. YaST no longer has the module to create certificate authorities and certificates. I would learn how to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies". The dummies part is important.
...
Ah, another post clarifies:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
Most likely the poster did not intend to spoon feed you and give you step by step recipe, but just overall requirement. *How* to add the Subject Alternative Name extension is documented in openssl manuals and in hundreds of the Internet search hits.
That is as good as non-existing. I need the for dummies version.
...
Ok, trying to create new certificates:
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real 0m0.012s
user 0m0.012s
sys 0m0.000s
Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
Yes, because SAN should go into a different section in the configuration file. And SAN may be of different types and you need to give the exact type (is it a name, or an IP, or something else).
Sigh.
I have no idea what you did, where you added these lines or what this script does.
I am using the configuration and script files provided in the distribution.
/etc/dovecot/dovecot-openssl.cnf (copied from /usr/share/dovecot/dovecot-openssl.cnf and edited):
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
That is the section SAN should go into (there are also other possibilities).
Ok, trying. [...] Yes, certificate created. Restarting dovecot. Trying Thunderbird on laptop... No go, same error.
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
C=ES

# State or Province Name (full name)
#ST=
ST=Murcia

# Locality Name (eg. city)
#L=Helsinki
L=Cartagena

# Organization (eg. company)
#O=Dovecot
O=Valinor

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN = telcontar.valinor
SAN = telcontar.valinor
Not here.
Understood.
...
And SAN is just one /possible/ reason why the certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
(Thunderbird says nothing. It is dovecot which logs the complaint)
dovecot just informs you that a client did not like its certificate.
See note (1) at the end of the post. Gist: the log entry is generated when trying to read mail on this desktop from the laptop.
But what you do is not what they do in the dovecot thread I was reading.
I did add the Subject Alternative Name to the generated certificate. Exactly what they said.
Ok, but you understand what they say, I don't. It is Chinese to me.
They did:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
which I assumed goes into the dovecot certificate configuration file.
And here you use two files, carlos.conf and ssl.conf, that I don't have and I don't know what they mean. The only configuration file I have is "dovecot-openssl.cnf", which this instant is:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
SAN = telcontar.valinor
[ req_dn ]
C=ES
ST=Murcia
L=Cartagena
O=Valinor
OU=IMAP server
CN = telcontar.valinor
emailAddress=postmaster@telcontar.valinor
[ cert_type ]
nsCertType = server
Telcontar:/etc/dovecot #
bor@bor-Latitude-E5450:/tmp/san$ diff -up carlos.conf ssl.conf --- carlos.conf 2023-12-29 11:05:22.348010259 +0300 +++ ssl.conf 2023-12-29 11:01:19.248547835 +0300 @@ -29,7 +29,7 @@ OU=IMAP server # Common Name (*.example.com is also possible) #CN=imap.example.com CN = telcontar.valinor -SAN = telcontar.valinor +#SAN = telcontar.valinor
# E-mail contact @@ -39,3 +39,4 @@ emailAddress=postmaster@telcontar.valino
[ cert_type ] nsCertType = server +subjectAltName = DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$ openssl req -new -x509 -nodes -config ssl.conf -out dovecot.crt -keyout devecot.pem .......................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ .............................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ----- bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -subject -fingerprint -noout -ext subjectAltName -in dovecot.crt subject=C = ES, ST = Murcia, L = Cartagena, O = Valinor, OU = IMAP server, CN = telcontar.valinor, emailAddress = postmaster@telcontar.valinor SHA1 Fingerprint=91:16:B5:2E:00:0E:8C:97:C9:65:0B:58:3F:C5:E7:8E:2E:01:A8:60 X509v3 Subject Alternative Name: DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$
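Review bot: the SAN added in the second hunk, `subjectAltName = DNS:telcontar.valinor`, lists exactly one name, so the server name Thunderbird connects with has to be telcontar.valinor; reaching the desktop by any other name, or by its address, still fails hostname matching and the certificate is rejected just as before. Each additional name needs its own entry with its type, e.g. `subjectAltName = DNS:telcontar.valinor,IP:192.168.1.14`. In the first hunk the bogus `SAN =` line is only commented out; deleting it instead avoids suggesting that a `SAN` key under `[ req_dn ]` is ever valid (openssl rejected it as an invalid field name).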
Ok, using this config file:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
SAN = telcontar.valinor
[ req_dn ]
C=ES
ST=Murcia
L=Cartagena
O=Valinor
OU=IMAP server
CN = telcontar.valinor
emailAddress=postmaster@telcontar.valinor
[ cert_type ]
nsCertType = server
Telcontar:/etc/dovecot #

And this script, using your modification:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/mkcert.sh
umask 077
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/private
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.crt
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi
if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi
if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi
if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi
$OPENSSL req -new -x509 -nodes -days 20000 -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 20000 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -ext subjectAltName -in $CERTFILE || exit 2
Telcontar:/etc/dovecot #

Restarting dovecot, trying from laptop, same error.
Telcontar:/etc/dovecot # rm /etc/ssl/private/dovecot.*
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
..............................................................+++++
.............................+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
subject=C = ES, ST = Murcia, L = Cartagena, O = Valinor, OU = IMAP server, CN = telcontar.valinor, emailAddress = postmaster@telcontar.valinor
SHA1 Fingerprint=89:F7:D0:DE:FE:C3:1C:18:96:90:20:35:A4:1B:21:A8:0D:E8:A7:11

real 0m0.044s
user 0m0.039s
sys 0m0.005s
Telcontar:/etc/dovecot # systemctl restart dovecot

Note (1)

I found out that the log entry was generated when the Thunderbird in the laptop tried to read email on the desktop machine.

<2.6> 2023-12-29T12:53:11.468007+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<bfssraQNasDAqAIT>

I.e.: user=<>, rip=192.168.2.19, lip=192.168.1.14: the 192.168.1.14 machine is the desktop (Leap 15.4), where Dovecot is running. The 192.168.2.19 machine is the laptop (Leap 15.5). When the laptop tries to read an email on the desktop, the error log entry appears in the desktop, instantly.

The laptop also runs another Dovecot. There is no error there:

2023-12-29T13:03:06.704944+01:00 Laicolasse dovecot: imap-login: Login: user=<cer>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7945, TLS, session=<I1Sn0KQN0Lt/AAAB>

The certificate was generated in the same manner, back in July. The configuration of Thunderbird (laptop) is slightly different:

server name: localhost
username: cer
Connection security: STARTTLS
Authentication method: Normal Password.

And most importantly, there is an exception entry for localhost. That is the QUID of the question.

-- 
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
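The corrected configuration and the check discussed in this thread, as an added example that is neither Dovecot's mkcert.sh nor code posted by either participant: it writes a dovecot-openssl.cnf with subjectAltName in the x509_extensions section, generates the self-signed certificate, and then verifies it as a TLS client would, trusting that certificate as its anchor and matching the hostname against the SAN. The hostname telcontar.valinor and the scratch directory are assumptions, and the openssl command line must be installed.

```shell
# Added example, not Dovecot's mkcert.sh and not code posted in the thread:
# build a self-signed Dovecot certificate from a corrected dovecot-openssl.cnf
# and check it the way a TLS client does. $1 is the name the client will
# connect with (assumed: telcontar.valinor), $2 a scratch directory.

make_dovecot_cert() {
    host=$1; dir=$2
    # subjectAltName is an X.509v3 extension, so it goes in the section named
    # by x509_extensions ([ cert_type ]). "SAN = host" under [ req_dn ] is an
    # invalid field name for openssl, and under [ req ] it is silently ignored.
    cat > "$dir/dovecot-openssl.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C = ES
O = Valinor
OU = IMAP server
CN = $host

[ cert_type ]
nsCertType = server
subjectAltName = DNS:$host
EOF
    openssl req -new -x509 -nodes -days 3650 -config "$dir/dovecot-openssl.cnf" \
        -out "$dir/dovecot.crt" -keyout "$dir/dovecot.pem" 2>/dev/null
    chmod 0600 "$dir/dovecot.pem"
}

# Print the SAN the certificate actually carries, e.g. "DNS:telcontar.valinor".
# (The thread's last mkcert.sh run printed no such line: its config still had
# no subjectAltName, only the ignored "SAN =" key under [ req ].)
show_san() {
    openssl x509 -noout -ext subjectAltName -in "$1/dovecot.crt" | grep -o 'DNS:[^, ]*'
}

# Succeed only if the certificate chains to the trust anchor AND the SAN
# matches $host. A self-signed cert is its own anchor, which is what importing
# it into the client's trust store amounts to; a name mismatch still fails,
# and such a client-side rejection is what Dovecot logs as the TLS alert.
check_dovecot_cert() {
    host=$1; dir=$2
    openssl verify -CAfile "$dir/dovecot.crt" -verify_hostname "$host" \
        "$dir/dovecot.crt" >/dev/null 2>&1
}
```

Run `make_dovecot_cert telcontar.valinor /tmp/san` and then `check_dovecot_cert telcontar.valinor /tmp/san`; the same check with `localhost` fails, which is the situation of a client connecting under a name the SAN does not list.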