[opensuse] Why are different SSL fingerprints returned for imap -- Sandy?
List, Sandy:
I am trying to figure out why different SSL fingerprints are returned for a dovecot imap mailbox depending on whether you get the fingerprint from a fetchmail dump with:
/usr/bin/fetchmail -a -v -n --folder spam-learn
or whether you get the fingerprint directly from the cert:
openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -fingerprint
Am I looking at different fingerprints? The mail.domain fingerprint versus the SHA1 fingerprint? Confused. What says the brain trust.
--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
David C. Rankin wrote:
Sandy? Anybody?
David C. Rankin wrote:
The openssl command just fetches it out of a file you specify. Is this for sure the one that Dovecot is using?
If you use the --sslfingerprint option on the fetchmail command will it indeed fetch? If not, dovecot is using different cert files.
Also your fetchmail command was not complete enough (as shown) to even be sure it was reading via imap.
John Andersen wrote:
John,
You're shooting at the right target. Here is the situation. After changing the dovecot.pem cert after it expires (annually) I have to update the .fetchmailrc (to provide the proper imap ssl fingerprint to have spamassassin run against the user's imap account).
When I generate the dovecot.pem it returns an ssl fingerprint: 09 B2....
When that fingerprint does not work with imap, then I just issue the command:
/usr/bin/fetchmail -a -v -n --folder pick-any-mail-folder
and in the server conversation (which fails due to the wrong fingerprint) it returns another ssl fingerprint: XX XX ... which is the correct fingerprint to access the imap server with.
So my WTF? moment occurred when I tried to understand why the ssl fingerprint returned when generating the dovecot.pem would not work and wasn't the same fingerprint returned from the fetchmail attempt to access the dovecot imap server.
So I'm still bewildered there.
On Thu, Feb 5, 2009 at 10:44 PM, David C. Rankin wrote:
Well I'm a little out of my area, since I use Cyrus.
Some possible causes could be that Dovecot was not restarted, or perhaps dovecot runs in a jail into which you have to copy the .pem by some means. Either of these could have it running with last year's .pem.
--
----------JSA---------
Someone stole my tag line, so now I have this rental.
John Andersen wrote:
Well, I looked at that when it happened and it is certainly normal behavior, but not that dovecot wasn't restarted. There are two different prints coming from somewhere. Looking at it again, I may just not know what I'm looking at. Here is what I'm seeing:
openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -fingerprint
SHA1 Fingerprint=9E:29:28:C1:.......
/usr/bin/fetchmail -a -v -n --folder spam-learn
<snip>
fetchmail: mail.3111skyline.com key fingerprint: C1:DB:91:B6:.....
They are certainly different. Is the mail fingerprint different from the SHA1 fingerprint? If so, that's the answer, but where do I look to find out why one is used for X and the other for Y?
David C. Rankin wrote:
Well your first command goes directly to that file and fetches it. The second relies on what dovecot passes back. So the question is, does dovecot really use THAT particular file?
In /etc/dovecot.conf you should see some lines like
#ssl_cert_file = .....
#ssl_key_file = .....
If one points to /etc/ssl/certs/dovecot.pem then you would think the keys would match. If they point elsewhere, your first command needs revision.
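An added check, written for this page and not part of the thread, that computes both digests with Python's standard library and compares the certificate on disk with the one the IMAP server actually presents: openssl x509 -fingerprint prints SHA1 by default while fetchmail's verbose "key fingerprint" line and its --sslfingerprint option use MD5, so the two values differ even for the same certificate, and only hashing the served cert tells you whether dovecot is really serving the file you think. The host, IMAPS on port 993 and the sample PEM are assumptions.

```python
import base64
import hashlib
import socket
import ssl

# openssl x509 -fingerprint defaults to SHA1; fetchmail's verbose
# "key fingerprint" line and its --sslfingerprint option use MD5.
DIGESTS = {"openssl-default": "sha1", "fetchmail": "md5"}

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    body, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    if not inside:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))

def fingerprint(der, algo):
    """Colon-separated uppercase hex digest, as both tools print it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def served_cert_der(host, port=993, timeout=10):
    """Raw DER cert a live IMAPS server presents (no chain check: we pin)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare_file_and_server(pem_path, host, port=993):
    """Both digests for file and live cert, plus whether they are one cert."""
    with open(pem_path) as fh:
        file_der = pem_to_der(fh.read())
    live_der = served_cert_der(host, port)
    report = {"same_certificate": file_der == live_der}
    for tool, algo in DIGESTS.items():
        report[tool] = {"file": fingerprint(file_der, algo),
                        "server": fingerprint(live_der, algo)}
    return report

# Constructed stand-in (not a real cert): PEM around b"abc", known digests.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```

Run compare_file_and_server("/etc/ssl/certs/dovecot.pem", "mail.example") on the server: if same_certificate is False, dovecot is serving a different file than the one openssl was pointed at; if True, the two fingerprints in the thread are simply MD5 versus SHA1 of the same certificate.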