John Andersen wrote:

David C. Rankin wrote:

...

David C. Rankin wrote:

...

List, Sandy:

I am trying to figure out why different SSL fingerprints are returned for a dovecot imap mailbox depending on whether you get the fingerprint from a fetchmail dump with:

/usr/bin/fetchmail -a -v -n --folder spam-learn

or whether you get the fingerprint directly from the cert:

openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -fingerprint

Am I looking at different fingerprints? the mail.domain fingerprint versus the SHA1 fingerprint? Confused. What says the brain trust.

Sandy? Anybody?

The openssl command just fetches it out of a file you specify. Is this for sure the one that Dovecot is using?

If you use the --sslfingerprint option on the fetchmail command will it indeed fetch? If not, dovecot is using different cert files.

Also your fetchmail command was not complete enough (as shown) to even be sure it was reading via imap.

John, You're shooting at the right target. Here is the situation. After changing the dovecot.pem cert after it expires (annually) I have to update the .fetchmailrc (to provide the proper imap ssl fingerprint to have spamassassin run against the users imap account. When I generate the dovecot.pem it returns a ssl fingerprint: 09 B2.... When that fingerprint does not work with imap, then I just issue the command: /usr/bin/fetchmail -a -v -n --folder pick-any-mail-folder and in the server conversation (which fails due to the wrong fingerprint) it returns another ssl fingerprint: XX XX ... which is the correct fingerprint to access the imap server with. So my WTF? moment occurred when I tried to understand whey the ssl fingerprint returned when generating the dovecot.pem would not work and wasn't the same fingerprint returned from the fetchmail attempt to access the dovecot imap server. So I'm still bewildered there. -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

John Andersen wrote:

On Thu, Feb 5, 2009 at 10:44 PM, David C. Rankin wrote:

...

John Andersen wrote:

...

David C. Rankin wrote:

...

David C. Rankin wrote:

...

List, Sandy:

I am trying to figure out why different SSL fingerprints are returned for a dovecot imap mailbox depending on whether you get the fingerprint from a fetchmail dump with:

/usr/bin/fetchmail -a -v -n --folder spam-learn

or whether you get the fingerprint directly from the cert:

openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -fingerprint

Am I looking at different fingerprints? the mail.domain fingerprint versus the SHA1 fingerprint? Confused. What says the brain trust.

Sandy? Anybody?

The openssl command just fetches it out of a file you specify. Is this for sure the one that Dovecot is using?

If you use the --sslfingerprint option on the fetchmail command will it indeed fetch? If not, dovecot is using different cert files.

Also your fetchmail command was not complete enough (as shown) to even be sure it was reading via imap. John,

You're shooting at the right target. Here is the situation. After changing the dovecot.pem cert after it expires (annually) I have to update the .fetchmailrc (to provide the proper imap ssl fingerprint to have spamassassin run against the users imap account.

When I generate the dovecot.pem it returns a ssl fingerprint: 09 B2....

When that fingerprint does not work with imap, then I just issue the command:

/usr/bin/fetchmail -a -v -n --folder pick-any-mail-folder

and in the server conversation (which fails due to the wrong fingerprint) it returns another ssl fingerprint: XX XX ... which is the correct fingerprint to access the imap server with.

So my WTF? moment occurred when I tried to understand whey the ssl fingerprint returned when generating the dovecot.pem would not work and wasn't the same fingerprint returned from the fetchmail attempt to access the dovecot imap server.

So I'm still bewildered there.

Well I'm a little out of my area, since I use Cyrus.

Some possible causes could be that Dovcot was not restarted, Or, perhaps dovecot runs in a jail into which you have to copy the .pem by some means. Either of these could have it running with last years .pem.

Well, I looked at that when it happened and it is certainly normal behavior, but not that dovecot wasn't restarted. There are two different prints coming from somewhere. Looking at it again, I may just not know what I'm looking at. Here is what I'm seeing: openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -fingerprint SHA1 Fingerprint=9E:29:28:C1:....... /usr/bin/fetchmail -a -v -n --folder spam-learn <snip> fetchmail: mail.3111skyline.com key fingerprint: C1:DB:91:B6:..... They are certainly different. Is the mail fingerprint different from the SHA1 fingerprint? If so, that's the answer, but where do I look to find out why one is used for X and the other for Y? -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org