[oS-en] Problem with dovecot certificates
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):

<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>

And Thunderbird can not open some folders.

I have this in my notes from the previous time it happened (in July):

Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-

"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).

The certificates are recent:

Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root  769 Jul  2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul  2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root  912 Jul  2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #

So they can't be expired.

The dovecot config is correct, AFAICS:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #

In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.

What can I do?

(Google is not helping)

--
Cheers
Carlos E. R. (from 15.4 x86_64 at Telcontar)
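The log lines above are the only evidence the server side has: the TLS alert number tells you which check the peer failed, and because SSL_accept() is the server's half of the handshake, the alert was received from the client. The following is an added example (written here for this page, not code from the thread, dovecot or openssl) that parses such imap-login lines, maps the alert number to its RFC 5246 name and counts failures per client address, so you can see which client is rejecting the certificate and why. The first two sample lines are the ones quoted in the post; the third and fourth are constructed (made-up session ids and a second client address) to show a different alert and a successful login being skipped.

```python
import re
from collections import Counter

# Constructed sample input: lines 1-2 are the dovecot entries quoted in the post,
# lines 3-4 are made up (different client, different alert, one successful login).
SAMPLE_LOG = """\
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
<2.6> 2023-12-27T19:50:02.000000+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=192.168.2.40, lip=192.168.1.14, session=<constructed01>
<2.6> 2023-12-27T19:51:10.000000+01:00 Telcontar dovecot - - - imap-login: Login: user=<carlos>, method=PLAIN, rip=192.168.2.19, lip=192.168.1.14, TLS, session=<constructed02>
"""

# TLS alert descriptions (RFC 5246, section 7.2) a client sends when it rejects
# the certificate it was offered during the handshake.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# A dovecot imap-login "Disconnected" line whose TLS handshake failed.
# The optional "<2.6>" prefix is the syslog priority seen in the quoted log;
# "dovecot - - -" is the host/program field layout of that syslog format.
HANDSHAKE_RE = re.compile(
    r"^(?:<[\d.]+> )?(?P<ts>\S+) (?P<host>\S+) dovecot (?:\S+ ){3}imap-login: "
    r"Disconnected: .*?SSL alert number (?P<alert>\d+).*?"
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+).*?session=<(?P<session>[^>]+)>"
)


def parse_handshake_failure(line):
    """Return a record for a failed-handshake line, or None for any other line."""
    m = HANDSHAKE_RE.match(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    return {
        "ts": m.group("ts"),
        "rip": m.group("rip"),          # remote (client) address
        "lip": m.group("lip"),          # local (server) address the client used
        "session": m.group("session"),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "other"),
        # SSL_accept() is the server side of the handshake, so the alert was
        # received from the client: it is the client that rejected our cert.
        "rejected_by": "client",
    }


def parse_log(text):
    """All failed-handshake records in a block of log text, in order."""
    return [r for r in map(parse_handshake_failure, text.splitlines()) if r]


def summarize(text):
    """Count failures per (client IP, alert number) to see who is complaining."""
    return Counter((r["rip"], r["alert"]) for r in parse_log(text))


if __name__ == "__main__":
    for (rip, alert), n in summarize(SAMPLE_LOG).most_common():
        print(f"{rip}: {n} x alert {alert} ({TLS_ALERTS.get(alert, 'other')})")
```

Alert 42 (bad_certificate) is the generic "I looked at it and will not use it" answer; 45 and 48 would point at expiry or an unknown issuer instead, which is why the counts per alert are worth separating before touching the server configuration.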
On 12/27/2023 14:12:33, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-
"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).
The certificates are recent:
Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root  769 Jul  2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul  2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root  912 Jul  2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #
So they can't be expired.
The dovecot config is correct, AFAICS:
Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
(Google is not helping)
-- Cheers
Carlos E. R. (from 15.4 x86_64 at Telcontar)
Ask on the Dovecot list as well?
On 27.12.2023 22:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
Client that connects to dovecot does not like its certificate.
And Thunderbird can not open some folders.
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-
"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).
The certificates are recent:
Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root  769 Jul  2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul  2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root  912 Jul  2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #
So they can't be expired.
The dovecot config is correct, AFAICS:
Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
(Google is not helping)
Well, searching for "SSL alert number 42" or "SSL_accept() failed: error:14094412" brings some quite promising hits, including discussion of this exact problem on dovecot list.
On 2023-12-27 21:00, Andrei Borzenkov wrote:
On 27.12.2023 22:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
Client that connects to dovecot does not like its certificate.
And Thunderbird can not open some folders.
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-
"mkcert.sh" is the one from /usr/share/dovecot/, as well as "dovecot-openssl.cnf" (edited, of course).
The certificates are recent:
Telcontar:/etc/dovecot # ls -l /etc/ssl/private/dovecot.* /etc/dovecot/dh.pem
-rw-r--r-- 1 root root  769 Jul  2 15:01 /etc/dovecot/dh.pem
-rw------- 1 root root 1066 Jul  2 14:41 /etc/ssl/private/dovecot.crt
-rw------- 1 root root  912 Jul  2 14:41 /etc/ssl/private/dovecot.pem
Telcontar:/etc/dovecot #
So they can't be expired.
The dovecot config is correct, AFAICS:
Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
Telcontar:/etc/dovecot #
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
(Google is not helping)
Well, searching for "SSL alert number 42" or "SSL_accept() failed: error:14094412" brings some quite promising hits, including discussion of this exact problem on dovecot list.
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.

Problem is, TB does not ask to create an exception.

Currently, I have TB working by NOT using connection security.

Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".

Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:

   Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).

I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about). If it is "/etc/dovecot/dh.pem", I have no idea at all.

Also, I have no idea how to extend the validity of the certificate to be "forever", not just two years.

[...]

Oh, yes, I do, but I forgot. I had edited mkcert.sh:

#$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
#	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
#CER 20230602
$OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG \
	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2

Seems I missed the second "365".

Ah, another post clarifies:

CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com

or

CN = www.example.com
SAN.1 = www.example.com
SAN.2 = example.com

Post <https://dovecot.org/list/dovecot/2022-September/125358.html> says:

+++·······················
cert had an invalid/incorrect hostname
fyi, https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
...
cert_override.txt
This is an optional file used to store a security exception. It appears to store the host name, thus preventing you from creating a security exception for a rotating SMTP server.
...
for ref, Firefox: How to audit & reset the list of trusted servers/CAs
https://access.redhat.com/solutions/1549043
·······················++-

Well, it is not true in my case, file "cert_override.txt" doesn't contain any reference to my computer, because it was deleted, as I said in my first post.

Ok, trying to create new certificates:

Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real    0m0.012s
user    0m0.012s
sys     0m0.000s
Telcontar:/etc/dovecot #

It doesn't like that "SAN" thing. Blocked again.

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN=telcontar.valinor
SAN=telcontar.valinor

--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to sign them by known CA, not to rely on force accepting them by any particular program. Certificates not signed by a trusted authority are by definition not to be trusted.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
If it is "/etc/dovecot/dh.pem", I have no idea at all.
Also, I have no idea how to extend the validity of the certificate to be "forever", not just two years. [...] Oh, yes, I do, but I forgot. I had edited mkcert.sh:
#$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
#	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
#CER 20230602
$OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG \
	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
Seems I missed the second "365".
10 years is not "forever".
Ah, another post clarifies:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
or
CN = www.example.com
SAN.1 = www.example.com
SAN.2 = example.com
...
Ok, trying to create new certificates:
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real    0m0.012s
user    0m0.012s
sys     0m0.000s
Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
I have no idea what you did, where you added these lines or what this script does.

bor@bor-Latitude-E5450:/tmp/san$ cat san.cnf
[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.10.10.13
IP.2 = 10.10.10.14
IP.3 = 10.10.10.17
DNS.1 = centos8-2.example.com
DNS.2 = centos8-3.example.com
bor@bor-Latitude-E5450:/tmp/san$ openssl genrsa -out domain.key 2048
bor@bor-Latitude-E5450:/tmp/san$ openssl req -key domain.key -new -out domain.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
bor@bor-Latitude-E5450:/tmp/san$
bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt -extfile san.cnf -extensions req_ext
Certificate request self-signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -noout -text -in domain.crt | grep -A3 'X509v3 extensions'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.10.13, IP Address:10.10.10.14, IP Address:10.10.10.17, DNS:centos8-2.example.com, DNS:centos8-3.example.com
            X509v3 Subject Key Identifier:
bor@bor-Latitude-E5450:/tmp/san$

And SAN is just one /possible/ reason why certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
On Thursday, 2023-12-28 at 18:36 +0300, Andrei Borzenkov wrote:
On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to sign them by known CA, not to rely on force accepting them by any particular program. Certificates not signed by a trusted authority are by definition not to be trusted.
Yeah, well... this is going to be used only by myself in my own machines, inside the LAN. Using true certificates would be a waste.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
In a language I don't understand.

My certificates are:

/etc/ssl/private/dovecot.pem
/etc/ssl/private/dovecot.crt
/etc/dovecot/dh.pem

And are generated locally per the instructions in the dovecot package.
If it is "/etc/dovecot/dh.pem", I have no idea at all.
Also, I have no idea how to extend the validity of the certificate to be "forever", not just two years. [...] Oh, yes, I do, but I forgot. I had edited mkcert.sh:
# $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
#	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
# CER 20230602
$OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG \
	-out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
Seems I missed the second "365".
10 years is not "forever".
It is good enough :-) I could perhaps write down a hundred years. :-}
Ah, another post clarifies:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
or
CN = www.example.com
SAN.1 = www.example.com
SAN.2 = example.com
...
Ok, trying to create new certificates:
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real    0m0.012s
user    0m0.012s
sys     0m0.000s
Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
I have no idea what you did, where you added these lines or what this script does.
I am using the configuration and script files provided in the distribution.

/etc/dovecot/dovecot-openssl.cnf (copied from /usr/share/dovecot/dovecot-openssl.cnf and edited):

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI
C=ES

# State or Province Name (full name)
#ST=
ST=Murcia

# Locality Name (eg. city)
#L=Helsinki
L=Cartagena

# Organization (eg. company)
#O=Dovecot
O=Valinor

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN = telcontar.valinor
SAN = telcontar.valinor

# E-mail contact
#emailAddress=postmaster@example.com
emailAddress=postmaster@telcontar.valinor

[ cert_type ]
nsCertType = server

And the script is /etc/dovecot/mkcert.sh, (copied from /usr/share/dovecot/mkcert.sh and edited):

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/private
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.crt
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

#$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
#CER 20230602
$OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
bor@bor-Latitude-E5450:/tmp/san$ cat san.cnf
[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.10.10.13
IP.2 = 10.10.10.14
IP.3 = 10.10.10.17
DNS.1 = centos8-2.example.com
DNS.2 = centos8-3.example.com
bor@bor-Latitude-E5450:/tmp/san$ openssl genrsa -out domain.key 2048
bor@bor-Latitude-E5450:/tmp/san$ openssl req -key domain.key -new -out domain.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
bor@bor-Latitude-E5450:/tmp/san$
bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt -extfile san.cnf -extensions req_ext
Certificate request self-signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -noout -text -in domain.crt | grep -A3 'X509v3 extensions'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.10.10.13, IP Address:10.10.10.14, IP Address:10.10.10.17, DNS:centos8-2.example.com, DNS:centos8-3.example.com
            X509v3 Subject Key Identifier:
bor@bor-Latitude-E5450:/tmp/san$
And SAN is just one /possible/ reason why certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
(Thunderbird says nothing. It is dovecot which logs the complaint)

But what you do is not what they do in the dovecot thread I was reading. They did:

CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com

which I assumed goes into the dovecot certificate configuration file.

Maybe the utilities in Leap 15.4 are too old and do not recognize that syntax. :-?

--
Cheers,
Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On 28.12.2023 22:36, Carlos E. R. wrote:
On Thursday, 2023-12-28 at 18:36 +0300, Andrei Borzenkov wrote:
On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to sign them by known CA, not to rely on force accepting them by any particular program. Certificates not signed by a trusted authority are by definition not to be trusted.
Yeah, well... this is going to be used only by myself in my own machines, inside the LAN. Using true certificates would be a waste.
Which does not change a bit in the X.509 model. You must create CA and then sign certificate with this CA even if you do not realize it. openssl does it for you.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
In a language I don't understand.
In the time of ubiquitous Internet that is a feeble excuse. But if you do not want to spend time learning how to manage certificates, you have your CA that will add this information to the signed certificate for you. But if you refuse to use CA, you need to learn how to do it properly yourself. ...
Ah, another post clarifies:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
Most likely the poster did not intend to spoon feed you and give you step by step recipe, but just overall requirement. *How* to add the Subject Alternative Name extension is documented in openssl manuals and in hundreds of the Internet search hits.
or
CN = www.example.com
SAN.1 = www.example.com
SAN.2 = example.com
...
Ok, trying to create new certificates:
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real    0m0.012s
user    0m0.012s
sys     0m0.000s
Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
Yes, because SAN should go into different section in the configuration file. And SAN may be of different type and you need to give the exact type (is it name, or IP or something else).
I have no idea what you did, where you added these lines or what this script does.
I am using the configuration and script files provided in the distribution.
/etc/dovecot/dovecot-openssl.cnf (copied from /usr/share/dovecot/dovecot-openssl.cnf and edited):
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
That is the section SAN should go into (there are also other possibilities).
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
C=ES

# State or Province Name (full name)
#ST=
ST=Murcia

# Locality Name (eg. city)
#L=Helsinki
L=Cartagena

# Organization (eg. company)
#O=Dovecot
O=Valinor

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN = telcontar.valinor
SAN = telcontar.valinor
Not here. ...
And SAN is just one /possible/ reason why certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
(Thunderbird says nothing. It is dovecot which logs the complaint)
dovecot just informs you that a client did not like its certificate.
But what you do is not what they do in the dovecot thread I was reading.
I did add the Subject Alternative Name to the generated certificate. Exactly what they said.
They did:
CN = example.com
SAN.1 = example.com
SAN.2 = www.example.com
which I assumed goes into the dovecot certificate configuration file.
bor@bor-Latitude-E5450:/tmp/san$ diff -up carlos.conf ssl.conf --- carlos.conf 2023-12-29 11:05:22.348010259 +0300 +++ ssl.conf 2023-12-29 11:01:19.248547835 +0300 @@ -29,7 +29,7 @@ OU=IMAP server # Common Name (*.example.com is also possible) #CN=imap.example.com CN = telcontar.valinor -SAN = telcontar.valinor +#SAN = telcontar.valinor # E-mail contact @@ -39,3 +39,4 @@ emailAddress=postmaster@telcontar.valino [ cert_type ] nsCertType = server +subjectAltName = DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$ openssl req -new -x509 -nodes -config ssl.conf -out dovecot.crt -keyout devecot.pem .......................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ .............................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ----- bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -subject -fingerprint -noout -ext subjectAltName -in dovecot.crt subject=C = ES, ST = Murcia, L = Cartagena, O = Valinor, OU = IMAP server, CN = telcontar.valinor, emailAddress = postmaster@telcontar.valinor SHA1 Fingerprint=91:16:B5:2E:00:0E:8C:97:C9:65:0B:58:3F:C5:E7:8E:2E:01:A8:60 X509v3 Subject Alternative Name: DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$
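Review bot: the first hunk only comments out `SAN = telcontar.valinor` in `[ req_dn ]`; since `SAN` is not a distinguished-name attribute (it is exactly what produced the `invalid field name ... name=SAN` error quoted above), deleting the line outright would avoid leaving a comment that suggests it belongs in that section.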
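Review bot: the second hunk's `subjectAltName = DNS:telcontar.valinor` under `[ cert_type ]` is picked up because `[ req ]` declares `x509_extensions = cert_type`, and it repeats the CN, which is what the dovecot-list posts ask for; the check still missing is that the name matches what the client actually connects to. If the Thunderbird account points at the server's IP address (the quoted log shows `lip=192.168.1.14`), a DNS entry will not match and the line needs `, IP:192.168.1.14` appended, as in the earlier `san.cnf` example with `IP.1 = ...`. Also, the `openssl req -new -x509` invocation below the diff passes no `-days`, so the certificate it produces is valid for openssl's default of 30 days, unlike the edited `mkcert.sh` which passes `-days 3650`; and `-keyout devecot.pem` looks like a typo for `dovecot.pem`.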
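The reason the SAN line above fixes the problem is the name check a client performs on the server certificate: current mail clients and browsers match the hostname they were configured with against the subjectAltName entries only, so a certificate carrying the name in CN alone is rejected with alert 42 regardless of how fresh it is. The following is an added example (written for this page; not code from the thread, Thunderbird, openssl or dovecot) that reproduces that decision in plain Python on constructed certificate summaries built from the names on this page: the CN-only certificate the unchanged dovecot-openssl.cnf produces, the DNS-SAN one the diff produces, and a third with an added IP entry. It goes a little beyond the thread by also handling wildcard names (the `*.example.com` case mentioned in the config comment) and IP-literal targets, and it derives the `subjectAltName` line for `[ cert_type ]` from the list of endpoints clients will type in. The dict layout of the certificate summaries is my own simplification, not an openssl or NSS structure.

```python
import ipaddress

# Constructed certificate summaries: only the fields used for name matching.
# CERT_CN_ONLY is what the unchanged dovecot-openssl.cnf yields (SAN absent),
# CERT_DNS_SAN is what the subjectAltName line added in the diff yields,
# CERT_DNS_IP_SAN additionally lists the server address seen as lip= in the log.
CERT_CN_ONLY = {"cn": "telcontar.valinor", "san": []}
CERT_DNS_SAN = {"cn": "telcontar.valinor", "san": [("DNS", "telcontar.valinor")]}
CERT_DNS_IP_SAN = {"cn": "telcontar.valinor",
                   "san": [("DNS", "telcontar.valinor"), ("IP", "192.168.1.14")]}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is accepted only
    as the whole left-most label, needs at least two more labels after it,
    and matches exactly one label (so *.example.com does not match example.com
    or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def client_accepts_name(cert, target):
    """Decide whether a client that connected to `target` (hostname or IP
    literal) accepts `cert` on name grounds alone. Returns (accepted, reason).
    Mirrors current client behaviour: the CN is ignored, only SAN entries count,
    and an IP literal is compared against IP entries, never against DNS ones."""
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None
    if not cert["san"]:
        return False, "certificate has no subjectAltName (CN=%s is ignored)" % cert["cn"]
    for kind, value in cert["san"]:
        if wanted_ip is not None and kind == "IP" and ipaddress.ip_address(value) == wanted_ip:
            return True, "matched IP:%s" % value
        if wanted_ip is None and kind == "DNS" and dns_name_matches(value, target):
            return True, "matched DNS:%s" % value
    return False, "no SAN entry matches %s" % target


def san_line_for(endpoints):
    """Build the subjectAltName line for the [ cert_type ] section from the
    names and addresses clients will actually put in their account settings."""
    entries = []
    for ep in endpoints:
        try:
            ipaddress.ip_address(ep)
            entries.append("IP:" + ep)
        except ValueError:
            entries.append("DNS:" + ep)
    return "subjectAltName = " + ", ".join(entries)


if __name__ == "__main__":
    cases = [("CN only", CERT_CN_ONLY), ("DNS SAN", CERT_DNS_SAN), ("DNS+IP SAN", CERT_DNS_IP_SAN)]
    for label, cert in cases:
        for target in ("telcontar.valinor", "192.168.1.14"):
            print("%-10s %-18s %s" % (label, target, client_accepts_name(cert, target)))
    print(san_line_for(["telcontar.valinor", "192.168.1.14"]))
```

Running it shows the CN-only certificate failing for both targets, the DNS-SAN one passing only when the client uses the hostname, and the DNS+IP one passing for both; the last line prints the `subjectAltName = DNS:telcontar.valinor, IP:192.168.1.14` form that covers both ways of reaching the server.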
On Friday, 2023-12-29 at 11:32 +0300, Andrei Borzenkov wrote:
On 28.12.2023 22:36, Carlos E. R. wrote:
On Thursday, 2023-12-28 at 18:36 +0300, Andrei Borzenkov wrote:
On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to have them signed by a known CA, not to rely on forcing any particular program to accept them. Certificates not signed by a trusted authority are by definition not to be trusted.
Yeah, well... this is going to be used only by myself in my own machines, inside the LAN. Using true certificates would be a waste.
Which does not change a bit in the X.509 model. You must create a CA and then sign the certificate with this CA even if you do not realize it. openssl does it for you.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. Ie, I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
In a language I don't understand.
In the time of ubiquitous Internet that is a feeble excuse. But if you do not want to spend time learning how to manage certificates, you have your CA that will add this information to the signed certificate for you. But if you refuse to use a CA, you need to learn how to do it properly yourself.
I can not obtain an external certificate, I don't have a domain. I use a faked name. YaST no longer has the module to create certificate authorities and certificates. I would learn how to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies". The dummies part is important.
...
Ah, another post clarifies:
CN = example.com SAN.1 = example.com SAN.2 = www.example.com
Most likely the poster did not intend to spoon feed you and give you a step-by-step recipe, but just the overall requirement. *How* to add the Subject Alternative Name extension is documented in the openssl manuals and in hundreds of Internet search hits.
That is as good as non existing. I need the for dummies version.
...
Ok, trying to create new certificates:
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
...............+++++
........+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
problems making Certificate Request
140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

real 0m0.012s
user 0m0.012s
sys 0m0.000s
Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
Yes, because SAN should go into a different section of the configuration file. And a SAN may be of different types and you need to give the exact type (is it a name, or an IP, or something else).
Sigh.
I have no idea what you did, where you added these lines or what this script does.
I am using the configuration and script files provided in the distribution.
/etc/dovecot/dovecot-openssl.cnf (copied from /usr/share/dovecot/dovecot-openssl.cnf and edited):
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
That is the section SAN should go into (there are also other possibilities).
Ok, trying. [...] Yes, certificate created. Restarting dovecot. Trying Thunderbird on laptop... No go, same error.
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
C=ES

# State or Province Name (full name)
#ST=
ST=Murcia

# Locality Name (eg. city)
#L=Helsinki
L=Cartagena

# Organization (eg. company)
#O=Dovecot
O=Valinor

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
CN = telcontar.valinor
SAN = telcontar.valinor
Not here.
Understood.
...
And SAN is just one /possible/ reason why certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
(Thunderbird says nothing. It is dovecot which logs the complaint)
dovecot just informs you that a client did not like its certificate.
See note (1) at the end of the post. gist: the log entry is generated when trying to read mail on this desktop from the laptop.
But what you do is not what they do in the dovecot thread I was reading.
I did add the Subject Alternative Name to the generated certificate. Exactly what they said.
Ok, but you understand what they say, I don't. It is Chinese to me.
They did:
CN = example.com SAN.1 = example.com SAN.2 = www.example.com
which I assumed goes into the dovecot certificate configuration file.
And here you use two files, carlos.conf and ssl.conf, that I don't have and I don't know what they mean. The only configuration file I have is "dovecot-openssl.cnf", which at this instant is:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
SAN = telcontar.valinor
[ req_dn ]
C=ES
ST=Murcia
L=Cartagena
O=Valinor
OU=IMAP server
CN = telcontar.valinor
emailAddress=postmaster@telcontar.valinor
[ cert_type ]
nsCertType = server
Telcontar:/etc/dovecot #
bor@bor-Latitude-E5450:/tmp/san$ diff -up carlos.conf ssl.conf --- carlos.conf 2023-12-29 11:05:22.348010259 +0300 +++ ssl.conf 2023-12-29 11:01:19.248547835 +0300 @@ -29,7 +29,7 @@ OU=IMAP server # Common Name (*.example.com is also possible) #CN=imap.example.com CN = telcontar.valinor -SAN = telcontar.valinor +#SAN = telcontar.valinor
# E-mail contact @@ -39,3 +39,4 @@ emailAddress=postmaster@telcontar.valino
[ cert_type ] nsCertType = server +subjectAltName = DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$ openssl req -new -x509 -nodes -config ssl.conf -out dovecot.crt -keyout devecot.pem .......................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ .............................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ----- bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -subject -fingerprint -noout -ext subjectAltName -in dovecot.crt subject=C = ES, ST = Murcia, L = Cartagena, O = Valinor, OU = IMAP server, CN = telcontar.valinor, emailAddress = postmaster@telcontar.valinor SHA1 Fingerprint=91:16:B5:2E:00:0E:8C:97:C9:65:0B:58:3F:C5:E7:8E:2E:01:A8:60 X509v3 Subject Alternative Name: DNS:telcontar.valinor bor@bor-Latitude-E5450:/tmp/san$
Ok, using this config file:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/dovecot-openssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
SAN = telcontar.valinor
[ req_dn ]
C=ES
ST=Murcia
L=Cartagena
O=Valinor
OU=IMAP server
CN = telcontar.valinor
emailAddress=postmaster@telcontar.valinor
[ cert_type ]
nsCertType = server
Telcontar:/etc/dovecot #

And this script, using your modification:

Telcontar:/etc/dovecot # egrep -v "^[[:space:]]*$|^#" /etc/dovecot/mkcert.sh
umask 077
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/private
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.crt
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi
if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi
if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi
if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi
$OPENSSL req -new -x509 -nodes -days 20000 -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 20000 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -ext subjectAltName -in $CERTFILE || exit 2
Telcontar:/etc/dovecot #

Restarting dovecot, trying from laptop, same error.
Telcontar:/etc/dovecot # rm /etc/ssl/private/dovecot.*
Telcontar:/etc/dovecot # time bash ./mkcert.sh
Generating a RSA private key
..............................................................+++++
.............................+++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----

subject=C = ES, ST = Murcia, L = Cartagena, O = Valinor, OU = IMAP server, CN = telcontar.valinor, emailAddress = postmaster@telcontar.valinor
SHA1 Fingerprint=89:F7:D0:DE:FE:C3:1C:18:96:90:20:35:A4:1B:21:A8:0D:E8:A7:11

real 0m0.044s
user 0m0.039s
sys 0m0.005s
Telcontar:/etc/dovecot # systemctl restart dovecot

Note (1)

I found out that the log entry was generated when the Thunderbird in the laptop tried to read email on the desktop machine.

<2.6> 2023-12-29T12:53:11.468007+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<bfssraQNasDAqAIT>

ie: user=<>, rip=192.168.2.19, lip=192.168.1.14. The 192.168.1.14 machine is the desktop (Leap 15.4), where Dovecot is running. The 192.168.2.19 machine is the laptop (Leap 15.5). When the laptop tries to read an email on the desktop, the error log entry appears on the desktop, instantly.

The laptop also runs another Dovecot. There is no error there:

2023-12-29T13:03:06.704944+01:00 Laicolasse dovecot: imap-login: Login: user=<cer>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7945, TLS, session=<I1Sn0KQN0Lt/AAAB>

The certificate was generated in the same manner, back in July. The configuration of Thunderbird (laptop) is slightly different:

server name: localhost
username: cer
Connection security: STARTTLS
Authentication method: Normal Password.
And most importantly, there is an exception entry for localhost. That is the QUID of the question.

-- 
Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
"CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> I can not obtain an external certificate, I don't have a domain. I
CER> use a faked name.
CER> YaST no longer has the module to create certificate authorities and
CER> certificates.
CER> I would learn How to do it, if someone points me to a "how to create
CER> CA and certificates for dovecot that makes Thunderbird happy, for
CER> dummies".

As a starting point https://gist.github.com/Soarez/9688998

-- 
Life is endless possibilities, and there is choice!
On 29.12.2023 18:06, Togan Muftuoglu via openSUSE Users wrote:
"CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> I can not obtain an external certificate, I don't have a domain. I CER> use a faked name.
CER> YaST no longer has the module to create certificate authorities and CER> certificates.
CER> I would learn How to do it, if someone points me to a "how to create CER> CA and certificates for dovecot that makes Thunderbird happy, for CER> dummies".
As a starting point https://gist.github.com/Soarez/9688998
Not relevant to this discussion, but apparently OpenSSL introduced a bug since this page was created. The command

openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt

no longer creates the serial file. Looking at the sources, this file is never read or created when a CSR is used as input; a random serial number is generated. This seems to have changed in a huge commit in 2020. I do not know whether this particular behavior change was intentional, the commit message is not really descriptive. But I guess not, I fail to see the use of this "feature".
On 29.12.2023 15:30, Carlos E. R. wrote:
I would learn How to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies".
The dummies part is important.
Sorry, I do not know such a document. Certificate management is complex, and making a guide which is correct, reasonably complete and suitable for complete dummies is probably quite a challenging task by itself.

Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.

If you can describe the conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.

The format of cert_override.txt is pretty trivial and can be generated manually if necessary.
On 29.12.2023 18:47, Andrei Borzenkov wrote:
On 29.12.2023 15:30, Carlos E. R. wrote:
I would learn How to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies".
The dummies part is important.
Sorry, I do not know such a document. Certificate management is complex, and making a guide which is correct, reasonably complete and suitable for complete dummies is probably quite a challenging task by itself.
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
If you can describe the conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.
The format of cert_override.txt is pretty trivial and can be generated manually if necessary.
OK, actually I did get the same errors from dovecot. But I was also able to override them in TB. So this confirms that the problem is on the TB side. The self-signed certificate *is* invalid and always will be. Until you either enroll it as a trusted root (which strictly speaking is invalid as well: the same certificate cannot be used both for a CA and an end system without some form of exceptional override) or use client-side overrides. Why you do not get prompts from TB to add an exception I do not know. But that is also a rather different issue which has absolutely nothing to do with dovecot.
On 29.12.2023 21:41, Andrei Borzenkov wrote:
On 29.12.2023 18:47, Andrei Borzenkov wrote:
On 29.12.2023 15:30, Carlos E. R. wrote:
I would learn How to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies".
The dummies part is important.
Sorry, I do not know such a document. Certificate management is complex, and making a guide which is correct, reasonably complete and suitable for complete dummies is probably quite a challenging task by itself.
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
If you can describe the conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.
The format of cert_override.txt is pretty trivial and can be generated manually if necessary.
OK, actually I did get the same errors from dovecot. But I was also able to override them in TB. So this confirms that the problem is on the TB side. The self-signed certificate *is* invalid and always will be. Until you either enroll it as a trusted root (which strictly speaking is invalid as well: the same certificate cannot be used both for a CA and an end system without some form of exceptional override) or use client-side overrides.
Why you do not get prompts from TB to add exception I do not know. But that is also rather different issue which has absolutely nothing to do with dovecot.
And to continue with the SAN saga ... Apparently TB does a series of checks and returns the first problem found. With a self-signed certificate it never gets past the "no certificate authority" check, so SAN is completely irrelevant. Why TB does not return error 48 (to indicate a missing certificate authority) I do not know. I got 48 when I created an X509v1 certificate with an MD5 hash, which should be considered invalid today.

So I created my own CA, imported its certificate and signed a certificate for dovecot, which now becomes a certificate signed by a trusted CA, and *now* I got a completely different message from TB: that the certificate does not belong to this site and someone may be trying to impersonate it. At this point SAN becomes important, because only now does TB actually check it. To eliminate *this* error I had to add the Subject Alternative Name extension with the DNS name matching *exactly* the host name used on the *client* side. So the discussion on the dovecot mailing list was totally correct, as long as we are talking about a "real" certificate, not some self-signed mongrel.

And in case you still refuse to see behind the trees: no official public commercial CA was involved. No exceptions had to be accepted. And NSS can be configured to use the system-wide trust list, so the CA certificate needs to be deployed just once for all users, current and future.

Yes, certificate management is complicated. And no, you cannot expect to get a step-by-step guide for dummies that can be used under any conditions without applying your own brains to understand what you are doing and, more importantly, *why* you need to do exactly that.
On 2023-12-29 16:47, Andrei Borzenkov wrote:
On 29.12.2023 15:30, Carlos E. R. wrote:
I would learn How to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies".
The dummies part is important.
Sorry, I do not know such a document. Certificate management is complex, and making a guide which is correct, reasonably complete and suitable for complete dummies is probably quite a challenging task by itself.
Togan posted a nice link, but at some point I got lost. For instance:

The certificate is then sent to the issuer, and if he approves the request a certificate should be sent back.

Issuer? Who is the issuer? It is only me. I can not send anything to anyone. You will probably laugh, but a document that tries to be easy does not end up being easy. (The word "Issuer" is not defined prior to its first occurrence). So, forget it.
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
If you can describe conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.
An update led to the issue. It was working, and one day it was not. Not my doing.
The format of the cert_override.txt is pretty trivial and can be generated manually if necessary.
Huh, not that trivial. I searched, and posted several links I found about it. There is a program somewhere to generate the lines.

I just had an idea. Create a new Thunderbird profile with a single local account on my dovecot.

YES! The wizard asks me to instantly add an exception (for telcontar.valinor:143). If I ask to "get certificate", it stalls and everything greys out. I have to cancel and try again, and this time say "confirm exception".

I can see the "cert_override.txt". I will copy paste the line to the main profile, while it is stopped, then start it. I have to save this post and retake it later.

[...]

Doesn't work. The file "cert_override.txt" has the line for "telcontar.valinor", but Settings/Manage Certificates doesn't, and I still can not open mails in my local dovecot. YAGGGH!

I think that what is missing is that the certificate has to be imported into the "cert9.db" file. (Can't import the certificate, it can only do it from some https:// address)

-- 
Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
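The route Andrei describes a few posts up (a private CA whose certificate is imported once, and a server certificate whose SAN matches the exact name the client uses), together with the cert_override.txt line Carlos is trying to hand-craft here, as an added shell example. This is not code from the thread, from the dovecot package or from mkcert.sh; it writes its own OpenSSL config instead of editing dovecot-openssl.cnf, so nothing depends on the system openssl.cnf. The host name telcontar.valinor and the address 192.168.1.14 are the ones in Carlos's logs; the CA subject "Valinor private CA", the file names and the lifetimes are invented for the demo. The override line uses the three tab-separated fields (host:port, SHA-256 OID, SHA-256 fingerprint) that Andrei reports his TB writing later in the thread; whether a hand-inserted line is honoured by a given TB build is something to check, with TB closed while the profile is edited.

```shell
#!/bin/sh
# Added example, not code from the thread or from dovecot's mkcert.sh. Needs
# openssl 1.1.1 or newer. telcontar.valinor and 192.168.1.14 come from the
# thread; the CA subject, file names and lifetimes are invented for the demo.
set -eu

# write_cnf DIR CN SAN -> DIR/openssl.cnf with the DN and the extensions in
# separate sections. SAN is the literal subjectAltName value, for example
# "DNS:telcontar.valinor,IP:192.168.1.14" (a type prefix on every entry).
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
x509_extensions    = server_ext

[ req_dn ]
O  = Valinor
CN = $2

# "SAN = ..." is not a DN attribute (openssl: "invalid field name") and is
# silently ignored under [ req ]; the extension belongs in a section like this.
[ server_ext ]
subjectAltName       = $3
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR -> DIR/ca.key and DIR/ca.crt, the root that is imported into TB once.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$1/openssl.cnf" -subj "/O=Valinor/CN=Valinor private CA" \
    -extensions ca_ext -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert DIR -> DIR/dovecot.pem (key) and DIR/dovecot.crt (CA-signed).
# -extfile/-extensions are not optional: "openssl x509 -req" does not copy the
# CSR's extensions, so without them the signed certificate would carry no SAN.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -reqexts server_ext -keyout "$1/dovecot.pem" -out "$1/dovecot.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$1/dovecot.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions server_ext -out "$1/dovecot.crt" 2>/dev/null
  chmod 0600 "$1/dovecot.pem"
}

# self_signed DIR -> DIR/self.crt: the mkcert.sh kind of certificate, right name
# (even a SAN) but signed by nobody the client trusts.
self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$1/openssl.cnf" -keyout "$1/self.pem" -out "$1/self.crt" 2>/dev/null
}

# verify_as_client DIR CERT HOST -> 0 if CERT chains to DIR/ca.crt and its SAN
# matches HOST. Chain first, then name, the order a client uses: a self-signed
# certificate fails on the first step whatever its SAN says.
verify_as_client() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# san_of CERT -> the SAN value, or nothing if the extension is absent (the line
# present in Andrei's mkcert output and missing from Carlos's).
san_of() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null | sed -n '2s/^[[:space:]]*//p'
}

# override_line CERT HOST PORT -> a tab-separated cert_override.txt line with the
# three fields Andrei's TB writes: host:port, SHA-256 OID, SHA-256 fingerprint.
override_line() {
  fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//')
  printf '%s:%s\tOID.2.16.840.1.101.3.4.2.1\t%s\n' "$2" "$3" "$fp"
}

# demo DIR -> the whole flow in an empty directory; prints what to look at.
demo() {
  write_cnf "$1" telcontar.valinor "DNS:telcontar.valinor,IP:192.168.1.14"
  make_ca "$1"
  issue_server_cert "$1"
  self_signed "$1"
  echo "SAN: $(san_of "$1/dovecot.crt")"
  verify_as_client "$1" "$1/dovecot.crt" telcontar.valinor && echo "CA-signed, right name: accepted"
  verify_as_client "$1" "$1/dovecot.crt" laicolasse.valinor || echo "CA-signed, wrong name: rejected"
  verify_as_client "$1" "$1/self.crt" telcontar.valinor || echo "self-signed: rejected before the name is checked"
  override_line "$1/dovecot.crt" telcontar.valinor 143
}

if [ $# -gt 0 ]; then demo "$1"; fi   # usage: sh ca-demo.sh /tmp/san
```

To use the result, import ca.crt into Thunderbird (Settings, Manage Certificates, Authorities) or into the system trust store, point `ssl_cert` and `ssl_key` in 10-ssl.conf at dovecot.crt and dovecot.pem, and restart dovecot; `verify_as_client` is the offline stand-in for what TB does at connect time, and the wrong-name call shows why the SAN has to be the name the laptop actually uses, not just the name in the CN.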
"CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> Togan posted a nice link, but at some point I got lost. For instance:
CER> The certificate is then sent to the issuer, and if he approves
CER> the request a certificate should be sent back.
CER> Issuer? Who is the issuer? It is only me. I can not send anything to
CER> anyone.

You are missing the forest and just concentrated on a tree. Just follow the code and you will get all the things you need.

You are the issuer, so do you need to send it to someone or to yourself? No. Just keep the CA file in a handy place, you may need it again.

But the main question is, if it is your internal LAN, why do you even need an SSL certificate at all. Just set dovecot not to listen on SSL ports and don't ask for TLS settings.

CER> You will probably laugh, but a document that tries to be easy does
CER> not end being easy.

Check out my signature ;)

Have an easy going new year

Togan

-- 
Life is endless possibilities, and there is choice!
On 2023-12-29 21:11, Togan Muftuoglu via openSUSE Users wrote:
"CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> Togan posted a nice link, but at some point I got lost. For instance:
CER> The certificate is then sent to the issuer, and if he approves CER> the request a certificate should be sent back.
CER> Issuer? Who is the issuer? It is only me. I can not send anything to CER> anyone.
You are missing the forest and just concentrated on a tree. Just follow the code and you will get all the things you need.
You are the issuer, so do you need to send it to someone or to yourself? No. Just keep the CA file in a handy place, you may need it again.
But the main question is, if it is your internal LAN, why do you even need an SSL certificate at all. Just set dovecot not to listen on SSL ports and don't ask for TLS settings.
Because from the laptop to the main computer, in the LAN, it doesn't work without SSL. The problem is Thunderbird actually, not dovecot. Thunderbird, in the current profile, on two computers, does not ask about the certificate, does not prompt to make an exception. A new profile does work, but creating a new profile with all the accounts is quite a large undertaking. Previously it did work. Thunderbird has been rewritten in large part, and there are things that worked and now don't.
CER> You will probably laugh, but a document that tries to be easy does CER> not end being easy.
Check out my signature ;)
Have an easy going new year
Togan
--
Life is endless possibilities, and there is choice!
Heh. I will have a look at your new post, thanks. But now I just want to relax without thinking much about anything... -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 29.12.2023 23:58, Carlos E. R. wrote:
On 2023-12-29 21:11, Togan Muftuoglu via openSUSE Users wrote:
> "CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> Togan posted a nice link, but at some point I got lost. For instance:
CER> The certificate is then sent to the issuer, and if he approves CER> the request a certificate should be sent back.
CER> Issuer? Who is the issuer? It is only me. I can not send anything to CER> anyone.
You are missing the forest and just concentrated on a tree. Just follow the code and you will get all the things you need.
You are the issuer, so do you need to send it to someone or to yourself? No. Just keep the CA file in a handy place, you may need it again.
But the main question is, if it is your internal LAN, why do you even need an SSL certificate at all. Just set dovecot not to listen on SSL ports and don't ask for TLS settings.
Because from laptop to main computer, in the LAN, it doesn't work without SSL.
That's becoming ridiculous. You need SSL because you configured your systems to use SSL. Configure your systems to not use SSL.
The problem is Thunderbird actually, not dovecot. Thunderbird, in the current profile, on two computers, does not ask about the certificate, does not prompt to make an exception. A new profile does work, but creating a new profile with all the accounts is quite a large undertaking.
You have been told multiple times to use the real trusted CA to obtain your certificates. You refuse to do it. Now you pay the price of refusing to do it.
Previously it did work.
Without knowing what "previously" means exactly it does not offer any starting point. "Previously" Internet worked without SSL at all.
On Saturday, 2023-12-30 at 08:57 +0300, Andrei Borzenkov wrote:
On 29.12.2023 23:58, Carlos E. R. wrote:
On 2023-12-29 21:11, Togan Muftuoglu via openSUSE Users wrote:
>> "CER" == Carlos E R > writes:
...
But the main question is, if it is your internal LAN, why do you even need an SSL certificate at all. Just set dovecot not to listen on SSL ports and don't ask for TLS settings.
Because from laptop to main computer, in the LAN, it doesn't work without SSL.
That's becoming ridiculous. You need SSL because you configured your systems to use SSL. Configure your systems to not use SSL.
Some software I was using, I do not remember which, demanded SSL. And that was not a problem at the time, because TB just made exceptions fine.
The problem is Thunderbird actually, not dovecot. Thunderbird, in the current profile, on two computers, does not ask about the certificate, does not prompt to make an exception. A new profile does work, but creating a new profile with all the accounts is quite a large undertaking.
You have been told multiple times to use the real trusted CA to obtain your certificates. You refuse to do it. Now you pay the price of refusing to do it.
How can I use an external true certificate, when I have no real domain name?
Previously it did work.
Without knowing what "previously" means exactly it does not offer any starting point. "Previously" Internet worked without SSL at all.
Months ago. It started happening on 2023-06-15T13:46:55 with connections from the laptop to the desktop. Laptop has Leap 15.5, desktop has 15.4.

cer@Telcontar:~> zgrep "SSL alert number 42" /var/log/mail*z | less

archived logs start on /var/log/mail-20230103.xz (2022-12-04), problem entries start here:

/var/log/mail-20230703.xz:<2.6> 2023-06-15T13:46:55.903964+02:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.1.126, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<fnMNoCn+hqnAqAF+>

(older laptop; new laptop home was a clone from this one)

/var/log/mail-20230703.xz:<2.6> 2023-06-15T13:55:21.927621+02:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.17, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<YMI2vin+2qDAqAIR>

(new laptop, home clone made)

and continue till I departed from home:

/var/log/mail-20231226.xz:<2.6> 2023-08-14T14:03:48.444949+02:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aBri2uAC0p3AqAIT>

and continued when I came back from my travel:

/var/log/mail-20231226.xz:<2.6> 2023-12-13T04:42:10.399887+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 1 secs): user=<>, rip=192.168.2.22, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<N8Gy81sMbMbAqAIW>

These connections are just automatic attempts by the Thunderbird in the laptop to check for new email every 10 minutes on the desktop imap server. I was not looking at them, I don't normally need this. The connections from desktop TB to desktop Dovecot are not logged, yet they fail.

All that time, the connections from TB on the desktop to dovecot on the desktop were working. I did not realize the logs were talking about the laptop, so I renewed the certificate on the desktop machine this month, and then the current problem started, because the current TB is unable to make an exception for the new certificate. It doesn't even ask.

The connection from laptop TB to laptop dovecot is working perfectly. It has an exception in place and I have not touched it. The problem will be when the certificate expires.

[...]

The issue was solved by you finding how to tell TB to prompt about the certificate, in another post I happened to read before sending this. Thank you! :-)

-- 
Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
"CER" == Carlos E R <robin.listas@telefonica.net> writes:
CER> Togan posted a nice link, but at some point I got lost. For instance:
CER> The certificate is then sent to the issuer, and if he approves
CER> the request a certificate should be sent back.
CER> Issuer? Who is the issuer? It is only me. I can not send anything to
CER> anyone.
CER> You will probably laugh, but a document that tries to be easy does
CER> not end being easy.
CER> (The word "Issuer" is not defined prior to its first occurrence).
CER> So, forget it.

Try this one, no explanation, just copy, paste and run: https://gist.github.com/vansergen/231f30fbcbb597618aef746ed41edf30

-- 
Life is endless possibilities, and there is choice!
On 29.12.2023 22:46, Carlos E. R. wrote:
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
If you can describe conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.
An update led to the issue. It was working, and one day it was not. Not my doing.
The format of the cert_override.txt is pretty trivial and can be generated manually if necessary.
Huh, not that trivial. I searched, and posted several links I found about it. There is a program somewhere to generate the lines.
It has three fields - server:port, SHA256 OID and the SHA256 certificate fingerprint itself. It apparently may also contain a fourth field (specific certificate problems that are to be ignored) and a fifth field which is effectively an additional checksum, but my TB here did not generate them. It is the fifth field that is not trivial, yes. And yes, there is a Python script to generate all five fields.
I just had an idea. Create a new Thunderbird profile with a single local account on my dovecot.
YES! The wizard asks me to instantly add an exception (for telcontar.valinor:143). If I ask to "get certificate", it stalls and everything greys out. I have to cancel and try again, and this time say "confirm exception".
I can see the "cert_override.txt". I will copy paste the line to the main profile, while it is stopped, then start it.
I have to save this post and retake later.
[...]
Doesn't work. The file "cert_override.txt" has the line for "telcontar.valinor",
That is wrong. It has to be a line for the exact server + port number.

bor@bor-Latitude-E5450:~$ cat ~/.thunderbird/lug37pt8.default/cert_override.txt
# PSM Certificate Override Settings file
# This is a generated file! Do not edit.
localhost:1993: OID.2.16.840.1.101.3.4.2.1 79:24:B9:DE:7A:38:89:4E:07:30:95:70:A6:26:38:88:C2:05:9B:75:38:61:B4:17:16:CC:AA:44:1C:F2:61:D6
bor@bor-Latitude-E5450:~$
but Settings/Manage Certificates doesn't, and I still can not open mails in my local dovecot.
YAGGGH!
I think that what is missing is that the certificate has to be imported into "cert9.db" file.
(Can't import the certificate, it can only do from some https:// address)
On 2023-12-30 06:17, Andrei Borzenkov wrote:
On 29.12.2023 22:46, Carlos E. R. wrote:
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
THANK YOU, THANK YOU, THANK YOU, THANK YOU! That worked! YOoHOO! :-DDDDD
If you can describe conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.
An update led to the issue. It was working, and one day it was not. Not my doing.
The format of the cert_override.txt is pretty trivial and can be generated manually if necessary.
Huh, not that trivial. I searched, and posted several links I found about it. There is a program somewhere to generate the lines.
It has three fields - server:port, SHA256 OID and the SHA256 certificate fingerprint itself. It apparently may also contain a fourth field (specific certificate problems that are to be ignored) and a fifth field which is effectively an additional checksum, but my TB here did not generate them. It is the fifth field that is not trivial, yes. And yes, there is a Python script to generate all five fields.
I just had an idea. Create a new Thunderbird profile with a single local account on my dovecot.
YES! The wizard asks me to instantly add an exception (for telcontar.valinor:143). If I ask to "get certificate", it stalls and everything greys out. I have to cancel and try again, and this time say "confirm exception".
I can see the "cert_override.txt". I will copy paste the line to the main profile, while it is stopped, then start it.
I have to save this post and retake later.
[...]
Doesn't work. The file "cert_override.txt" has the line for "telcontar.valinor",
That is wrong. It has to be a line for the exact server + port number.
It was the correct port for the mode it had autodetected: "STARTTLS + Normal password". I reconfigured the old TB in the same mode. Currently I have (after adding the exception with the method you found) port 993, SSL/TLS + Normal password. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
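The lookup implied by Andrei's description of the file and by the port mix-up above, as an added example (not code from the thread or from Thunderbird): it parses cert_override.txt lines in the layout shown, derives a fingerprint from DER bytes, and reports why an entry for telcontar.valinor:143 does nothing for a connection to port 993. The DER bytes and the port-143 entry are constructed; the optional fifth field (dbKey) is kept but not validated.

```python
"""Check a Thunderbird cert_override.txt entry against a host, port and
certificate, the way TB does when it decides whether to trust a server.

Added example (not code from the thread or from Thunderbird). It assumes
the layout Andrei described: "host:port:", the SHA-256 OID, the
colon-separated SHA-256 fingerprint of the DER certificate, then an
optional error-bits field and an optional dbKey; the dbKey is stored but
not validated. Fields are split on whitespace, which handles the real
tab-separated file as well as the space-collapsed copies in the thread.
"""
import hashlib
import re
from dataclasses import dataclass

# OID Thunderbird writes to label the fingerprint algorithm (SHA-256).
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"
# 32 bytes as uppercase hex pairs separated by colons.
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


@dataclass(frozen=True)
class Override:
    host: str
    port: int
    fingerprint: str      # SHA-256 of the DER certificate, colon-separated
    error_bits: str = ""  # optional 4th field: which cert errors to ignore
    db_key: str = ""      # optional 5th field: not checked here


def fingerprint_of_der(der):
    """Colon-separated uppercase SHA-256 fingerprint of a DER-encoded cert."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_override_file(text):
    """Return {(host, port): Override}; reject lines TB would not honour."""
    overrides = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 fields")
        target, oid, fp = fields[:3]
        # The first field is "host:port:"; the trailing colon precedes an
        # (empty) origin-attributes suffix, so tolerate it either way.
        host, sep, port = target.rstrip(":").rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"line {lineno}: no port in {target!r}")
        if oid != SHA256_OID:
            raise ValueError(f"line {lineno}: unexpected OID {oid!r}")
        if not FP_RE.match(fp):
            raise ValueError(f"line {lineno}: malformed fingerprint {fp!r}")
        ov = Override(host, int(port), fp,
                      fields[3] if len(fields) > 3 else "",
                      fields[4] if len(fields) > 4 else "")
        overrides[(ov.host, ov.port)] = ov
    return overrides


def check_override(overrides, host, port, der):
    """Say whether an override applies to a connection to host:port.

    Returns "match", "fingerprint-mismatch", "wrong-port" or "none".
    "wrong-port" is the case from the thread: an entry for host:143 does
    nothing for a connection to host:993, because the key is host AND port.
    "fingerprint-mismatch" is what happens after the server certificate is
    regenerated: the old entry no longer covers the new certificate.
    """
    ov = overrides.get((host, port))
    if ov is not None:
        if ov.fingerprint == fingerprint_of_der(der):
            return "match"
        return "fingerprint-mismatch"
    if any(h == host for (h, _) in overrides):
        return "wrong-port"
    return "none"


# Constructed stand-in for a DER certificate (NOT a real certificate).
FAKE_DER = b"constructed stand-in for the telcontar.valinor DER certificate"
FAKE_FP = fingerprint_of_der(FAKE_DER)

# Constructed file: the localhost line Andrei posted plus an entry written
# for port 143 (STARTTLS), as in the manual edit described in the thread.
SAMPLE_FILE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file! Do not edit.\n"
    f"localhost:1993:\t{SHA256_OID}\t79:24:B9:DE:7A:38:89:4E:07:30:95:70:"
    "A6:26:38:88:C2:05:9B:75:38:61:B4:17:16:CC:AA:44:1C:F2:61:D6\n"
    f"telcontar.valinor:143:\t{SHA256_OID}\t{FAKE_FP}\n"
)

if __name__ == "__main__":
    ovs = parse_override_file(SAMPLE_FILE)
    for port in (143, 993):
        print(f"telcontar.valinor:{port} ->",
              check_override(ovs, "telcontar.valinor", port, FAKE_DER))
    # telcontar.valinor:143 -> match
    # telcontar.valinor:993 -> wrong-port
```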
On 2023-12-30 14:22, Carlos E. R. wrote:
On 2023-12-30 06:17, Andrei Borzenkov wrote:
On 29.12.2023 22:46, Carlos E. R. wrote:
Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated a self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
THANK YOU, THANK YOU, THANK YOU, THANK YOU!
That worked!
YOoHOO! :-DDDDD
To clarify for the archive: One has to click on the cloud shaped mini-icon on the top left corner of the left hand panel, with the INBOX selected. Other methods of "getting email" (in context menu, for instance, or background download) do not ask about the certificate.

Now, those of you reading this, as the certificate I configured to last 10 years, please be kind enough to point me to this post in Dec 2033 ;-)

/etc/ssl/private/dovecot.pem and /etc/ssl/private/dovecot.crt have a validity of 20000 days, counting from Dec 29 12:50, that is, 2078-10-01 12:50:00

(Hum. I just realized I can not write the year on crontab :-( )

The /etc/dovecot/dh.pem, I don't know what validity it has.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Sat, 30 Dec 2023 19:19:45 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
(Hum. I just realized I can not write the year on crontab :-( )
You can run a cron job every month that tests for the year first. (you could run it every minute if you wanted :)
On 2023-12-30 21:38, Dave Howorth wrote:
On Sat, 30 Dec 2023 19:19:45 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
(Hum. I just realized I can not write the year on crontab :-( )
You can run a cron job every month that tests for the year first. (you could run it every minute if you wanted :)
Sure :-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/30/23 07:22, Carlos E. R. wrote:
cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
THANK YOU, THANK YOU, THANK YOU, THANK YOU!
That worked!
What cert_override.txt is being modified? (and thank you for your write-up about the little-cloud icon -- that I had never seen before.... what do we call it? a "magic cloud obscure icon"? -- David C. Rankin, J.D.,P.E.
On Sunday, 2023-12-31 at 03:22 -0600, David C. Rankin wrote:
On 12/30/23 07:22, Carlos E. R. wrote:
cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
THANK YOU, THANK YOU, THANK YOU, THANK YOU!
That worked!
What cert_override.txt is being modified?
cer@Telcontar:~/.thunderbird/RANDOM.sequndus> cat cert_override.txt
# PSM Certificate Override Settings file
# This is a generated file! Do not edit.
telcontar.valinor:993: OID.2.16.840.1.101.3.4.2.1 89:7B:DE:72:F1:0B:1C:3C:...
...

Modifying it manually did not work. I wrote:

telcontar.valinor:143: OID.2.16.840.1.101.3.4.2.1 89:7B:DE:72:F1:0B:1C:3C:...

The different port is because at that point I was trying starttls instead of ssl/tls.
(and thank you for your write-up about the little-cloud icon -- that I had never seen before.... what do we call it? a "magic cloud obscure icon"?
I thought it was just decoration...

-- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On 31.12.2023 12:22, David C. Rankin wrote:
On 12/30/23 07:22, Carlos E. R. wrote:
cert_override.txt. So as far as I can tell it works as expected.
Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
It asks when I select INBOX from the dovecot account (may not be needed) and press "Get Messages" button. It does not ask when it attempts to download messages in the background.
THANK YOU, THANK YOU, THANK YOU, THANK YOU!
That worked!
What cert_override.txt is being modified?
(and thank you for your write-up about the little-cloud icon -- that I had never seen before.... what do we call it? a "magic cloud obscure icon"?
The https://bugzilla.mozilla.org/show_bug.cgi?id=1764770 is rather educational. It even describes how to configure TB to allow port 993 in certificate management dialogue (network.security.ports.banned.override with value 993).
On 2023-12-31 14:44, Andrei Borzenkov wrote:
On 31.12.2023 12:22, David C. Rankin wrote:
On 12/30/23 07:22, Carlos E. R. wrote:
(and thank you for your write-up about the little-cloud icon -- that I had never seen before.... what do we call it? a "magic cloud obscure icon"?
The
https://bugzilla.mozilla.org/show_bug.cgi?id=1764770
is rather educational. It even describes how to configure TB to allow port 993 in certificate management dialogue (network.security.ports.banned.override with value 993).
I'll copy it here, it seems significant.
https://bugzilla.mozilla.org/show_bug.cgi?id=1764770#c49
+++···························

This describes a workaround for if you never see the exception dialog after clicking "Get Messages".

One other thing I noticed is that there appears to be another way to override a bad certificate but it doesn't work. Specifically I'm referring to: Setting | Privacy & Security | Manage Certificates... | Servers | Add Exception...

You should be able to enter your configured imap server name and port and click "Get Certificate" and override it. However, when I entered mine, like this: wally.dbnet.lan:993 it just says no info and I see no network activity in wireshark.

I found that for this to work you have to add a new item in the TB Config Editor (Settings | General | Config Editor...). In the box at the top enter network.security.ports.banned.override, choose the "String" radio button and click +. Then enter the port number for imap TLS, 993 and click the blue "Save" button. Then probably restart TB.

Now when you enter your configured server name and port, e.g., wally.dbnet.lan:993 and click "Get Certificate", TB will successfully download the certificate and allow you to set the exception (permanent or temporary).

The only problem here is that this only works for security TLS (port 993) and not for STARTTLS (port 143). So you will need to switch your imap security from STARTTLS to SSL/TLS. (I think most servers that support STARTTLS also support TLS and is the preferred protocol.)

If I include 143 in the comma separated list of network.security.ports.banned.override ports, e.g., 993,143 I see the connection made to the server port 143 but imap command STARTTLS is never sent to begin the TLS handshake so it fails.

Re: https://stackoverflow.com/questions/63947262/thunderbird-78-how-to-add-secur...

Also after writing this I see that this issue has been mentioned in some other bug reports.
···························++-

Some comments say that you have to click the get messages button several times, it is random. Comment 52 says why the code is in that button.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-12-31 19:48, Carlos E. R. wrote:
On 2023-12-31 14:44, Andrei Borzenkov wrote:
On 31.12.2023 12:22, David C. Rankin wrote:
On 12/30/23 07:22, Carlos E. R. wrote:
(and thank you for your write-up about the little-cloud icon -- that I had never seen before.... what do we call it? a "magic cloud obscure icon"?
The
https://bugzilla.mozilla.org/show_bug.cgi?id=1764770
is rather educational. It even describes how to configure TB to allow port 993 in certificate management dialogue (network.security.ports.banned.override with value 993).
I'll copy it here, it seems significant.
Oh, and it is possible to activate a log. https://wiki.mozilla.org/MailNews:Logging -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/27/23 13:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT> <2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736

Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers)

I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.

Otherwise, you can't get rid of the old cert cached somewhere in the tbird profile and you end up having to install the new cert, restart dovecot, delete your mailbox from within tbird and re-create it and it will then, and only then, give you the ability to "create an exception" for your new self-signed cert.

Royal pain....

-- David C. Rankin, J.D.,P.E.
On 2023-12-28 06:16, David C. Rankin wrote:
On 12/27/23 13:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT> <2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736
Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers)
I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.
I refuse to use external certificates. Also, I use a faked domain, I don't have a true domain.
Otherwise, you can't get rid of the old cert cached somewhere in the tbird profile and you end up having to install new cert, restart dovecot, delete your mailbox from within tbird and re-create it and it will then, and only then, give you the ability to "create an exception" for your new self-signed cert.
Royal pain....
Ah, restart dovecot. I had forgotten that ingredient in the voodoo concoction. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/28/2023 08:59:51, Carlos E. R. wrote:
On 2023-12-28 06:16, David C. Rankin wrote:
On 12/27/23 13:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT> <2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736
Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers)
I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.
I refuse to use external certificates.
Do you care to express a reason for this?
Also, I use a faked domain, I don't have a true domain.
So, this setup does not communicate with the "outside world" at all? Only internal? If so, why bother with certificates at all? Who is going to "sniff" your comms?
On 2023-12-28 18:44, joe a wrote:
On 12/28/2023 08:59:51, Carlos E. R. wrote:
On 2023-12-28 06:16, David C. Rankin wrote:
On 12/27/23 13:12, Carlos E. R. wrote:
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736
Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers)
I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.
I refuse to use external certificates.
Do you care to express a reason for this?
It is ridiculous to use them in a LAN.
Also, I use a faked domain, I don't have a true domain.
So, this setup does not communicate with the "outside world" at all? Only internal?
Exactly.
If so, why bother with certificates at all? Who is going to "sniff" your comms?
Nobody. But some other software demanded it and refused to work, I don't remember which. I might at some point use it over internet, but my IP would still be dynamic, and the connection would perhaps be a tunnel over ssh. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Wednesday, 2023-12-27 at 23:16 -0600, David C. Rankin wrote:
On 12/27/23 13:12, Carlos E. R. wrote:
rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736
Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers)
I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.
Can't and won't. I don't have a domain, this is all inside a LAN with a faked domain.
Otherwise, you can't get rid of the old cert cached somewhere in the tbird profile and you end up having to install new cert, restart dovecot, delete your mailbox from within tbird and re-create it and it will then, and only then, give you the ability to "create an exception" for your new self-signed cert.
Royal pain....
I found some instructions here:
<https://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-to-dovecot-and-postfix>

* in the problematic email account in incoming mail server settings I temporarily changed the address of the mail server,
* I created a new account with the correct incoming mail server address, when receiving emails I accepted with no problem the certificate,
* I deleted the new account and I restored the correct address of the incoming mail server in the original account.

(on step 1, I had to restart TB).

Nah, doesn't work. The "new" account only sees the "INBOX" folder. The old one sees them all (many cached), sees the mails (probably cached), but can read none. It gets stuck at "checking mail server capabilities" for a long time. Oh, it gave up silently without reading the message. This is the dovecot log entry:

<2.6> 2023-12-28T21:01:33.228061+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<svraYZcNvofAqAIT>
<2.6> 2023-12-28T21:01:33.228453+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<PfvaYZcNxIfAqAIT>

I can work in TB by saying "security none". Huh, could, now it doesn't. Restart TB... now it works, after asking for my mail password (the user password to the Linux account).
Alpine is /happy/ with my certificates:

"O Gugle pus" {localhost/novalidate-cert/user=cer}in_gplus,

-- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On Wednesday, 2023-12-27 at 20:12 +0100, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
There is something I didn't realize in the message above:

user=<>, rip=192.168.2.19, lip=192.168.1.14

192.168.1.14 is this machine, telcontar. Now, 192.168.2.19? That's my DHCP range, it is actually my laptop machine, which has configured Telcontar as an account it can access. So, the log entries pertain to another machine, another Thunderbird!

If in the laptop I disable the connection security (set to none), then the laptop Thunderbird complains that Telcontar:imap doesn't support this authentication setting (none). THAT is the reason I need a certificate for dovecot in a LAN with a faked domain.

The log entry appears instantly in Telcontar when I try to read an email from the laptop. But the stupid Thunderbird doesn't ask about setting an exception or anything! :-/

Maybe I could set the exception manually in cert_override.txt, but the file says:

# PSM Certificate Override Settings file
# This is a generated file! Do not edit.
...
nimrodel.valinor:993: OID.2.16.840.1.101.3.4.2.1 E3:15:18:84:2E:F0:04:BE:29:E2:EC:13:E6:AD:F7:31:C5:4F:59:F1:D6:E8:EB:67:ED:DD:D6:E6:2D:3C:2E:1E

Besides the "do not edit" notice, I have no idea about how to find out what to write there, besides the host and port.

[...]

Found something, but it is not that simple...
<https://udn.realityripple.com/docs/Archive/Misc_top_level/Cert_override.txt>
<https://groups.google.com/g/mozilla.dev.security/c/wTUr2YNgzyQ>
and
<https://github.com/Osmose/firefox-cert-override>

Another idea would be to create my own certificate authority first, then the certificates. No idea how to go about that.

But it seems that there are many people with this problem. Even FF/TB devs.

-- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
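One way to read those dovecot log lines the way the message above eventually does, as an added example (not code from the thread or from Dovecot): it groups imap-login TLS-alert disconnects by rip and lip and names the alert, so the client that is rejecting the server certificate shows up at once. The failure lines are the ones quoted in the thread; the successful login line is constructed for contrast.

```python
"""Triage dovecot imap-login TLS handshake failures by client address.

Added example, not code from the thread or from Dovecot. A "sslv3 alert
bad certificate: SSL alert number 42" line on the server means the
*client* (rip) rejected the certificate the server (lip) presented, so
grouping by rip shows which Thunderbird is unhappy. Sample lines are the
ones quoted in the thread plus one constructed successful login.
"""
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2.2).
# In an IMAP login these are sent by the client when it rejects the
# server's certificate.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

FAIL_RE = re.compile(
    r"imap-login: Disconnected: .*?SSL alert number (?P<alert>\d+).*?"
    r"\brip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)


def parse_failures(lines):
    """Yield (rip, lip, alert) for each TLS-alert disconnect in the log."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m["rip"], m["lip"], int(m["alert"])


def summarize(lines):
    """Count failures per (client rip, server lip) pair, keyed by alert."""
    summary = defaultdict(Counter)
    for rip, lip, alert in parse_failures(lines):
        summary[(rip, lip)][alert] += 1
    return dict(summary)


def describe(summary):
    """One human-readable line per (client, server, alert) triple."""
    out = []
    for (rip, lip), alerts in sorted(summary.items()):
        for alert, n in sorted(alerts.items()):
            name = TLS_ALERTS.get(alert, "non-certificate alert")
            out.append(f"{rip} rejected the certificate presented by {lip}: "
                       f"{n}x alert {alert} ({name})")
    return out


# Lines from the thread (two from the 2023-12-27 message, one from the
# 2023-12-30 message, whose syslog prefix was not in the quote) plus one
# constructed successful login for contrast.
SAMPLE_LOG = [
    "<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: "
    "Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL "
    "routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, "
    "TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, "
    "session=<7qHpP4INzunAqAIT>",
    "<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: "
    "Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL "
    "routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, "
    "TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, "
    "session=<aqPpP4INwunAqAIT>",
    "dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() "
    "failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad "
    "certificate: SSL alert number 42 (no auth attempts in 1 secs): user=<>, "
    "rip=192.168.2.22, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: "
    "error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: "
    "SSL alert number 42, session=<N8Gy81sMbMbAqAIW>",
    # Constructed: a successful desktop-to-desktop login, which must not count.
    "<2.6> 2023-12-30T10:00:00.000000+01:00 Telcontar dovecot - - - imap-login: "
    "Login: user=<cer>, method=PLAIN, rip=192.168.1.14, lip=192.168.1.14, "
    "mpid=12345, TLS, session=<constructed>",
]

if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
    # 192.168.2.19 rejected the certificate presented by 192.168.1.14: 2x alert 42 (bad_certificate)
    # 192.168.2.22 rejected the certificate presented by 192.168.1.14: 1x alert 42 (bad_certificate)
```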
On 2023-12-27 20:12, Carlos E. R. wrote:
Summary:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
(that was attempts to connect from laptop to desktop) ...
I have this in my notes from the previous time it happened (in July):
Regenerate certificates.
+++....................
cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage Certificates, Servers tab. Then "Get messages / "cer", authorize cert.
....................++-
...
In Thunderbird, I have deleted the certificate, per my notes. The intention is that Thunderbird will now complain about the certificate, and I can add an exception, but it is not asking. I also restarted TB.
What can I do?
The problem was that one has to click on the cloud mini-icon at the top left of the left hand panel in Thunderbird to "get messages", and then TB asks about the certificate and allows you to make an exception. If you get to "get certificates" in some context menu, it doesn't work (today). If TB is attempting to connect in the background, it doesn't work.

And that solved the problem for me :-)

Some of you have insisted on me getting an external gratis certificate. Problem is, I don't have a true domain, but a faked one in my LAN. I understand they ask for a domain.

Some of you have asked why have a certificate at all if all I am using it is in a LAN. Well, I'll answer with a question: why has telnet been deprecated, removed from the default distribution, and everybody insists on using ssh, even in a LAN? Well, the reason for using a certificate with email is the same as for using ssh in a LAN. I don't need authentication, but I do want encryption.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Sat, 30 Dec 2023 20:39:11 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
Well, the reason for using a certificate with email is the same as for using ssh in a LAN. I don't need authentication, but I do want encryption.
ssh doesn't need a certificate to provide encryption.
On 2023-12-30 21:51, Dave Howorth wrote:
On Sat, 30 Dec 2023 20:39:11 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
Well, the reason for using a certificate with email is the same as for using ssh in a LAN. I don't need authentication, but I do want encryption.
ssh doesn't need a certificate to provide encryption.
Absolutely. I agree. But my purpose when using a certificate with Dovecot is to achieve encryption. It is not my choice to use such a complicated system, I use what is available... -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)