CaCert certificate configuration help needed


CaCert certificate configuration help needed

gw1500se
I was not able to find specific help for configuring the crt file for CaCert. I gleaned from examples the following order:

server certificate
CaCert class 3 certificate
Cacert root certificate

However, when I try to configure my mail reading for IMAP, Dovecot shows the following error in the log:

dovecot: imap-login: Aborted login (no auth attempts):

I am assuming, based on searches for this error, that my crt file is not correct but I don't know what to do at this point. Can someone steer me in the right direction? TIA.

Re: CaCert certificate configuration help needed

lst_hoe02

Quoting gw1500se <[hidden email]>:

> I was not able to find specific help for configuring the crt file for CaCert.
> I gleaned from examples the following order:
>
> server certificate
> CaCert class 3 certificate
> Cacert root certificate
>
> However, when I try to configure my mail reading for IMAP, Dovecot shows the
> following error in the log:
>
> dovecot: imap-login: Aborted login (no auth attempts):
>
> I am assuming, based on searches for this error, that my crt file is not
> correct but I don't know what to do at this point. Can someone steer me in
> the right direction? TIA.
>
The server (Dovecot) needs the server certificate, the matching private key and the intermediate CAs, not the root CA. The client needs the root CA in its "trust store", so you have to make your client trust the CaCert root CA. For the Dovecot side have a look here:
http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards

Andreas



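Worked example for the server-side part of Andreas's answer. This is an added script, not something posted in the thread or shipped with Dovecot: it builds a throwaway root -> intermediate -> server PKI with openssl (the names "Toy Root CA", "Toy Intermediate CA" and "mail.example.test" are made up), assembles the file that goes into ssl_cert in the order Dovecot wants (server certificate first, then the intermediate, no root), and runs the checks you would run against a real CaCert-signed chain before restarting Dovecot.

```shell
#!/bin/sh
# Added example, not from the thread: toy PKI + the checks for Dovecot's ssl_cert file.
# All names below (Toy Root CA, Toy Intermediate CA, mail.example.test) are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_toy_pki() {
  # Root CA, self-signed. This is what belongs in the *client's* trust store
  # (the CaCert root in the thread), not in the file Dovecot serves.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt 2>/dev/null

  # Intermediate CA signed by the root (the "class 3" certificate in the thread).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out server.crt 2>/dev/null
}

# The file for ssl_cert: leaf first, then intermediates, and no root.
build_chain() { cat server.crt inter.crt > chain.crt; }

# Check 1: the first PEM block must be the server certificate; openssl (and so
# Dovecot) treat the first block of the file as the leaf.
chain_leaf_first() {
  [ "$(openssl x509 -in chain.crt -noout -subject)" = \
    "$(openssl x509 -in server.crt -noout -subject)" ]
}

# Check 2: the root is not in the chain file (two PEM blocks, not three).
chain_has_no_root() { [ "$(grep -c 'BEGIN CERTIFICATE' chain.crt)" -eq 2 ]; }

# Check 3: a client that trusts only the root can validate the leaf using the
# intermediates the server sends (-untrusted = "what comes over the wire").
verify_chain() { openssl verify -CAfile root.crt -untrusted chain.crt server.crt >/dev/null; }

# Check 4: ssl_key really belongs to ssl_cert (compare the public keys).
key_matches_cert() {
  [ "$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in server.key -pubout | openssl sha256)" ]
}

# Negative check: without the intermediate the leaf cannot be validated even by
# a client that trusts the root. That is why the intermediate must be served.
rejected_without_intermediate() {
  ! openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

main() {
  make_toy_pki
  build_chain
  chain_leaf_first; chain_has_no_root; verify_chain; key_matches_cert; rejected_without_intermediate
  echo "chain.crt is fit for ssl_cert; root.crt goes into the client's trust store"
}
main
```

For a real deployment replace the generated files with your CaCert-issued server.crt, the CaCert class 3 (intermediate) certificate and the CaCert root, and point ssl_cert at chain.crt and ssl_key at server.key. Appending the root to the chain file, as in the first post, is wasteful rather than fatal; the check flags it because the root's job is on the client, which is also where the "Aborted login (no auth attempts)" in the thread is decided.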

Re: CaCert certificate configuration help needed

gw1500se
Thanks for the reply. I guess I should have been more complete in my description. That is where I first started. Not only did that give me the error above but an additional error telling me I was missing the root CA for the signing authority. Searches on that error pointed me to the chained SSL certificates section. That eliminated the root CA error but I still have the posted error.

Perhaps I am still not recognizing which specific section I should be using in that document.

Re: CaCert certificate configuration help needed

Steffen Kaiser-9

On Thu, 4 Jul 2013, gw1500se wrote:

>
> Perhaps I am still not recognizing which specific section I should be using
> in that document.

Increase logging (http://wiki2.dovecot.org/Logging, esp. section "Logging
verbosity"), then try again and check what the MUA is displaying. If it
disconnects because of cert errors, the MUA displays the error.

Regards,

--
Steffen Kaiser

Re: CaCert certificate configuration help needed

gw1500se
Thanks. I think I turned on all the debug I can but the result is not at all helpful (to me).

Jul  4 13:33:02 public dovecot: auth: Debug: auth client connected (pid=29195)
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Jul  4 13:33:02 public dovecot: imap-login: Aborted login (no auth attempts): rip=74.176.153.21, lip=69.64.71.47, TLS
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify
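A way to read the verbose_ssl output above, and to act on Steffen's advice to turn logging up and then look at what the client does. This is an added script, not from the thread or from Dovecot: it walks the lines of one imap-login session, decodes the "SSL alert" lines (OpenSSL reports an alert as level*256 + description, which Dovecot logs as ret=, and where=0x4004 means the alert was read from the peer while 0x4008 means Dovecot wrote it) and prints a verdict. The sample logs are constructed: the first mirrors the session posted above with the addresses swapped for documentation ranges, the second is what the same session looks like when the client refuses the certificate during the handshake instead of completing it.

```shell
#!/bin/sh
# Added example, not from the thread: triage one imap-login session from a
# Dovecot log written with verbose_ssl = yes. Sample lines are constructed.
set -eu

SAMPLE_OK_THEN_HANGUP='Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Jul  4 13:33:02 public dovecot: imap-login: Aborted login (no auth attempts): rip=192.0.2.10, lip=192.0.2.1, TLS
Jul  4 13:33:02 public dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify'

# Constructed: the client sends a fatal unknown_ca alert (2*256 + 48 = 560) and
# the handshake never completes.
SAMPLE_UNKNOWN_CA='Jul  4 13:40:00 public dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Jul  4 13:40:00 public dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA
Jul  4 13:40:00 public dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed'

# TLS alert description byte -> name (RFC 5246 alert codes).
alert_name() {
  case $(( $1 % 256 )) in
    0)  echo close_notify ;;
    40) echo handshake_failure ;;
    42) echo bad_certificate ;;
    43) echo unsupported_certificate ;;
    44) echo certificate_revoked ;;
    45) echo certificate_expired ;;
    46) echo certificate_unknown ;;
    48) echo unknown_ca ;;
    70) echo protocol_version ;;
    *)  echo "alert_$(( $1 % 256 ))" ;;
  esac
}

# Alert level byte: 2 = fatal, 1 = warning.
alert_level() { [ $(( $1 / 256 )) -eq 2 ] && echo fatal || echo warning; }

# where=0x4004: alert read from the peer; where=0x4008: alert written by Dovecot.
alert_direction() { case $1 in 0x4004) echo received ;; 0x4008) echo sent ;; *) echo unknown ;; esac; }

# stdin: log lines of one session. Prints one verdict line.
classify_session() {
  handshake_done=0 no_auth=0 peer_alert=""
  while IFS= read -r line; do
    case $line in
      *"SSL negotiation finished successfully"*) handshake_done=1 ;;
      *"(no auth attempts)"*) no_auth=1 ;;
      *"SSL alert: where="*)
        where=${line##*where=}; where=${where%%,*}
        ret=${line##*ret=};     ret=${ret%%:*}
        if [ "$(alert_direction "$where")" = received ] && [ "$(alert_level "$ret")" = fatal ]; then
          peer_alert=$(alert_name "$ret")
        fi ;;
    esac
  done
  if [ -n "$peer_alert" ]; then
    # The client said why it left; a certificate alert means it does not trust what we served.
    echo "client-rejected-tls:$peer_alert"
  elif [ "$handshake_done" = 1 ] && [ "$no_auth" = 1 ]; then
    # Server-side TLS is fine: the client finished the handshake, then closed
    # without ever sending LOGIN/AUTHENTICATE. Look at the MUA, not at ssl_cert.
    echo "handshake-ok-client-left-before-auth"
  elif [ "$handshake_done" = 1 ]; then
    echo "handshake-ok"
  else
    echo "handshake-incomplete"
  fi
}

printf '%s\n' "$SAMPLE_OK_THEN_HANGUP" | classify_session
printf '%s\n' "$SAMPLE_UNKNOWN_CA" | classify_session
```

The posted session falls into the second branch: the only alert is a close_notify that Dovecot itself wrote after the client had gone, so the server's certificate file was accepted by OpenSSL and the decision to hang up was made on the client. Feed a real session in with something like `grep 'imap-login' /var/log/maillog | classify_session`, one session at a time.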

Re: CaCert certificate configuration help needed

gw1500se
FWIW, here is my doveconf output:

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
base_dir = /var/run/dovecot/
login_greeting = Dovecot on mydomain.com ready.
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/postfix/SSL/server.crt
ssl_key = </etc/postfix/SSL/server.key
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

Re: CaCert certificate configuration help needed

gw1500se
I think I am now close on this. It appears that the user is successfully authenticating via IMAP. However, I am getting permissions errors when it tries to write to the Maildir.

 dovecot: imap(dap): Error: mkdir(/home/dap/Maildir/.imap/INBOX) failed: Operation not permitted
Jul  4 15:02:04 public dovecot: imap(dap): Error: chown(/home/dap/Maildir/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=500(dap), group based on /var/mail/dap)

What am I missing in the previously posted doveconf? TIA.

Re: CaCert certificate configuration help needed

gw1500se
Got it. It seems that when Dovecot tries to create the user's local mail directory, it attempts to set the group as it is in /var/mail. This is not mentioned in the documentation anywhere I could find. That is where it fails. However, it turns out that if you turn off group permissions (0600) in /var/mail/* it will not try to set the group and the local directory is created successfully.
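The permission failure in the last two posts can be checked before it bites. This is an added script, not from the thread or from Dovecot: it reproduces the condition behind "chown(..., -1, 12(mail)) failed: Operation not permitted (egid=500(dap), group based on /var/mail/dap)". A non-root process may only chgrp to a group it is a member of, so when the INBOX spool has group permission bits and a group (here mail) the user is not in, the chgrp of the new ~/Maildir/.imap directory fails. The script reports which case a spool file is in; the demo runs on a constructed temp file, the real path is /var/mail/USER. Dropping the group bits (0600), as done above, is one fix; as I read Dovecot's documentation the other is setting mail_privileged_group to that group, which I have not verified here.

```shell
#!/bin/sh
# Added example, not from the thread: classify a mail spool file the way the
# failing chown above would see it. Uses GNU stat (Linux); BSD stat differs.
set -eu

# Prints "private", "shared-group-ok" or "conflict"; returns 0 only on conflict.
spool_group_state() {   # usage: spool_group_state /var/mail/USER USER
  spool=$1; user=$2
  grp=$(stat -c %G "$spool")                  # group the new dir would be chgrp'd to
  gbits=$(stat -c %A "$spool" | cut -c5-7)    # "rw-" for 0660, "---" for 0600
  if [ "$gbits" = "---" ]; then
    echo private; return 1      # no group bits: nothing to propagate, no chgrp attempted
  fi
  case " $(id -Gn "$user") " in
    *" $grp "*) echo shared-group-ok; return 1 ;;   # user is in the group, chgrp is allowed
    *)          echo conflict;        return 0 ;;   # chown(-1, gid) will fail with EPERM
  esac
}

# Demo on a constructed spool file; both states below are reachable without root.
demo() {
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  : > "$d/dap"
  chmod 0660 "$d/dap"; spool_group_state "$d/dap" "$(id -un)" || true
  chmod 0600 "$d/dap"; spool_group_state "$d/dap" "$(id -un)" || true
}
demo
```

Run it as `spool_group_state /var/mail/dap dap` on the affected host: "conflict" is the state the log above was produced in, and either 0600 on the spool or membership in (or privileged handling of) that group makes it go away.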