For testing I've set the two variables TLS_CERTFILE and TLS_DHPARAMS to non-existing files (last char deleted), but I don't get any error messages when restarting imap-ssl.

TLS_CERTFILE=/etc/courier/imapd_startcom_20160719.cr
TLS_DHPARAMS=/etc/courier/dhparams.pe

And when I set the variable smtpd_tls_cert_file in main.cf of Postfix to a non-existing cert file (last char deleted),

smtpd_tls_cert_file = /etc/ssl/certs/mail.txbweb.de.20160719.cr

I get the same unknown protocol error message!

openssl s_client -starttls smtp -connect mail.txbweb.de:25
CONNECTED(00000003)
3074377404:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 330 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

This means that courier doesn't read my certificate even when it is set correctly? Is

"cat /etc/ssl/private/mail.txbweb.de.key /etc/ssl/certs/mail.txbweb.de.20160719.crt /etc/ssl/certs/startcom.sca.server2.crt > /etc/courier/imapd_startcom_20160719.crt"

still the correct method to create the cert file for courier-imap-ssl?

On 2016-07-31 18:32, Sam Varshavchik wrote:
> tba...@txbweb.de writes:
>
>> I use the default config file of imapd-ssl. I just defined the path to
>> the certificate. The other variables you mentioned aren't set and I
>> already generated a stronger dhparam.pem. Last year I already was
>> affected by a "bug"
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=1183650#c27) and a
>> stronger dhparam.pem was the solution. I repeated it with
>>
>> root@txbweb /etc/ssl/certs # rm /etc/courier/dhparams.pem
>> root@txbweb /etc/ssl/certs # DH_BITS=2048 mkdhparams
>>
>> This time, it doesn't help. The output of "openssl s_client -starttls
>> imap -connect mail.txbweb.de:143" should be the same as "openssl
>> s_client -starttls smtp -connect mail.txbweb.de:25", right? Very
>> confusing.
>
> They use different configuration files: imapd-ssl versus esmtpd-ssl.
>
> There must be some different config settings between them. In the end,
> it's the same SSL wrapper binary, couriertls, that negotiates the SSL
> connection based on the settings in each environment. Each
> configuration file is a slightly disguised shell script whose only
> purpose is to set the environment variables, which are read by
> couriertls to configure an SSL connection.
>
> If the settings are identical, the end result should be the same.
> couriertls does not know and does not care whether the connection is
> for SMTP or IMAP.
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Courier-imap mailing list
> Courier-imap@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
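The poster's two observations (a TLS_CERTFILE / TLS_DHPARAMS path that does not exist produces no error on restart, and uncertainty about whether the concatenated key + cert + chain file is laid out correctly) are both things a small pre-flight check can catch before the service is restarted. The script below is an added example, not code from the thread or from the Courier project: it parses the `VAR=path` assignments from an imapd-ssl style config and reports paths that do not exist, and it inspects a combined PEM file for exactly one private key block and at least one certificate block. TLS_CERTFILE and TLS_DHPARAMS come from the thread; TLS_TRUSTCERTS is assumed as a further Courier path variable. The PEM content in `demo()` is constructed placeholder text, not real key material.

```python
import os
import re
import tempfile

# One PEM block; the label (e.g. "RSA PRIVATE KEY", "CERTIFICATE") is captured
# and must match between BEGIN and END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Variables that imapd-ssl / esmtpd-ssl hand to couriertls as file paths.
# TLS_CERTFILE and TLS_DHPARAMS appear in the thread; TLS_TRUSTCERTS is assumed.
TLS_PATH_VARS = ("TLS_CERTFILE", "TLS_DHPARAMS", "TLS_TRUSTCERTS")
ASSIGNMENT = re.compile(
    r"^\s*(%s)=[\"']?([^\"'\s#]+)" % "|".join(TLS_PATH_VARS), re.M
)


def pem_block_labels(pem_text):
    """Return the BEGIN label of every PEM block in the file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_courier_certfile(pem_text):
    """Check that a combined TLS_CERTFILE holds exactly one private key and at
    least one certificate. Returns a list of problems; empty means it looks right."""
    labels = pem_block_labels(pem_text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no CERTIFICATE block found")
    return problems


def check_tls_paths(config_text):
    """Parse TLS_* path assignments from the config text and return
    {variable: path} for every referenced file that does not exist."""
    missing = {}
    for var, path in ASSIGNMENT.findall(config_text):
        if not os.path.isfile(path):
            missing[var] = path
    return missing


def demo():
    """Run both checks against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        combined = os.path.join(tmp, "imapd.pem")
        with open(combined, "w") as f:
            # Constructed placeholder blocks in the key / cert / chain order
            # the poster's cat command produces; no real key material.
            f.write("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
                    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CHAIN\n-----END CERTIFICATE-----\n")
        # Mirrors the poster's experiment: TLS_DHPARAMS points at a truncated,
        # non-existent file name, which couriertls did not complain about.
        config = "TLS_CERTFILE=%s\nTLS_DHPARAMS=%s\n" % (
            combined, os.path.join(tmp, "dhparams.pe"))
        with open(combined) as f:
            cert_problems = check_courier_certfile(f.read())
        missing = check_tls_paths(config)
        # A file with only a certificate (key forgotten) must be flagged.
        cert_only = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
        return {
            "cert_problems": cert_problems,
            "missing_vars": sorted(missing),
            "cert_only_problems": check_courier_certfile(cert_only),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%s: %s" % (k, v))
```

Running it against the real `/etc/courier/imapd-ssl` and the file TLS_CERTFILE names is a matter of reading those files and passing their text to `check_tls_paths` and `check_courier_certfile`; the point is to fail loudly on a missing or half-built file, which the service itself does not do.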