On 29/04/16 22:36, Sam Varshavchik wrote: >>> I finally have a 0.76.0 ubuntu install to test and trying to get this to >>> work... >>> >>> > - courier, courier-imap: add support for TLS SNI when Courier is built >>> > with OpenSSL. >>> >>> I've added this vhost settings but no sign the LetsEncrypt certificate is >>> being delivered to Thunderbird. >>> >>> ~ ls -1 /etc/courier/*renta.net >>> defaultdomain.ded1649.renta.net >>> dsnfrom.ded1649.renta.net >>> esmtpd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem >>> imapd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem >>> vhost.ded1649.renta.net > > Find the pid that's listening on localhost, then run strace on it. In my case > it's pid 15018. > > # strace -s 256 -f -o z -p 15018 > > Then, use couriertls like this: > > TLS_TRUSTCERTS=/etc/pki/tls/cert.pem TLS_VERIFYPEER=none couriertls \ > -host=localhost -port=143 -protocol=imap -verify=localhost > > Fedora installs all trusted certs in /etc/pki/tls/cert.pem; use the > equivalent for Debian, Ubuntu, etc… > > The connection attempt will fail to verify the "localhost" certificate, of > course. That's fine. Then: > > # grep imapd.pem z > 2734 access("/usr/lib/courier-imap/share/imapd.pem.localhost", R_OK) = -1 > ENOENT (No such file or directory) > 2734 access("/usr/lib/courier-imap/share/imapd.pem", R_OK) = 0 > 2734 open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 10 > > That shows that the server process tried to open imapd.pem.localhost, first.
Excellent, thank you Sam! Every variation I tried results in... 21989 access("/etc/courier/imapd.pem.xxx.xxx.104.254", R_OK) = -1 ENOENT (No such file or directory) 21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5 21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5 I don't seem to be able to use the -host=localhost parameter to couriertls. My "netstat -tanup" gives me... tcp6 0 0 :::465 :::* LISTEN 21926/couriertcpd tcp6 0 0 :::25 :::* LISTEN 21895/couriertcpd tcp6 0 0 :::993 :::* LISTEN 21947/couriertcpd tcp6 0 1 xxx.xxx.104.254:993 xxx.xxx.99.177:54272 FIN_WAIT1 - Which is odd but the last field does indeed show an ip4 connection. I used the below as I don't enable STARTTLS on 143 and -host=localhost results in an almost empty strace dump file (like it's not even hitting localhost at all)... ~ strace -s 256 -f -o z -p 21947 ~ TLS_TRUSTCERTS=/etc/ssl/certs TLS_VERIFYPEER=none couriertls -host=xxx.xxx.104.254 -port=993 -protocol=imap -verify=localhost And no matter if I use any combination of localhost, ded1649.renta.net or the IP for -host or -verify I always get the "imapd.pem.xxx.xxx.104.254" result above. - is a PTR record required for ded1649.renta.net? - is it possible the 0.76.0 package I am using is missing a build flag? - anything other than vhost.ded1649.renta.net and imapd.pem.ded1649.renta.net needed? ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users