On 29/04/16 22:36, Sam Varshavchik wrote:
>>> I finally have a 0.76.0 ubuntu install to test and trying to get this to
>>> work...
>>>
>>> > - courier, courier-imap: add support for TLS SNI when Courier is built 
>>> > with OpenSSL.
>>>
>>> I've added this vhost settings but no sign the LetsEncrypt certificate is
>>> being delivered to Thunderbird.
>>>
>>> ~ ls -1 /etc/courier/*renta.net
>>> defaultdomain.ded1649.renta.net
>>> dsnfrom.ded1649.renta.net
>>> esmtpd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> imapd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> vhost.ded1649.renta.net
>
> Find the pid that's listening on localhost, then run strace on it. In my case 
> it's pid 15018.
>
> # strace -s 256 -f -o z -p 15018
>
> Then, use couriertls like this:
>
> TLS_TRUSTCERTS=/etc/pki/tls/cert.pem TLS_VERIFYPEER=none couriertls \
>     -host=localhost -port=143 -protocol=imap -verify=localhost
>
> Fedora installs all trusted certs in /etc/pki/tls/cert.pem; use the 
> equivalent for Debian, Ubuntu, etc…
>
> The connection attempt will fail to verify the "localhost" certificate, of 
> course. That's fine. Then:
>
> # grep imapd.pem z
> 2734  access("/usr/lib/courier-imap/share/imapd.pem.localhost", R_OK) = -1 ENOENT (No such file or directory)
> 2734  access("/usr/lib/courier-imap/share/imapd.pem", R_OK) = 0
> 2734  open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 10
>
> That shows that the server process tried to open imapd.pem.localhost, first.

Excellent, thank you Sam! Every variation I tried results in...

21989 access("/etc/courier/imapd.pem.xxx.xxx.104.254", R_OK) = -1 ENOENT (No such file or directory)
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5

I don't seem to be able to use the -host=localhost parameter to couriertls.

My "netstat -tanup" gives me...

tcp6       0      0 :::465                  :::*                    LISTEN      21926/couriertcpd
tcp6       0      0 :::25                   :::*                    LISTEN      21895/couriertcpd
tcp6       0      0 :::993                  :::*                    LISTEN      21947/couriertcpd
tcp6       0      1 xxx.xxx.104.254:993     xxx.xxx.99.177:54272    FIN_WAIT1   -

Which is odd, but the last line does indeed show an IPv4 connection.

I used the below as I don't enable STARTTLS on 143 and -host=localhost
results in an almost empty strace dump file (like it's not even hitting
localhost at all)...

~ strace -s 256 -f -o z -p 21947
~ TLS_TRUSTCERTS=/etc/ssl/certs TLS_VERIFYPEER=none couriertls \
    -host=xxx.xxx.104.254 -port=993 -protocol=imap -verify=localhost

And no matter which combination of localhost, ded1649.renta.net or the IP I
use for -host or -verify, I always get the "imapd.pem.xxx.xxx.104.254" result
above.

- is a PTR record required for ded1649.renta.net?

- is it possible the 0.76.0 package I am using is missing a build flag?

- anything other than vhost.ded1649.renta.net and imapd.pem.ded1649.renta.net 
needed?
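The strace-and-grep step Sam describes (and the output quoted in this reply) can be read mechanically: the access() calls show which per-name certificate file the server probed, and the successful open() shows which file it actually served. The small parser below is an added example written for this thread, not code from the Courier project or from either poster; it assumes the strace line shapes shown above (pid prefix, access(...R_OK) and open()/openat() with O_RDONLY) and uses constructed sample lines with the documentation address 192.0.2.10 and the hostname mail.example.net in place of the redacted values. A lookup keyed on an IP address rather than a hostname, with a fall-back to the plain imapd.pem, is exactly the symptom reported in this message.

```python
"""Read an strace capture of a Courier TLS daemon and report which
per-name certificate file (imapd.pem.<name> / esmtpd.pem.<name>) it
probed and which file it finally opened."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# strace -f prefixes each line with the pid; -s 256 keeps paths unabridged.
# Newer glibc issues openat(AT_FDCWD, ...) instead of open(), so accept both.
ACCESS_RE = re.compile(
    r'^(?P<pid>\d+)\s+access\("(?P<path>[^"]+)",\s*R_OK\)\s*=\s*(?P<ret>-?\d+)')
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",'
    r'\s*O_RDONLY\)\s*=\s*(?P<ret>-?\d+)')


class CertLookup(NamedTuple):
    probed: List[str]          # per-name candidate files checked with access()
    names: List[str]           # suffix the server appended to the base file name
    opened: Optional[str]      # certificate file actually opened, if any
    name_is_ip: bool           # True when a probed suffix parses as an IP address
    served_vhost_cert: bool    # True when a per-name file is the one opened


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def parse_cert_lookup(strace_text: str, base: str = "imapd.pem") -> CertLookup:
    """Walk the capture in order; the first successful open() of the base
    file or a per-name variant is the certificate the client was given."""
    probed: List[str] = []
    names: List[str] = []
    opened: Optional[str] = None
    for line in strace_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            path = m.group("path")
            fname = path.rsplit("/", 1)[-1]
            if fname.startswith(base + "."):
                probed.append(path)
                names.append(fname[len(base) + 1:])
            continue
        m = OPEN_RE.match(line)
        if m and opened is None and int(m.group("ret")) >= 0:
            fname = m.group("path").rsplit("/", 1)[-1]
            if fname == base or fname.startswith(base + "."):
                opened = m.group("path")
    name_is_ip = any(_is_ip(n) for n in names)
    served = opened is not None and opened in probed
    return CertLookup(probed, names, opened, name_is_ip, served)


def summarize(result: CertLookup) -> str:
    """One-line verdict a defender can paste into a ticket."""
    if result.served_vhost_cert:
        return "per-name certificate served: %s" % result.opened
    if result.name_is_ip:
        return ("lookup keyed on an IP address (%s), not a hostname; fell back to %s"
                % (", ".join(result.names), result.opened))
    if result.probed:
        return ("no per-name file for %s; fell back to %s"
                % (", ".join(result.names), result.opened))
    return "no per-name lookup seen; opened %s" % result.opened


# Constructed sample captures (not real traffic). The first mirrors the
# failure in this thread; the second shows what a working SNI lookup looks like.
SAMPLE_FALLBACK = """\
21989 access("/etc/courier/imapd.pem.192.0.2.10", R_OK) = -1 ENOENT (No such file or directory)
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
"""
SAMPLE_VHOST = """\
2734  access("/etc/courier/imapd.pem.mail.example.net", R_OK) = 0
2734  openat(AT_FDCWD, "/etc/courier/imapd.pem.mail.example.net", O_RDONLY) = 10
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FALLBACK, SAMPLE_VHOST):
        print(summarize(parse_cert_lookup(sample)))
```

Run it against the file written by `strace -s 256 -f -o z -p <pid>` (pass `base="esmtpd.pem"` for the SMTP daemon). The useful signal is the suffix in the probed name: a hostname means the SNI value reached the server and only the matching file is missing; an IP address or no probe at all means the name never arrived in a usable form, so adding more vhost files will not help.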


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
