On 18.11.2019 22.30, Miro Igov via dovecot wrote:
> Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard
> certificates.
>
> Email clients connect fine, https://www.immuniweb.com/ssl/ tests show
> certificates are ok.
>
> However I can't make replication work when I add ssl = yes.
>
> Without ssl it works ok.
>
> I added verbose_ssl in config and error log shows:
>
> dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> From the other server 149.x.x.x I tested with openssl:
>
> openssl s_client -connect 188.x.x.x:12333 -crlf -CAfile /etc/pki/tls/cert.pem
>
> CONNECTED(00000003)
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
> verify return:1
> depth=0 C = FR, postalCode = 34980, ST = Occitanie, L = Montpellier, street = 123 Main str, O = My Company, OU = PremiumSSL Wildcard, CN = *.domain.com
> verify return:1
> …
> …
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-SHA384
>     Session-ID: 95CF7F07702A50CB7CDC5D478986B5A4682EA945C487E770550EE48BFEA53EBC
>     Session-ID-ctx:
>     Master-Key: ECC14F2EE03C04474992A651B3695D78A27A0B07529DB35F61F6FB5F5A5D51395432BDFF37F241BD4B3C4B9E1AB6A929
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1574108251
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>
> The configuration of the 2 servers below.
>
> 188.x.x.x
>
> # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.8 (b7b03ba2)
> # OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
> # Hostname: login.domain.com
> default_vsz_limit = 512 M
> doveadm_password = # hidden, use -P to show it
> mail_plugins = " notify replication"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> plugin {
>   mail_replica = tcp:149.x.x.x:12333
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap pop3
> replication_full_sync_interval = 10 mins
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     mode = 0666
>   }
>   unix_listener replication-notify {
>     mode = 0666
>   }
> }
> service doveadm {
>   inet_listener {
>     port = 12333
>     ssl = yes
>   }
> }
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     mode = 0666
>   }
> }
> ssl_cert = </etc/dovecot/ssl_chain.pem
> ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
> ssl_client_ca_file = /etc/pki/tls/cert.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
> local 91.x.x.x {
>   protocol imap {
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>     ssl_key = # hidden, use -P to show it
>   }
> }
> local 91.x.x.x {
>   protocol pop3 {
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>     ssl_key = # hidden, use -P to show it
>   }
> }
>
> 149.x.x.x
>
> # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-754.6.3.el6.x86_64 x86_64 CentOS release 6.10 (Final)
> # Hostname: prime.domain.com
> auth_mechanisms = plain login
> default_vsz_limit = 1 G
> disable_plaintext_auth = no
> doveadm_password = # hidden, use -P to show it
> mail_location = maildir:~/Maildir
> mail_plugins = " notify replication"
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Archive {
>     auto = subscribe
>     special_use = \Archive
>   }
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Spam {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = session=yes setcred=yes failure_show_msg=yes dovecot
>   driver = pam
> }
> plugin {
>   mail_replica = tcp:188.x.x.x:12333
> }
> protocols = imap pop3
> replication_full_sync_interval = 10 mins
> replication_max_conns = 11
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     mode = 0666
>   }
>   unix_listener replication-notify {
>     mode = 0666
>   }
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
> }
> service doveadm {
>   inet_listener {
>     port = 12333
>     ssl = yes
>   }
> }
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     mode = 0666
>   }
> }
> ssl_cert = </etc/dovecot/ssl_chain.pem
> ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!RC4:!IDEA:!3DES:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!CAMELLIA:!SEED
> ssl_client_ca_file = /etc/pki/tls/cert.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_max_userip_connections = 50
> }
> protocol pop3 {
>   pop3_uidl_format = %08Xu%08Xv
> }
> local 178.x.x.x {
>   protocol imap {
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>     ssl_key = # hidden, use -P to show it
>   }
> }
> local 178.x.x.x {
>   protocol pop3 {
>     ssl_cert = </etc/dovecot/ssl_chain.pem
>     ssl_key = # hidden, use -P to show it
>   }
> }
Hi!

You need to use tcps in mail_replica.

Aki
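A check for the mismatch Aki points to, added here as an example for this thread (it is not Dovecot's own tooling): it parses text in the format of `doveconf -n`, reads the scheme of `plugin/mail_replica` on the local host and the `ssl` flag of the peer's `service doveadm { inet_listener { ... } }`, and reports when a plaintext `tcp:` client is pointed at a TLS listener. The sample configurations are constructed to mirror the two servers above; since both servers in the thread share the same listener block, each one's config is used as the peer's as well. The hypothetical function names and the `tcp:`/`tcps:` scheme mapping used here are assumptions of this example.

```python
"""Added example for this thread (not Dovecot's own code): verify that the
replication client scheme in plugin/mail_replica matches the TLS setting of
the peer's `service doveadm { inet_listener { ssl = ... } }`.

Input is text in the format of `doveconf -n`. Sample configs below are
constructed to mirror the two servers in the thread."""


def parse_doveconf(text):
    """Flatten `doveconf -n` output into a {"block/.../key": value} dict.
    Nested block headers (e.g. `service doveadm {`) become path components,
    so the listener's ssl flag ends up under
    "service doveadm/inet_listener/ssl"."""
    settings = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # banner / comment lines
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def check_replica_tls(local_conf, peer_conf):
    """Compare the local mail_replica scheme with the peer's doveadm listener.

    tcp: is the plaintext doveadm protocol, tcps: the TLS-wrapped one.
    A plaintext client hitting a TLS listener is what produces the
    server-side 'SSL23_GET_CLIENT_HELLO:unknown protocol' failure quoted
    in the thread."""
    local = parse_doveconf(local_conf)
    peer = parse_doveconf(peer_conf)
    replica = local.get("plugin/mail_replica", "")
    scheme = replica.split(":", 1)[0] if ":" in replica else ""
    peer_ssl = peer.get("service doveadm/inet_listener/ssl", "no") == "yes"

    if scheme == "tcp" and peer_ssl:
        ok, reason = False, ("mail_replica uses tcp: but the peer's doveadm "
                             "listener has ssl = yes; use tcps:")
    elif scheme == "tcps" and not peer_ssl:
        ok, reason = False, ("mail_replica uses tcps: but the peer's doveadm "
                             "listener is plaintext; set ssl = yes on the peer")
    elif scheme not in ("tcp", "tcps"):
        ok, reason = False, "no tcp:/tcps: mail_replica configured in plugin { }"
    else:
        ok, reason = True, "replication client and peer listener agree"
    return {"scheme": scheme, "peer_listener_ssl": peer_ssl,
            "ok": ok, "reason": reason}


# Constructed to mirror the thread: the replica is reached over plaintext
# tcp: while the doveadm listener on the other side requires TLS.
BROKEN_CONF = """\
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
plugin {
  mail_replica = tcp:149.x.x.x:12333
}
service doveadm {
  inet_listener {
    port = 12333
    ssl = yes
  }
}
ssl_cert = </etc/dovecot/ssl_chain.pem
ssl_client_ca_file = /etc/pki/tls/cert.pem
"""

# Same listener, replica scheme changed to tcps: as the reply suggests.
FIXED_CONF = BROKEN_CONF.replace("tcp:149", "tcps:149")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        # Both servers in the thread use the same listener block, so the
        # peer's configuration is modelled with the same text.
        print(name, check_replica_tls(conf, conf))
```

Run it against the real output of `doveconf -n` from each host (local config as the first argument, the peer's as the second) to confirm that the client scheme and the listener's `ssl` setting agree before enabling TLS on the replication port.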
