Re: Problem with Let's Encrypt Certificate

[Michael A. Peters]

On 02/18/2017 10:24 PM, Robert L Mathews wrote:

On 2/17/17 1:38 PM, chaouche yacine wrote:


Seems wrong to me too, Robert. If you put your private key inside
your certificate, won't it be sent to the client along with it ?


No; any SSL software that uses the file will extract the parts it needs
from it and convert them to its internal format for future use. It never
literally sends the file contents anywhere.

It's common and often recommended for a PEM file to contain everything
needed; see, for example, the bottom section of:

 https://www.digicert.com/ssl-support/pem-ssl-creation.htm

Doing this avoids the key and certificate files getting out of sync later.



I don't use Let's Encrypt but to avoid them getting out of sync, I 
simply put a time stamp in the filename, e.g.


/etc/pki/tls/private/deviant.email-20160427.key
/etc/pki/tls/certs/deviant.email-20160427.crt

I never re-use a private key, when a cert expires I always generate a 
new private key with a new CSR.


That's one of the reasons I don't like Let's Encrypt, with one year 
certs it is easier to look at the certs and see what is going to expire 
in the coming month needing a new private key.


Let's Encrypt does 3 month certs and re-uses the private key when it 
generates a new cert.


I'm sure it probably could be scripted to use a new private key every 
time but then I have to have to update the TLSA record frequently (and 
you have to have the new fingerprint TLSA record in DNS before you start 
using it) and that would be a hassle.


I'm sure it probably could also be scripted to use a new private key 
every fourth time, too.


But for me its just easier to have certs that last a year and I can 
easily visually see what is going to need my action.

Re: Problem with Let's Encrypt Certificate

[Robert L Mathews]

On 2/17/17 1:38 PM, chaouche yacine wrote:

> Seems wrong to me too, Robert. If you put your private key inside
> your certificate, won't it be sent to the client along with it ?

No; any SSL software that uses the file will extract the parts it needs
from it and convert them to its internal format for future use. It never
literally sends the file contents anywhere.

It's common and often recommended for a PEM file to contain everything
needed; see, for example, the bottom section of:

 https://www.digicert.com/ssl-support/pem-ssl-creation.htm

Doing this avoids the key and certificate files getting out of sync later.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/

Re: Problem with Let's Encrypt Certificate

[@lbutlr]

On 2017-02-17 (11:28 MST), Robert L Mathews  wrote:
> 
> ssl_cert =  ssl_key =  You're also manually specifying these non-default parameters:
> 
> ssl_cipher_list = ...
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3
> 
> For testing, I would simplify. Does it work without any of those three
> things set?

ssl_protocols = !SSLv2 !SSLv3

is a sensible setting (and should be the default) a no one should still be 
supporting SSLv2 or SSLv3. I do not have the other settings.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

Re: Problem with Let's Encrypt Certificate

[@lbutlr]

On 2017-02-17 (09:58 MST), Bastian Sebode  wrote:
> 
> Weirdly my friend uses the same Dovecot Version with Let's Encrypt on
> his Server and it works with Thunderbird without any flaws. Mine fails
> the same way in his Thunderbird and also in a fresh installation.

Well, at least you’ve narrowed the fault down to Thrunderbird.

Are you using TB through a proxy? Do you have a corporate LAN or an anti-virus 
that is behaving as a man-in-the-middle (Anything that claims to protect your 
web-browsing)?

Have you tried from a different connection? Maybe on a different machine with 
“identical” settings?

Usually errors like these indicate you are not getting the secured connection 
you think you are.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

doveadm: Fatal: All your namespaces have a location setting

[Ben]

Hi,

I am trying to migrate mail from an old server and am receiving the 
following error :


doveadm(u...@example.com): Fatal: All your namespaces have a location 
setting. Only namespaces with empty location settings are converted. 
(One namespace should default to mail_location setting)


I found an old thread 
(http://www.dovecot.org/list/dovecot/2012-September/068269.html) that 
referred to "location" being set.


However this is not the case with me, my config reads:
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}

My dsync conf looks as follows :
imapc_host = old-server.example.com
imapc_user = %u
imapc_features = rfc822.size
imapc_features = $imapc_features fetch-headers
mail_prefetch_count = 20
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = yes

The command I'm calling is:

sudo -u my_dovecot_user doveadm -c /etc/dovecot/dsync_config.conf -o 
mail_fsync=never backup -R -u u...@example.com imapc:

Re: Sieve not filtering

[Ben]

What I did when encountering a similar issue was to take one of the messages 
from INBOX that should have been moved elsewhere and use sieve-test on it:

sieve-test -Tlevel=matching  

That generates a lot of output as it goes through every line of the sieve file 
and shows the actual values that are used for the tests.  However, it pointed 
out my problem quite clearly.



Thank you for this.

Actually, after many hours of head-bashing, I discovered the problem.

sieve doesn't work when you're just using telnet port 25 !

I was doing :
ehlo test
mail from:sen...@example.com
rcpt to:re...@example.com
data
Subject: hello world
Hello World !
.

With the above, sieve was simply sending everything to INBOX

When I changed my methodology :
ehlo test
mail from:sen...@example.com
rcpt to:re...@example.com
data
From:
To:
Subject: hello world
Hello World !
.

It worked as expected.

Issue connecting to dovecot from remote machine

[Antoine Sirven]

Hi,
I've set up a postfix +dovecot configuration on my debian jessie.
But I have a connection issue. When I try to connect from thunderbird it
doesn not work. When I check out my debug logs I get :
 auth-worker(22252): Info: pam(myuser,hostIP): pam_authenticate()
failed: Authentication failure (password mismatch?) (given password:
correctPassword)

Running doveadm auth test tells me I can authenticate with the same
password.
So I tried connecting via openssl.
When I connect from my local host, everything goes fine :
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
a login myUser myPassword
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH
ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY
MOVE] Logged in


But when I run the same thing from my remote laptop, I never get any
reply from the imap server. It's as if the request wasn't reaching the
server. Although I do get a first reply from the server, I just can't
log in.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
a login myUser myPassword

(... and then nothing...)

The port is properly open when I run nmap.
I really don't get what's wrong.
Any of you has any idea?
Here are my versions & conf :

# dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab120.16 x86_64 Debian 8.7
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login cram-md5
auth_verbose = yes
auth_verbose_passwords = yes
disable_plaintext_auth = no
info_log_path = /var/log/maildebug.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = failure_show_msg=yes session=yes dovecot
  driver = pam
}
passdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
group = postfix
mode = 0666
user = postfix
  }
}
service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
port = 0
  }
  inet_listener pop3s {
port = 0
  }
}
ssl = required
ssl_cert =