Re: Problem with Let's Encrypt Certificate
On 02/18/2017 10:24 PM, Robert L Mathews wrote: On 2/17/17 1:38 PM, chaouche yacine wrote: Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ? No; any SSL software that uses the file will extract the parts it needs from it and convert them to its internal format for future use. It never literally sends the file contents anywhere. It's common and often recommended for a PEM file to contain everything needed; see, for example, the bottom section of: https://www.digicert.com/ssl-support/pem-ssl-creation.htm Doing this avoids the key and certificate files getting out of sync later. I don't use Let's Encrypt but to avoid them getting out of sync, I simply put a time stamp in the filename, e.g. /etc/pki/tls/private/deviant.email-20160427.key /etc/pki/tls/certs/deviant.email-20160427.crt I never re-use a private key, when a cert expires I always generate a new private key with a new CSR. That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key. Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert. I'm sure it probably could be scripted to use a new private key every time but then I have to have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle. I'm sure it probably could also be scripted to use a new private key every fourth time, too. But for me its just easier to have certs that last a year and I can easily visually see what is going to need my action.
Re: Problem with Let's Encrypt Certificate
On 2/17/17 1:38 PM, chaouche yacine wrote: > Seems wrong to me too, Robert. If you put your private key inside > your certificate, won't it be sent to the client along with it ? No; any SSL software that uses the file will extract the parts it needs from it and convert them to its internal format for future use. It never literally sends the file contents anywhere. It's common and often recommended for a PEM file to contain everything needed; see, for example, the bottom section of: https://www.digicert.com/ssl-support/pem-ssl-creation.htm Doing this avoids the key and certificate files getting out of sync later. -- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
Re: Problem with Let's Encrypt Certificate
On 2017-02-17 (11:28 MST), Robert L Mathewswrote: > > ssl_cert = ssl_key = You're also manually specifying these non-default parameters: > > ssl_cipher_list = ... > ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv2 !SSLv3 > > For testing, I would simplify. Does it work without any of those three > things set? ssl_protocols = !SSLv2 !SSLv3 is a sensible setting (and should be the default) a no one should still be supporting SSLv2 or SSLv3. I do not have the other settings. -- Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Problem with Let's Encrypt Certificate
On 2017-02-17 (09:58 MST), Bastian Sebodewrote: > > Weirdly my friend uses the same Dovecot Version with Let's Encrypt on > his Server and it works with Thunderbird without any flaws. Mine fails > the same way in his Thunderbird and also in a fresh installation. Well, at least you’ve narrowed the fault down to Thrunderbird. Are you using TB through a proxy? Do you have a corporate LAN or an anti-virus that is behaving as a man-in-the-middle (Anything that claims to protect your web-browsing)? Have you tried from a different connection? Maybe on a different machine with “identical” settings? Usually errors like these indicate you are not getting the secured connection you think you are. -- Apple broke AppleScripting signatures in Mail.app, so no random signatures.
doveadm: Fatal: All your namespaces have a location setting
Hi, I am trying to migrate mail from an old server and am receiving the following error : doveadm(u...@example.com): Fatal: All your namespaces have a location setting. Only namespaces with empty location settings are converted. (One namespace should default to mail_location setting) I found an old thread (http://www.dovecot.org/list/dovecot/2012-September/068269.html) that referred to "location" being set. However this is not the case with me, my config reads: namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } My dsync conf looks as follows : imapc_host = old-server.example.com imapc_user = %u imapc_features = rfc822.size imapc_features = $imapc_features fetch-headers mail_prefetch_count = 20 imapc_port = 993 imapc_ssl = imaps imapc_ssl_verify = yes The command I'm calling is: sudo -u my_dovecot_user doveadm -c /etc/dovecot/dsync_config.conf -o mail_fsync=never backup -R -u u...@example.com imapc:
Re: Sieve not filtering
What I did when encountering a similar issue was to take one of the messages from INBOX that should have been moved elsewhere and use sieve-test on it: sieve-test -Tlevel=matching That generates a lot of output as it goes through every line of the sieve file and shows the actual values that are used for the tests. However, it pointed out my problem quite clearly. Thank you for this. Actually, after many hours of head-bashing, I discovered the problem. sieve doesn't work when you're just using telnet port 25 ! I was doing : ehlo test mail from:sen...@example.com rcpt to:re...@example.com data Subject: hello world Hello World ! . With the above, sieve was simply sending everything to INBOX When I changed my methodology : ehlo test mail from:sen...@example.com rcpt to:re...@example.com data From:To: Subject: hello world Hello World ! . It worked as expected.
Issue connecting to dovecot from remote machine
Hi, I've set up a postfix +dovecot configuration on my debian jessie. But I have a connection issue. When I try to connect from thunderbird it doesn not work. When I check out my debug logs I get : auth-worker(22252): Info: pam(myuser,hostIP): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: correctPassword) Running doveadm auth test tells me I can authenticate with the same password. So I tried connecting via openssl. When I connect from my local host, everything goes fine : * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready. a login myUser myPassword a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in But when I run the same thing from my remote laptop, I never get any reply from the imap server. It's as if the request wasn't reaching the server. Although I do get a first reply from the server, I just can't log in. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready. a login myUser myPassword (... and then nothing...) The port is properly open when I run nmap. I really don't get what's wrong. Any of you has any idea? Here are my versions & conf : # dovecot -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-042stab120.16 x86_64 Debian 8.7 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login cram-md5 auth_verbose = yes auth_verbose_passwords = yes disable_plaintext_auth = no info_log_path = /var/log/maildebug.log mail_debug = yes mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = failure_show_msg=yes session=yes dovecot driver = pam } passdb { args = username_format=%u /etc/dovecot/users driver = passwd-file } protocols = " imap" service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { group = postfix mode = 0666 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 0 } } ssl = required ssl_cert =