Re: postfix -1 read errors

2017-10-22 Thread Alef Veld
My bad, thanks Noel

Sent from my iPhone

On 23 Oct 2017, at 01:54, Noel <noeld...@gmail.com> wrote:

On 10/22/2017 3:26 PM, Alef Veld wrote:
Hi all.
I’m a bit worried about the following read errors I see in my log lately. Mails 
still arrive and get sent fine, but what is going on with this? It doesn’t look 
good. Nothing has changed on the server side and I restarted all services (dovecot, 
postfix, saslauthd, sql).

Maybe it’s a temporary iPhone thing (the device I’m using to read and send 
mails; not the first time that happened. Maybe changing the port will do the 
trick).

Thanks for looking.

The logging you show is from postfix, this is the dovecot list.

If you ask on postfix-users, they'll probably tell you something
similar to: There's no problem here, set smtpd_tls_loglevel to 0 or
1; same for smtp_tls_loglevel


postfix -1 read errors

2017-10-22 Thread Alef Veld
Hi all.
I’m a bit worried about the following read errors I see in my log lately. Mails 
still arrive and get sent fine, but what is going on with this? It doesn’t look 
good. Nothing has changed on the server side and I restarted all services (dovecot, 
postfix, saslauthd, sql).

Maybe it’s a temporary iPhone thing (the device I’m using to read and send 
mails; not the first time that happened. Maybe changing the port will do the 
trick).

Thanks for looking.

Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 flush data
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => 5 (0x5))
Oct 22 20:19:00 www postfix/smtpd[16117]:  16 03 03 00 86   .
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (134 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (134 bytes => 134 (0x86))
Oct 22 20:19:00 www postfix/smtpd[16117]:  10 00 00 82 00 80 6d 90|41 c3 d3 9f 15 ea 8f 1c  ..m. A...
Oct 22 20:19:00 www postfix/smtpd[16117]: 0010 a8 1c 08 ed a9 65 dc 5b|29 87 73 86 31 0e a9 d8  .e.[ ).s.1...
Oct 22 20:19:00 www postfix/smtpd[16117]: 0020 72 54 84 63 5f 9c 59 3e|cd aa da e7 a3 1f a9 b3  rT.c_.Y>
Oct 22 20:19:00 www postfix/smtpd[16117]: 0030 eb 0a 62 2b a4 26 65 d5|9d 63 2b c2 e2 8c a2 31  ..b+. .c+1
Oct 22 20:19:00 www postfix/smtpd[16117]: 0040 51 be ba a2 1e 73 45 7f|be 71 40 46 b9 01 bf 76  QsE. .q@F...v
Oct 22 20:19:00 www postfix/smtpd[16117]: 0050 6e 77 a5 f5 c0 40 81 11|fa 95 57 e0 06 36 36 a8  nw...@.. ..W..66.
Oct 22 20:19:00 www postfix/smtpd[16117]: 0060 21 c4 08 51 d5 d1 a5 98|6d dd f8 0b 79 a0 16 54  !..Q m...y..T
Oct 22 20:19:00 www postfix/smtpd[16117]: 0070 4f 38 08 14 ab da a9 99|b7 69 b2 dc 81 4d aa 2e  O8.. .i...M..
Oct 22 20:19:00 www postfix/smtpd[16117]: 0080 e8 26 57 8d 08 ea   .
Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 read client key exchange A
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => 5 (0x5))
Oct 22 20:19:00 www postfix/smtpd[16117]:  14 03 03 00 01   .
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (1 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (1 bytes => 1 (0x1))
Oct 22 20:19:00 www postfix/smtpd[16117]:  01   .
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => 5 (0x5))
Oct 22 20:19:00 www postfix/smtpd[16117]:  16 03 03 00 28   (
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (40 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA88] (40 bytes => 40 (0x28))
Oct 22 20:19:00 www postfix/smtpd[16117]:  89 eb f1 52 0c 38 5a 84|f8 ab 93 00 f4 ce dc c0  ...R.8Z.
Oct 22 20:19:00 www postfix/smtpd[16117]: 0010 04 6f 20 0b 55 d6 ea 85|15 d4 f0 85 c0 13 78 f4  .o .U... ..x.
Oct 22 20:19:00 www postfix/smtpd[16117]: 0020 5c 87 1c ed 2a a0 51 56|  \...*.QV
Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 read finished A
Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 write change cipher spec A
Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 write finished A
Oct 22 20:19:00 www postfix/smtpd[16117]: write to 58130D3F70 [581310B440] (51 bytes => 51 (0x33))
Oct 22 20:19:00 www postfix/smtpd[16117]:  14 03 03 00 01 01 16 03|03 00 28 56 47 45 d2 74   ..(VGE.t
Oct 22 20:19:00 www postfix/smtpd[16117]: 0010 69 b8 8d f3 06 30 10 7e|64 42 a3 5b c8 bc a3 18  i0.~ dB.[
Oct 22 20:19:00 www postfix/smtpd[16117]: 0020 35 eb cc 50 f6 2e 9c 72|2e 3b 1f 8d 56 1e 1e 80  5..P...r .;..V...
Oct 22 20:19:00 www postfix/smtpd[16117]: 0030 fa c7 6b   ..k
Oct 22 20:19:00 www postfix/smtpd[16117]: SSL_accept:SSLv3 flush data
Oct 22 20:19:00 www postfix/smtpd[16117]: Anonymous TLS connection established from cpc98338-croy25-2-0-cust350.19-2.cable.virginm.net[82.45.65.95]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => -1 (0x))
Oct 22 20:19:00 www postfix/smtpd[16117]: read from 58130D3F70 [58130FDA83] (5 bytes => 5 (0x5))

Re: Certificate cache on iOS with sending mail

2017-08-14 Thread Alef Veld


Sent from my iPhone

> On 14 Aug 2017, at 13:03, Alef Veld <alefv...@outlook.com> wrote:
> 
> Hey Mike.
> The iPhone and MacBook started working, but the two remaining iMacs still 
> have problems. It's really weird. But if the first 2 are working it MUST be 
> something local right?
> 
> I removed the servers and re-added but no go. Maybe I'll need to remove the 
> plist files. I'm just desperate as I have clients that are working.
> 
> Sent from my iPhone
> 
>> On 14 Aug 2017, at 07:48, Mike Bobkiewicz <netadmin@heinatz.hamburg> wrote:
>> 
>> Hi Alef,
>> 
>> most of the times the problem is with Apple's Mail apps: best bet is to 
>> delete the smtp servers on both Mac and iOS and add them again. I've spent 
>> quite some time figuring out what might be wrong with several mail servers 
>> but sometimes the Mail apps just kill their prefs.
>> 
>> If you're still searching the certs on the Mac side: they're stored in the 
>> keychain.
>> 
>> Hope that helps,
>> 
>> Mike
>> 
>> 
>>> Am 11.08.2017 um 01:15 schrieb Alef Veld:
>>> And iPhone just sits there for a long time, "sending". Sometimes it goes 
>>> through sometimes it doesn't.
>>> 
>>> It's super weird but it has to do with SSL_accept and not reading the 
>>> message fully.
>>> 
>>> I might restore my old certs see if that solves it. I'll try some other 
>>> clients and ip addresses as well, outlook or something.
>>> 
>>> Sent from my iPhone
>>> 
>>>> On 11 Aug 2017, at 00:08, Alef Veld <alefv...@outlook.com> wrote:
>>>> 
>>>> I deleted the certificate already, but I think it only uses that for 
>>>> imap/dovecot. I don't think it actually stores one for smtps (or am I not 
>>>> talking sense here).
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 10 Aug 2017, at 23:25, Joseph Tam <jtam.h...@gmail.com> wrote:
>>>>> 
>>>>> 
>>>>>> On Thu, 10 Aug 2017, Larry Rosenman wrote:
>>>>>> 
>>>>>> Which mail client on iOS?
>>>>> Sorry, maybe not iOS, but definitely MacOSX Mail app.
>>>>> 
>>>>> Joseph Tam <jtam.h...@gmail.com>
>> 
>> -- 
>> Mit freundlichen Grüßen
>> 
>> Mike Bobkiewicz
>> Heinatz GmbH
>> 
>> Gutenbergring 9
>> 22848 Norderstedt
>> 
>> 0049 40 527 20 30
>> 0049 40 527 86 49
>> 
>> e-mail: netadmin@heinatz.hamburg
>> www.heinatz.hamburg
>> 
>> Heinatz GmbH
>> Firmensitz: Gutenbergring 9, 22848 Norderstedt
>> Registergericht: Amtsgericht Kiel, HRB 4787 NO
>> Geschäftsführer: Frank Heinatz
>> 
>> 


Re: Certificate cache on iOS with sending mail

2017-08-10 Thread Alef Veld
And iPhone just sits there for a long time, "sending". Sometimes it goes 
through sometimes it doesn't.

It's super weird but it has to do with SSL_accept and not reading the message 
fully. 

I might restore my old certs see if that solves it. I'll try some other clients 
and ip addresses as well, outlook or something.

Sent from my iPhone

> On 11 Aug 2017, at 00:08, Alef Veld <alefv...@outlook.com> wrote:
> 
> I deleted the certificate already, but I think it only uses that for 
> imap/dovecot. I don't think it actually stores one for smtps (or am I not 
> talking sense here).
> 
> Sent from my iPhone
> 
>> On 10 Aug 2017, at 23:25, Joseph Tam <jtam.h...@gmail.com> wrote:
>> 
>> 
>>> On Thu, 10 Aug 2017, Larry Rosenman wrote:
>>> 
>>> Which mail client on iOS?
>> 
>> Sorry, maybe not iOS, but definitely MacOSX Mail app.
>> 
>> Joseph Tam <jtam.h...@gmail.com>


Re: Certificate cache on iOS with sending mail

2017-08-10 Thread Alef Veld
I deleted the certificate already, but I think it only uses that for 
imap/dovecot. I don't think it actually stores one for smtps (or am I not 
talking sense here).

Sent from my iPhone

> On 10 Aug 2017, at 23:25, Joseph Tam  wrote:
> 
> 
>> On Thu, 10 Aug 2017, Larry Rosenman wrote:
>> 
>> Which mail client on iOS?
> 
> Sorry, maybe not iOS, but definitely MacOSX Mail app.
> 
> Joseph Tam 


Re: Certificate cache on iOS with sending mail

2017-08-10 Thread Alef Veld
macOS mail for sure, latest OS.
I know it's not a dovecot issue, but I can't be sure as this all started after 
I changed my dovecot cert. Does smtps using saslauthd through dovecot not have 
anything to do with it? (But tls in main.cf uses different certs.)

Anyway the bizarre thing is that my MacBook still happily sends and receives 
mail. I noticed an additional error today though, SSL_accept error. This seems 
to coincide with the -1 error, it only reads a few bytes. 

Something went wrong and I don't know how to fix it. I deleted the accounts, 
but it doesn't even verify it anymore. Dovecot works fine, but no more sending 
mail. All because I changed the dovecot cert seemingly.

So yes I think it's a local issue, and something is stuck in limbo. but no clue 
on how to fix it. The iPhone mysteriously started working again this afternoon. 

Sent from my iPhone

> On 10 Aug 2017, at 23:25, Joseph Tam  wrote:
> 
> 
>> On Thu, 10 Aug 2017, Larry Rosenman wrote:
>> 
>> Which mail client on iOS?
> 
> Sorry, maybe not iOS, but definitely MacOSX Mail app.
> 
> Joseph Tam 


Re: Certificate cache on iOS with sending mail

2017-08-10 Thread Alef Veld
And it's weird because it takes a long time to send and sometimes it does get 
sent. 

Sent from my iPhone

> On 10 Aug 2017, at 13:57, Alef Veld <alefv...@outlook.com> wrote:
> 
> So I generated a new certificate for dovecot, and ever since I have this 
> weird problem that my iPhone can still receive mail but cannot send using 
> that mailserver. Same for my iMac.
> 
> My laptop works fine still and can do both.
> Local issue you would say right.
> 
> I'm wondering if there is any cache for a certificate or something, my 
> maillog shows up something like 10 bytes read, -1. So it returns an error. I 
> deleted the accounts and created them again, still no go.
> 
> Anyone had anything similar before?
> 
> Sent from my iPhone


Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Alef Veld
I just need my internal users to download their mail, right now it's not 
something I'm terribly worried about. I'm just glad I got it all working so far 
:-)

Once I do my apache to SSL as well I'll probably get paid certificates or one 
letsencrypt certificate for all.

Sent from my iPhone

> On 10 Aug 2017, at 12:43, Ralph Seichter  wrote:
> 
>> On 10.08.2017 09:18, Stephan von Krawczynski wrote:
>> 
>> It would be far better to use a self-signed certificate that can be
>> checked through some instance/host set inside your domain.
> 
> I have been running a CA for 15+ years, generating certificates only for
> servers I personally maintain. Since my business is too small to be able
> to afford all the steps required to have my CA trusted by Mozilla, Apple
> etc., this approach leaves me with the same problem self-signed certs
> have: How can I make third party applications like web browsers or MUAs
> trust the certs I created?
> 
> For some of my customers, I can add my CA certs (root and intermediary)
> to their keystores, so the end user does not see a thing. For other
> customers, I can hand over cert fingerprints so end users can manually
> accept the connections after checking the fingerprint (guess how many
> users actually do that).
> 
> Naturally, this does not work for publicly available services, where
> there is currently no alternative to using well-known CAs. Of course
> their certs are not technically better than my own CA's or than self-
> signed certs, and their processes are sometimes garbage, the fuckups of
> Symantec being case in point. Symantec even just sold off their whole CA
> business to DigiCert; it seems they never really recovered from
> generating fake google.com certificates two years ago:
> 
> https://security.googleblog.com/2015/09/improved-digital-certificate-security.html
> 
> To get back on topic: if the OP can live with self-signed certs, that's
> perfectly fine. If Alef needs people to be able to connect to his
> Dovecot server without verifying/confirming the certificate, a CA like
> Let's Encrypt is a better choice. As far as Postfix is concerned, there
> is hardly any reason to use a well-known CA, because opportunistic TLS
> for SMTP does not care about trust chains.
> 
> -Ralph


Certificate cache on iOS with sending mail

2017-08-10 Thread Alef Veld
So I generated a new certificate for dovecot, and ever since I have this weird 
problem that my iPhone can still receive mail but cannot send using that 
mailserver. Same for my iMac.

My laptop works fine still and can do both.
Local issue you would say right.

I'm wondering if there is any cache for a certificate or something, my maillog 
shows up something like 10 bytes read, -1. So it returns an error. I deleted 
the accounts and created them again, still no go.

Anyone had anything similar before?

Sent from my iPhone

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Alef Veld
I completely agree (having said that, I'm pretty new to all this so I might be 
full of it).

You should run your own CA if you have an active financial interest in your 
company (say you're the owner). No added benefit to have your certificate 
certified by a third party; why would they care about that one client? 
Of course people would say "but of course you would verify your own certificate", 
but in that case they probably don't understand how it all works.

Of course once your own company grows large you run the same risk of entropy 
(incorrect documentation or records, no trained staff, no up-to-date procedures, 
etc.) large companies have to deal with. Maybe if you had one person working 
full time on it, or an automated process handling things, it would be more 
secure and reliable.

Was DigiNotar the Dutch company? I think I remember that one.

Sent from my iPhone

> On 10 Aug 2017, at 08:18, Stephan von Krawczynski  wrote:
> 
> On Wed, 9 Aug 2017 08:39:30 -0700
> Gregory Sloop  wrote:
> 
>> AV> So i’m using dovecot, and i created a self signed certificate
>> AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches
>> AV> my mail server.  
>> 
>> AV> The first time it connects in mac mail however, it says the
>> AV> certificate is invalid and another server might pretend to be me etc.  
>> 
>> AV> I then have the option of trusting it.  
>> 
>> AV> Is this normal behaviour? Will it always be invalid if it’s not signed
>> AV> by a third party?  
>> 
>> Yes.
>> The point of a trusted CA signing your cert is that they have steps to
>> "verify" who you are and that you're "authorized" to issue certs for the
>> listed FQDNs. Without that, ANYONE could create a cert, and sign it and then
>> present it to people connecting to your mail server [perhaps using a MITM
>> style attack.] The connecting party would have no way to tell if your cert
>> vs the attackers cert was actually valid.
>> 
>> It would be like showing up at the bank and having this exchange: 
>> 
>> You: "Hey, I'm Jim Bob - can I take money out of his account?"
>> Bank: "Do you have some ID?"
>> You: "Yeah! See, I have this plastic card with my picture and name, that I
>> ginned up in the basement."
>> 
>> Now does the bank say: "Yeah, that looks fine." or do they say "You know we
>> really need ID [a certificate] that's authenticated and issued [signed] by
>> the state [third-party/trusted CA.]."
>> 
>> I think it's obvious that accepting your basement produced ID would be a
>> problem. [Even if we also admit that while the state issued ID (or trusted
>> CA signed certs) has some additional value, it isn't without potential
>> flaws, etc.]
>> 
>> The alternative would be to add your CA cert [the one you signed the server
>> cert with] to all the connecting clients as a trusted CA. This way your self
>> signed cert would now be "trusted."
>> 
>> [The details are left as an exercise to the reader. Google is your friend.] 
>> 
>> -Greg
> 
> This was exactly the global thinking - until the day DigiNotar fell.
> Since that day everybody should be aware that the true problem of a
> certificate is not its issuer, but the "trusted" third party CA.
> This could have been known way before of course by simply thinking about the
> basics. Do you really think your certificate gets more trustworthy because
> some guys from South Africa (just an example) say it is correct, running a
> _business_? Honestly, that is just naive.
> It would be far better to use a self-signed certificate that can be checked
> through some instance/host set inside your domain. Because only then the only
> one being responsible and trustworthy is yourself. And that is the way it
> should be.
> Everything else involving third party business is just bogus.
> 
> -- 
> Regards,
> Stephan
> 


Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Great, i’ll try that out.
> On 9 Aug 2017, at 17:20, Larry Rosenman <larry...@gmail.com> wrote:
> 
> Yes, yes, and yes. 
> 
> This is what I do for https://webmail.lerctr.org, imap.lerctr.org, 
> smtp.lerctr.org, et al. 
> 
> 
> -- 
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 E-Mail: larry...@gmail.com
> US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
> 
> 
> On 8/9/17, 11:19 AM, "dovecot on behalf of Alef Veld" 
> <dovecot-boun...@dovecot.org on behalf of alefv...@outlook.com> wrote:
> 
> Cheers Remko and Ralph. I think there was some mention in the Let's Encrypt 
> FAQ that certbot doesn't do email.
> 
> But I understand I can use their generated cert for dovecot, postfix and 
> https? That would be good indeed.
> 
> Anyone know of any manual, or can I just replace the certs in the dovecot 
> and postfix locations with theirs? Do dovecot, postfix and apache all support 
> .pem format?
> 
>Sent from my iPhone
> 
>> On 9 Aug 2017, at 17:07, Ralph Seichter <m16+dove...@monksofcool.net> wrote:
>> 
>>> On 09.08.2017 17:49, Alef Veld wrote:
>>> 
>>> I think let’s encrypt uses certbot though and it can’t do email
>>> certificates (although i’m sure i can convert the cert i get from
>>> let’s encrypt, i’ll look into it.
>> 
>> I'm not sure what you mean by "can’t do email certificates"? In any
>> case, Let's Encrypt issues certificates that can be used by Dovecot
>> for IMAP and simultaneously by Apache or nginx for HTTPS and Postfix
>> for SMTP. The certificates are issued for servers, not for specific
>> software or protocols.
>> 
>> -Ralph
> 
> 
> 



Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thank you Ralph. I’ll have a look around myself first, don’t want others to 
waste their time on my homework.

Sorry, for some reason I get replies from every individual, so when I reply it 
sends it to both.
I would expect replies to come from dovecot@dovecot.org as well.

I will strip the individual emails out and just reply to dovecot.
> On 9 Aug 2017, at 17:30, Ralph Seichter <m16+dove...@monksofcool.net> wrote:
> 
> On 09.08.2017 18:18, Alef Veld wrote:
> 
>> Anyone know of any manual, or can I just replace the certs in the
>> dovecot and postfix locations with theirs? Do dovecot, postfix and
>> apache all support .pem format?
> 
> Google "dovecot letsencrypt" is your friend. ;-) If you have questions
> about details, we can discuss them of course. Also, please limit your
> replies to my messages to the mailing list; you keep triggering my spam
> protection.
> 
> -Ralph



Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Cheers Remko and Ralph. I think there was some mention in the Let's Encrypt FAQ 
that certbot doesn't do email.

But I understand I can use their generated cert for dovecot, postfix and https? 
That would be good indeed.

Anyone know of any manual, or can I just replace the certs in the dovecot and 
postfix locations with theirs? Do dovecot, postfix and apache all support .pem 
format?

Sent from my iPhone

> On 9 Aug 2017, at 17:07, Ralph Seichter <m16+dove...@monksofcool.net> wrote:
> 
>> On 09.08.2017 17:49, Alef Veld wrote:
>> 
>> I think let’s encrypt uses certbot though and it can’t do email
>> certificates (although i’m sure i can convert the cert i get from
>> let’s encrypt, i’ll look into it.
> 
> I'm not sure what you mean by "can’t do email certificates"? In any
> case, Let's Encrypt issues certificates that can be used by Dovecot
> for IMAP and simultaneously by Apache or nginx for HTTPS and Postfix
> for SMTP. The certificates are issued for servers, not for specific
> software or protocols.
> 
> -Ralph


Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thanks Ralph, i’ll look into that.

I think Let’s Encrypt uses certbot though and it can’t do email certificates 
(although I’m sure I can convert the cert I get from Let’s Encrypt; I’ll look 
into it).
> On 9 Aug 2017, at 16:40, Ralph Seichter <m16+dove...@monksofcool.net> wrote:
> 
> On 09.08.2017 17:20, Alef Veld wrote:
> 
>> So i’m using dovecot, and i created a self signed certificate with
>> mkcert.sh based on dovecot-openssl.cnf. The name in there matches my
>> mail server.
>> 
>> The first time it connects in mac mail however, it says the certificate
>> is invalid and another server might pretend to be me etc.
> 
> This is to be expected for self-signed certificates. The MUA (Apple Mail
> in your case) cannot know that the certificate is trusted until you
> confirm it.
> 
> For certificates signed by third parties, the client (or OS) performs
> the same checks. If a chain of trust can be established based on the
> client/OS certificate store, which comes pre-populated with well-known
> third party CA certificates, allowing to verify certificate signatures,
> your MUA will trust the presented certificate without you confirming it.
> 
> I recommend you look into using a free Let's Encrypt certificate (see
> https://letsencrypt.org/) instead of a self-signed certificate.
> 
> -Ralph



Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thanks Greg, that makes total sense.
Appreciate your reply.

On 9 Aug 2017, at 16:39, Gregory Sloop wrote:

AV> So I’m using dovecot, and I created a self-signed certificate
AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches my mail server.

AV> The first time it connects in mac mail however, it says the
AV> certificate is invalid and another server might pretend to be me etc.

AV> I then have the option of trusting it.

AV> Is this normal behaviour? Will it always be invalid if it’s not signed by a third party?

Yes.
The point of a trusted CA signing your cert is that they have steps to "verify" 
who you are and that you're "authorized" to issue certs for the listed FQDNs.
Without that, ANYONE could create a cert, and sign it and then present it to 
people connecting to your mail server [perhaps using a MITM style attack.] The 
connecting party would have no way to tell if your cert vs the attackers cert 
was actually valid.

It would be like showing up at the bank and having this exchange:

You: "Hey, I'm Jim Bob - can I take money out of his account?"
Bank: "Do you have some ID?"
You: "Yeah! See, I have this plastic card with my picture and name, that I 
ginned up in the basement."

Now does the bank say: "Yeah, that looks fine." or do they say "You know we 
really need ID [a certificate] that's authenticated and issued [signed] by the 
state [third-party/trusted CA.]."

I think it's obvious that accepting your basement produced ID would be a 
problem. [Even if we also admit that while the state issued ID (or trusted CA 
signed certs) has some additional value, it isn't without potential flaws, etc.]

The alternative would be to add your CA cert [the one you signed the server 
cert with] to all the connecting clients as a trusted CA. This way your self 
signed cert would now be "trusted."

[The details are left as an exercise to the reader. Google is your friend.]

-Greg
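
The two outcomes Greg and Ralph describe (a client that was given the CA cert trusts the server silently; a client without it, or facing a self-signed cert, warns) can be reproduced without a mail client. The following is an added example, not code from the thread and not from Dovecot, Postfix or mkcert.sh: it calls openssl to build a throwaway private CA, a server certificate signed by it, and a self-signed certificate with the same name, then runs loopback TLS handshakes with Python's ssl module, which verifies the chain and the hostname the way an MUA does. It assumes openssl on PATH and Python 3.7+; mail.example.org, imap.example.org and "Example Private CA" are made-up names. Note that the self-signed case only passes when the client has pinned that exact certificate, which is what "trusting" it in Apple Mail amounts to; and that the trust decision is the client's, so Ralph's remark that opportunistic SMTP TLS ignores trust chains applies to MTA-to-MTA delivery, not to users submitting mail with a verifying client.

```python
"""Added example, not code from the thread: which client trust stores accept a
CA-signed and a self-signed server certificate, demonstrated with loopback TLS."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "mail.example.org"  # assumed server name; the SAN must match what clients connect to


def openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def build_pki(work):
    """Write ca.*, srv.* (CA-signed) and self.* (self-signed) into work; return the paths."""
    p = {n: os.path.join(work, n) for n in
         ("ca.key", "ca.crt", "srv.key", "srv.csr", "srv.ext", "srv.crt", "self.key", "self.crt")}
    # Private CA root: `req -x509` marks it CA:TRUE. This is the cert clients must be given.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "3650",
            "-subj", "/CN=Example Private CA", "-keyout", p["ca.key"], "-out", p["ca.crt"])
    # Server key and CSR, signed by the CA with a SAN; clients match the hostname on the SAN.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", f"/CN={HOST}", "-keyout", p["srv.key"], "-out", p["srv.csr"])
    with open(p["srv.ext"], "w") as f:
        f.write(f"subjectAltName=DNS:{HOST}\nbasicConstraints=CA:FALSE\n"
                "extendedKeyUsage=serverAuth\n")
    openssl("x509", "-req", "-sha256", "-days", "90", "-in", p["srv.csr"],
            "-CA", p["ca.crt"], "-CAkey", p["ca.key"], "-CAcreateserial",
            "-extfile", p["srv.ext"], "-out", p["srv.crt"])
    # Self-signed leaf with the same name: nobody vouches for it except itself.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
            "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}",
            "-keyout", p["self.key"], "-out", p["self.crt"])
    return p


def client_context(trusted=None):
    """A client that verifies chain and hostname, as an MUA does.
    trusted=None means only the OS trust store, i.e. a freshly installed client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on
    if trusted:
        ctx.load_verify_locations(trusted)         # the CA cert, or a pinned self-signed cert
    else:
        ctx.load_default_certs()
    return ctx


def handshake(cert, key, client_ctx, server_hostname):
    """Loopback TLS handshake; None on success, otherwise the client's verify error text."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    port = lsock.getsockname()[1]

    def serve():
        try:
            conn, _ = lsock.accept()
            conn.settimeout(5)
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client aborted the handshake; its error is what we report
        finally:
            lsock.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(b"x")
        return None
    except ssl.SSLCertVerificationError as e:
        return getattr(e, "verify_message", None) or str(e)
    except ssl.SSLError as e:
        return str(e)
    finally:
        t.join()


def demo(work=None):
    """The five situations discussed in the thread; None means the client accepted."""
    p = build_pki(work or tempfile.mkdtemp())
    srv, own = (p["srv.crt"], p["srv.key"]), (p["self.crt"], p["self.key"])
    return {
        "CA-signed, CA cert installed on the client": handshake(*srv, client_context(p["ca.crt"]), HOST),
        "CA-signed, client has only the OS store": handshake(*srv, client_context(), HOST),
        "CA-signed, client connects to another name": handshake(*srv, client_context(p["ca.crt"]), "imap.example.org"),
        "self-signed, nothing pinned": handshake(*own, client_context(), HOST),
        "self-signed, pinned by the user": handshake(*own, client_context(p["self.crt"]), HOST),
    }


if __name__ == "__main__":
    for case, err in demo().items():
        print(f"{case}: {'accepted' if err is None else 'rejected (' + err + ')'}")
```

The third case is the one people forget when they hand-roll a CA: a trusted issuer does not help if the name users type into the client is not in the certificate's SAN, so issue the server cert for every name the clients will use.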



is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
So I’m using dovecot, and I created a self-signed certificate with mkcert.sh 
based on dovecot-openssl.cnf. The name in there matches my mail server.

The first time it connects in mac mail however, it says the certificate is 
invalid and another server might pretend to be me etc.

I then have the option of trusting it.

Is this normal behaviour? Will it always be invalid if it’s not signed by a 
third party?

Thank you.

mail storage auto detection failed?

2017-06-08 Thread Alef Veld
Hi everyone. Nice to meet you.

I’m new to dovecot and I came across a problem, it seems.

I set up a new user called sales with useradd and gave it a password. Although 
it has a home directory, I set login to /sbin/nologin.

When logging into the pop server on port 110 (with telnet) I get this in the 
logs:

dovecot: pop3-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12938, secured, session=<94SotWVRoAB/AAAB>
Jun  7 21:49:24 www dovecot: pop3(sales): Error: user sales: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/sales
Jun  7 21:49:24 www dovecot: pop3(sales): Error: Invalid user settings. Refer to server log for more information.


Did I have to initialise the mailbox in the home directory? What did I forget? I 
didn't change anything in the default dovecot.conf; I just installed the 
package with yum install dovecot (so latest version). This error also shows up 
when logging into port 143. Thanks for your help.

My dovecot -n output, if that helps, is:
[ec2-user@www log]$ dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 4.9.20-10.30.amzn1.x86_64 x86_64
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = pam
}
ssl = required
ssl_cert =
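
The error in that log is what Dovecot reports when mail_location is unset (as in the dovecot -n output above) and no existing mailbox can be found under the user's home directory; a user just created with useradd has none. The fix is either to set mail_location explicitly (in /etc/dovecot/conf.d/10-mail.conf on a packaged install) or to create the mailbox. The following is an added example, not from the thread or from Dovecot: it audits a home directory the way one would debug this, creates a Maildir with the ownership and mode Dovecot expects, and audits again. The home directory, uid and the candidate list are constructed for the example; the candidate list is an abbreviated version of the locations the Dovecot documentation names for autodetection, not a copy of Dovecot's code, so check the documentation for your version.

```python
"""Added example, not from the thread: reproduce and fix the state behind
'Mail storage autodetection failed with home=/home/sales'."""
import os
import stat
import tempfile

# Assumption: abbreviated list of what Dovecot probes under $HOME when mail_location is unset.
CANDIDATES = ("Maildir", "mail", "Mail", "mbox")
MAIL_LOCATION = "mail_location = maildir:~/Maildir"  # explicit setting; autodetection not needed


def detectable_mailbox(home):
    """First candidate that exists under home, or None: the failing case from the log."""
    for name in CANDIDATES:
        path = os.path.join(home, name)
        if os.path.exists(path):
            return path
    return None


def create_maildir(home, uid, gid):
    """Create ~/Maildir/{cur,new,tmp}, mode 0700, owned by the mail user; return its path."""
    maildir = os.path.join(home, "Maildir")
    for sub in ("", "cur", "new", "tmp"):
        d = os.path.join(maildir, sub)
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o700)      # makedirs honours the umask, so set the mode explicitly
        os.chown(d, uid, gid)   # the pop3/imap process runs as the user and must own this
    return maildir


def audit_home(home, uid):
    """Problems that make Dovecot's initialisation fail for this user; [] means fine."""
    issues = []
    if not os.path.isdir(home):
        return [f"home {home} does not exist"]
    if os.stat(home).st_uid != uid:
        issues.append(f"{home} is not owned by uid {uid}")
    box = detectable_mailbox(home)
    if box is None:
        issues.append("no mailbox to autodetect: create ~/Maildir or set " + MAIL_LOCATION)
        return issues
    if os.path.basename(box) == "Maildir":
        for sub in ("cur", "new", "tmp"):
            if not os.path.isdir(os.path.join(box, sub)):
                issues.append(f"{box}/{sub} is missing")
        if stat.S_IMODE(os.stat(box).st_mode) & 0o077:
            issues.append(f"{box} is accessible to group/other")
    return issues


def demo():
    """Fresh home (stand-in for /home/sales): audit, create the Maildir, audit again."""
    uid, gid = os.getuid(), os.getgid()
    home = tempfile.mkdtemp(prefix="sales-home-")
    before = audit_home(home, uid)
    maildir = create_maildir(home, uid, gid)
    return {"before": before, "after": audit_home(home, uid),
            "maildir": maildir, "setting": MAIL_LOCATION}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Setting mail_location explicitly is the better of the two fixes on a multi-user server: it removes the per-user guesswork entirely, and the Maildir is then created by Dovecot on first login.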