Re: "no shared cypher", no matter what I try
The problem is solved, thanks to Aki. I was missing the "include" directive in dovecot.conf, because it was not needed in the dovecot version I was using previously.

Now I have a related question, and... another problem :-)

The question: what is a safer/more sensible value for ssl_cipher_list than the current "ALL"?

The problem: now that I can login, a permission/ownership problem came out. In the old server, the mailboxes were owned by user mail_manager, group mail_management. In the new server I recreated those users and copied the mailboxes as they were. Postfix / procmail are using that userid, and can write successfully to the mailboxes. Dovecot, instead, cannot. Even if I added the dovecot user to the mail_management group, it keeps generating plenty of errors like this:

Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error: file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist) failed: Permission denied (euid=5000() egid=5000(mail_management) missing +w perm: /var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000 mode=0755)

Of course it cannot create the log file because the owner is the mail_manager user (euid 5000), so the question is: what is the good/best practice now? Make dovecot run as user mail_manager? And if yes, how? Or should I change the permissions of all the mailboxes and mail files with chmod -r 775?

Thanks,
Marco
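A way to read that "Permission denied" line mechanically, as an added example written for this thread rather than anything from Dovecot or the poster: the log already carries every number the kernel used (euid, egid, directory owner, group and mode), so a short script can state which permission class applied and which of the three options raised above (group-writable directories, running the mail process as the owning uid, or re-owning the tree) actually changes the outcome. Two details are visible in the line itself: the directory is owned by uid 1001, not by the euid 5000 the IMAP process runs as, and "euid=5000()" with empty parentheses means uid 5000 has no passwd entry on the new server. The log line is the one from the post; the variants the test derives from it are constructed.

```python
"""Evaluate a Dovecot "missing +w perm" error the way the kernel does,
from the numbers the log line already contains.

Added example for this thread, not Dovecot code. LOG_LINE is the line
from the post above, with the placeholders the poster used."""
import re

LOG_LINE = (
    "Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error: "
    "file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist) "
    "failed: Permission denied (euid=5000() egid=5000(mail_management) missing +w perm: "
    "/var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000 mode=0755)"
)

# Shape of Dovecot's message: euid=N(name) egid=N(name) missing +w perm: DIR, dir owned by U:G mode=MMMM
PERM_RE = re.compile(
    r"euid=(?P<euid>\d+)\((?P<euser>[^)]*)\) egid=(?P<egid>\d+)\((?P<egroup>[^)]*)\) "
    r"missing \+w perm: (?P<path>[^,]+), dir owned by (?P<uid>\d+):(?P<gid>\d+) "
    r"mode=(?P<mode>[0-7]+)\)"
)


def diagnose(line):
    """Return None if `line` is not a Dovecot permission error, otherwise a
    dict with the POSIX class that applied, whether it grants write, and
    the candidate fixes (the options discussed in the post)."""
    m = PERM_RE.search(line)
    if not m:
        return None
    euid, egid = int(m["euid"]), int(m["egid"])
    uid, gid, mode = int(m["uid"]), int(m["gid"]), int(m["mode"], 8)
    path = m["path"]

    # The kernel picks exactly one class: owner bits if euid == uid, else
    # group bits if egid (or a supplementary gid, which Dovecot does not log)
    # matches, else the "other" bits. Being in the group is irrelevant when
    # the group bits themselves lack w, as with 0755 here.
    if euid == uid:
        cls, shift = "owner", 6
    elif egid == gid:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    can_write = bool((mode >> shift) & 0o2)

    fixes = []
    if not can_write:
        if cls == "group":
            fixes.append(f"chmod g+w {path}  # 0{mode:o} -> 0{mode | 0o020:o}, on every dir Dovecot writes into")
        elif cls == "other":
            fixes.append(f"chgrp {egid} {path} && chmod g+w {path}")
        else:
            fixes.append(f"chmod u+w {path}")
        fixes.append(f"chown -R {euid} {path}  # or make Dovecot's mail process run as uid {uid}")
    return {
        "class": cls,
        "can_write": can_write,
        "euid_has_no_passwd_entry": m["euser"] == "",  # "euid=5000()" in the log
        "owner": (uid, gid),
        "fixes": fixes,
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE).items():
        print(f"{key}: {value}")
```

The uid a Dovecot mail process runs as comes from the userdb (for passwd-file, the uid and gid fields of the entry in /etc/imap.v_users) or from mail_uid/mail_gid; that is the knob behind "make dovecot run as user mail_manager". Directories are what need +w for dotlocks, index files and Maildir renames; message files do not, so a blanket chmod -R 775 grants more than the error asks for.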
Re: "no shared cypher", no matter what I try
Marco Fioretti wrote on 2018-12-11 11:12:

> maybe I misunderstood you, but both adding an "ssl = yes" line to this
> section of dovecot.conf, and commenting out the whole "four lines
> starting at "inet_listener imaps" do not have any effect :

you should not edit dovecot.conf :/

edit config files in conf.d

start from zero now
Re: "no shared cypher", no matter what I try
Ah, the actual problem appears to be that you are not including the conf.d directory at all in your config, so you are ending up with no certificate at all. This is handled better in 2.3.x.

Aki

On 11.12.2018 12.01, Aki Tuomi wrote:
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
>> hello, and some update
>> short version: the error is still there, but I have some more data to
>> share, thanks in advance for further advice
>>
>> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
>> not an obsolete version.
>> second... at the moment I can send email through postfix on the same
>> server, with the same certificates (almost: I still have to fix some
>> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>>
>> However, running openssl as requested returns "no peer certificate
>> available", and when I connect with mutt to dovecot I still get the
>> "no shared cipher" error. These are the permissions on the certificate
>> files:
>>
>> ls -l /etc/letsencrypt/archive//fullchain1.pem /etc/letsencrypt/archive//privkey1.pem
>> -r. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive//fullchain1.pem
>> -r. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive//privkey1.pem
>>
>> output of openssl, dovecot -n, its current SSL settings and excerpt of
>> the log file are all below.
>>
>> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
>> CONNECTED(0003)
>> 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 305 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol : TLSv1.2
>>     Cipher :
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1544521696
>>     Timeout : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> current SSL dovecot settings in conf.d/10-ssl.conf
>>
>> ssl = yes
>> ssl_prefer_server_ciphers = yes
>> ssl_dh_parameters_length = 2048
>> sl_min_protocol = TLSv1.2
>> ssl_cert = /fullchain1.pem
>> ssl_key = /privkey1.pem
>> ssl_cipher_list = ALL
>>
>> output of dovecot -n:
>>
>> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
>> # Hostname: SERVER NAME
>> auth_debug = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> mail_location = maildir:/var/mail/mymail_storage/base/
>> passdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     port = 993
>>   }
>> }
>> ssl = required
>> userdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> verbose_ssl = yes
>>
>> this is the error message I get when I tried to connect with mutt:
>>
>> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
>>
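The chain of cause Aki describes (dovecot.conf without an !include of conf.d, so 10-ssl.conf is never read, so no ssl_cert is loaded, so the server has no certificate with which to authenticate any cipher suite) can be checked mechanically before restarting anything. The script below is an added example for this thread, not doveconf or any Dovecot code: it parses Dovecot's "key = value", "section { }" and "!include" syntax from an in-memory set of constructed files, follows include globs relative to the including file as Dovecot does, and reports the three things this thread turned on. The file contents, the certificate paths and the replacement cipher string are assumptions made for the example; the "fixed" 10-ssl.conf also answers the later question about ssl_cipher_list = ALL, which in OpenSSL's cipher-string syntax still admits the anonymous (aNULL) suites that authenticate nobody.

```python
"""Resolve a Dovecot configuration tree (dovecot.conf plus !include'd
files) and report the TLS misconfigurations seen in this thread.

Added example, not Dovecot's own code. The file contents below are
constructed stand-ins for /etc/dovecot, not the poster's real files."""
import posixpath
from difflib import get_close_matches
from fnmatch import fnmatch

BROKEN = {
    "/etc/dovecot/dovecot.conf": """\
# no "!include conf.d/*.conf" line here, so conf.d is never read
ssl = required
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
""",
    "/etc/dovecot/conf.d/10-ssl.conf": """\
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.test/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.test/privkey.pem
sl_min_protocol = TLSv1.2
ssl_cipher_list = ALL
ssl_prefer_server_ciphers = yes
""",
}

# Same files with only the include line added: the first fix in the thread.
INCLUDE_ONLY_FIX = {**BROKEN, "/etc/dovecot/dovecot.conf":
                    "!include conf.d/*.conf\n" + BROKEN["/etc/dovecot/dovecot.conf"]}

FIXED = {
    "/etc/dovecot/dovecot.conf": "!include conf.d/*.conf\n",
    "/etc/dovecot/conf.d/10-ssl.conf": """\
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.test/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.test/privkey.pem
ssl_min_protocol = TLSv1.2
# authenticated, forward-secret AEAD suites only (example policy, an assumption)
ssl_cipher_list = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
""",
}

# ssl_protocols is the older spelling, ssl_min_protocol the newer one.
KNOWN_SSL_KEYS = {"ssl", "ssl_cert", "ssl_key", "ssl_ca", "ssl_cipher_list",
                  "ssl_protocols", "ssl_min_protocol", "ssl_prefer_server_ciphers",
                  "ssl_dh_parameters_length", "ssl_verify_client_cert", "verbose_ssl"}


def load_config(path, files, settings=None, loaded=None, section=()):
    """Parse `path` from the `files` dict, following !include / !include_try.
    Returns (settings, loaded): settings maps 'sect/name/key' -> value in the
    order seen (later wins, like Dovecot); loaded lists files actually read."""
    settings = {} if settings is None else settings
    loaded = [] if loaded is None else loaded
    if path in loaded:            # guard against include loops
        return settings, loaded
    loaded.append(path)
    stack = list(section)
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Dovecot has no inline comments
            continue
        if line.startswith("!include"):
            directive, _, pattern = line.partition(" ")
            pattern = posixpath.join(posixpath.dirname(path), pattern.strip())
            matches = sorted(f for f in files if fnmatch(f, pattern))
            if not matches and directive == "!include":   # !include_try is silent
                raise FileNotFoundError(f"{path}: {pattern} matched nothing")
            for inc in matches:
                load_config(inc, files, settings, loaded, tuple(stack))
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):    # "service imap-login {" -> "service/imap-login"
            stack.append(line[:-1].strip().replace(" ", "/"))
            continue
        key, _, value = line.partition("=")
        settings["/".join(stack + [key.strip()])] = value.strip()
    return settings, loaded


def audit(files, root="/etc/dovecot/dovecot.conf"):
    """Return finding codes for the problems this thread ran into, in order."""
    settings, loaded = load_config(root, files)
    findings = []
    if not any(f.endswith("/conf.d/10-ssl.conf") for f in loaded):
        findings.append("conf.d_not_included")
    if settings.get("ssl", "yes") != "no":          # Dovecot's default is ssl = yes
        for key in ("ssl_cert", "ssl_key"):
            if key not in settings:
                findings.append(f"no_{key}")        # no cert => "no shared cipher"
    if settings.get("ssl_cipher_list", "").upper() == "ALL":
        findings.append("cipher_list_ALL")          # ALL keeps the aNULL suites
    for key in settings:
        name = key.rsplit("/", 1)[-1]
        if name not in KNOWN_SSL_KEYS and get_close_matches(name, KNOWN_SSL_KEYS, 1, 0.85):
            findings.append(f"possible_typo:{name}")
    return findings


if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("include only", INCLUDE_ONLY_FIX), ("fixed", FIXED)):
        print(f"{label}: {audit(files) or 'no findings'}")
```

Compare audit(BROKEN), audit(INCLUDE_ONLY_FIX) and audit(FIXED): adding the include line alone moves the findings from "no certificate" to "cipher list ALL" and "sl_min_protocol is close to a known key", which is the order in which the thread itself met them, since settings in a file that is never included cannot fail or warn. The real doveconf -n remains the authority on what Dovecot actually loaded.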
Re: "no shared cypher", no matter what I try
Hello Aki,

maybe I misunderstood you, but both adding an "ssl = yes" line to this section of dovecot.conf, and commenting out the whole "four lines starting at "inet_listener imaps" do not have any effect :

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

this is the error I still get after restarting dovecot, and trying again to connect with mutt:

ogin: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=server.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users

On Tue 11 Dec 2018 at 11:01 Aki Tuomi wrote:
>
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
> > hello, and some update
> > short version: the error is still there, but I have some more data to
> > share, thanks in advance for further advice
> >
> > first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> > not an obsolete version.
> > second... at the moment I can send email through postfix on the same
> > server, with the same certificates (almost: I still have to fix some
> > stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
> >
> > However, running openssl as requested returns "no peer certificate
> > available", and when I connect with mutt to dovecot I still get the
> > "no shared cipher" error. These are the permissions on the certificate
> > files:
> >
> > ls -l /etc/letsencrypt/archive//fullchain1.pem /etc/letsencrypt/archive//privkey1.pem
> > -r. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive//fullchain1.pem
> > -r. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive//privkey1.pem
> >
> > output of openssl, dovecot -n, its current SSL settings and excerpt of
> > the log file are all below.
> >
> > openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> > CONNECTED(0003)
> > 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 305 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol : TLSv1.2
> >     Cipher :
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> >     Key-Arg : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1544521696
> >     Timeout : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> >
> > current SSL dovecot settings in conf.d/10-ssl.conf
> >
> > ssl = yes
> > ssl_prefer_server_ciphers = yes
> > ssl_dh_parameters_length = 2048
> > sl_min_protocol = TLSv1.2
> > ssl_cert = /fullchain1.pem
> > ssl_key = /privkey1.pem
> > ssl_cipher_list = ALL
> >
> > output of dovecot -n:
> >
> > # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
> > # Hostname: SERVER NAME
> > auth_debug = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > mail_location = maildir:/var/mail/mymail_storage/base/
> > passdb {
> >   args = /etc/imap.v_users
> >   driver
Re: "no shared cypher", no matter what I try
Hi!

You have misconfigured service imap-login, remove the 993 listener config (it's there by default) or add ssl = yes to it.

Aki

On 11.12.2018 11.58, Marco Fioretti wrote:
> hello, and some update
> short version: the error is still there, but I have some more data to
> share, thanks in advance for further advice
>
> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> not an obsolete version.
> second... at the moment I can send email through postfix on the same
> server, with the same certificates (almost: I still have to fix some
> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>
> However, running openssl as requested returns "no peer certificate
> available", and when I connect with mutt to dovecot I still get the
> "no shared cipher" error. These are the permissions on the certificate
> files:
>
> ls -l /etc/letsencrypt/archive//fullchain1.pem /etc/letsencrypt/archive//privkey1.pem
> -r. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive//fullchain1.pem
> -r. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive//privkey1.pem
>
> output of openssl, dovecot -n, its current SSL settings and excerpt of
> the log file are all below.
>
> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> CONNECTED(0003)
> 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.2
>     Cipher :
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1544521696
>     Timeout : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> current SSL dovecot settings in conf.d/10-ssl.conf
>
> ssl = yes
> ssl_prefer_server_ciphers = yes
> ssl_dh_parameters_length = 2048
> sl_min_protocol = TLSv1.2
> ssl_cert = /fullchain1.pem
> ssl_key = /privkey1.pem
> ssl_cipher_list = ALL
>
> output of dovecot -n:
>
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
> # Hostname: SERVER NAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> mail_location = maildir:/var/mail/mymail_storage/base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes
>
> this is the error message I get when I tried to connect with mutt:
>
> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
Re: "no shared cypher", no matter what I try
hello, and some update

short version: the error is still there, but I have some more data to share, thanks in advance for further advice

first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is not an obsolete version.
second... at the moment I can send email through postfix on the same server, with the same certificates (almost: I still have to fix some stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).

However, running openssl as requested returns "no peer certificate available", and when I connect with mutt to dovecot I still get the "no shared cipher" error. These are the permissions on the certificate files:

ls -l /etc/letsencrypt/archive//fullchain1.pem /etc/letsencrypt/archive//privkey1.pem
-r. 1 root root 3546 Dec 7 11:59 /etc/letsencrypt/archive//fullchain1.pem
-r. 1 root root 1704 Dec 7 11:59 /etc/letsencrypt/archive//privkey1.pem

output of openssl, dovecot -n, its current SSL settings and excerpt of the log file are all below.

openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(0003)
140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544521696
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

current SSL dovecot settings in conf.d/10-ssl.conf

ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
sl_min_protocol = TLSv1.2
ssl_cert = /fullchain1.pem
ssl_key = /privkey1.pem
ssl_cipher_list = ALL

output of dovecot -n:

# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes

this is the error message I get when I tried to connect with mutt:

Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
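What openssl s_client printed above ("sslv3 alert handshake failure", "no peer certificate available", "Cipher is (NONE)") and what Dovecot logged ("SSL_accept() failed ... no shared cipher") are the two ends of one event: a TLS 1.2 server with no certificate loaded cannot select any authenticated cipher suite, so it answers the ClientHello with a fatal handshake_failure alert and the client never receives a certificate. The following is an added example for this thread, not Dovecot or Mutt code: it reproduces that handshake in memory with Python's ssl module (MemoryBIO pairs instead of sockets, so it runs offline) using a server context that deliberately never calls load_cert_chain. The hostname is a placeholder; TLS 1.2 is pinned because on TLS 1.3 OpenSSL reports the same missing-certificate problem under a different reason code.

```python
"""Reproduce the "no shared cipher" failure in memory: a TLS 1.2 server
context that has no certificate loaded, which is what Dovecot ended up
with once conf.d (and therefore ssl_cert/ssl_key) was never included.

Added example for this thread, not Dovecot's code. Runs offline."""
import ssl


def handshake_without_server_cert():
    """Drive one handshake through MemoryBIO pairs (no sockets, no network).
    Returns (server_reason, client_reason): the OpenSSL reason codes each
    side raised, or None for a side that did not fail."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Deliberately no server_ctx.load_cert_chain(...): this is the bug.
    server_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    client_ctx.check_hostname = False      # like `openssl s_client` with no -verify
    client_ctx.verify_mode = ssl.CERT_NONE

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="mail.example.test")  # placeholder SNI
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    server_reason = client_reason = None
    for _ in range(10):                     # a handful of round trips is plenty
        try:
            client.do_handshake()
            break                           # would only happen with a real cert
        except ssl.SSLWantReadError:
            if server_reason is not None:
                break                       # server already gave up; nothing more will come
        except ssl.SSLError as exc:
            client_reason = exc.reason      # the alert, as the client sees it
            break
        s_in.write(c_out.read())            # ClientHello -> server
        if server_reason is None:
            try:
                server.do_handshake()
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:
                server_reason = exc.reason  # what Dovecot's log shows
        c_in.write(s_out.read())            # ServerHello... or a fatal alert -> client
    return server_reason, client_reason


if __name__ == "__main__":
    srv, cli = handshake_without_server_cert()
    print(f"server side: {srv}")   # NO_SHARED_CIPHER
    print(f"client side: {cli}")   # SSLV3_ALERT_HANDSHAKE_FAILURE
```

The server-side reason is the one to diagnose from; the client only ever sees the alert, which is why Mutt's gnutls_handshake message and the openssl output say nothing about certificates or ciphers. Calling server_ctx.load_cert_chain(fullchain, privkey) is what turns this into a normal handshake, which on the Dovecot side is exactly what ssl_cert and ssl_key in an included 10-ssl.conf do.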
Re: "no shared cypher", no matter what I try
On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.

Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from https://weakdh.org/sysadmin.html

---
ssl = yes
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
#regenerates every week
ssl_dh_parameters_length = 2048
ssl_cert =
Re: "no shared cypher", no matter what I try
Have you tried connecting with openssl s_client, with a cypher list of all?

My suspicion is that one of the pair of programs is only using old, weak cyphers (due to age) and the other only strong ones.

David
Re: "no shared cypher", no matter what I try
I ran into that error message with a different application and it turned out that the server certificate was expired.

--
Doug

> On 8 December 2018, at 12:22, David Gardner wrote:
>
> Have you tried connecting with openssl s_client, with a cypher list of all?
>
> My suspicion is that one of the pair of programs is only
> using old, weak cyphers (due to age) and the other only strong ones.
>
>
> David
Re: "no shared cypher", no matter what I try
Marco Fioretti wrote on 2018-12-08 11:03:

> I have had to reinstall my email server on another Linux (centos 7.6)

reinstalls often help make the same problems with precompiled distros :=)

is openssl installed or what ssl api is in use ?

did you create a bug report to centos maintainers ?

it's not a postfix/dovecot problem that ssl is not working

lets encrypt is irrelevant
Re: "no shared cypher", no matter what I try
> On 08 December 2018 at 12:03 Marco Fioretti wrote:
>
>
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
>
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
>
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
>
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
>
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
>
> ssl_cert =
> ssl_key =
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
>
> any pointer to what to check or change next is VERY welcome.
>
> Thanks in advance,
> Marco
>
> #
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
>
> #
> dovecot --version
> 2.2.36 (1f10bfa63)
>
>
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols? Is your certificate an ECC certificate?

Aki