Re: "no shared cypher", no matter what I try

2018-12-11 Thread Marco Fioretti
The problem is solved, thanks to Aki. I was missing the "include"
directive in dovecot.conf, because it was not needed in the dovecot
version I was using previously.

Now I have a related question, and... another problem :-)

The question: what is a safer/more sensible value for ssl_cipher_list
than the current "ALL"?

The problem: now that I can login, a permission/ownership problem came
up. In the old server, the mailboxes were owned by user mail_manager,
group mail_management.

In the new server I recreated those users, copied the mailboxes as
they were. Postfix / procmail are using that userid, and can write
successfully to the mailboxes.

Dovecot, instead, cannot. Even if I added the dovecot user to the
mail_management group, it keeps generating plenty of errors like this:

Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error:
file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist)
failed: Permission denied (euid=5000()
egid=5000(mail_management) missing +w perm:
/var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000
mode=0755)

of course it cannot create the log file because the owner is the
mail_manager user (euid 5000)

so the question is: what is the good/best practice now? Make dovecot
run as user mail_manager? And if yes, how? Or should I change the
permissions of all the mailboxes and mail files with chmod -R 775?

Thanks,
Marco
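An added example for the ownership problem in the message above (not Dovecot's code): it takes the values Dovecot already prints in that error line (euid/egid of the mail process, directory owner, mode), re-applies the POSIX permission rule, and lists what would make that one check pass. The euid/egid in the message belong to the identity the mail process runs under (Dovecot's `mail_uid`/`mail_gid` or the userdb `uid`/`gid` fields), not to the `dovecot` login user, which is why adding that user to the group changes nothing; the sample input is the error quoted above, and everything else is assumption.

```python
"""Re-run the POSIX permission check behind a Dovecot "missing +w perm" error.
Added example for this thread, not Dovecot code; see the comments for assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the error Marco quoted above, as the mail client wrapped it.
SAMPLE_LOG = """\
Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error:
file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist)
failed: Permission denied (euid=5000()
egid=5000(mail_management) missing +w perm:
/var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000
mode=0755)
"""

# Shape of Dovecot's message: effective ids of the mail process, the missing bit,
# the object that lacks it, and its owner/group/mode.
PERM_RE = re.compile(
    r"Permission denied \(euid=(?P<euid>\d+)\([^)]*\) egid=(?P<egid>\d+)\([^)]*\) "
    r"missing \+(?P<need>[rwx]) perm: (?P<path>[^\s,]+), (?:dir|file) owned by "
    r"(?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]{3,4})\)"
)
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")

def join_wrapped(text: str) -> List[str]:
    """Glue wrapped continuation lines back onto the syslog entry they belong to."""
    entries: List[str] = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

@dataclass
class PermCheck:
    path: str
    euid: int        # identity of the mail process (userdb uid / mail_uid), not the login user
    egid: int
    owner_uid: int
    owner_gid: int
    mode: int        # permission bits, e.g. 0o755
    needed: str      # "r", "w" or "x"

    def bits_used(self) -> str:
        """POSIX applies one class only: owner if euid matches (even without the bit),
        else group if egid matches, else other."""
        if self.euid == self.owner_uid:
            return "owner"
        if self.egid == self.owner_gid:  # supplementary groups are not in the log line
            return "group"
        return "other"

    def allowed(self) -> bool:
        shift = {"owner": 6, "group": 3, "other": 0}[self.bits_used()]
        return bool((self.mode >> shift) & {"r": 4, "w": 2, "x": 1}[self.needed])

    def remedies(self) -> List[str]:
        """Changes that make this check pass without opening the directory to everyone."""
        if self.allowed():
            return []
        cls = self.bits_used()
        if cls == "owner":
            return [f"chmod u+{self.needed} {self.path}"]
        out = [f"run the mail process as uid {self.owner_uid} (Dovecot: mail_uid, or the "
               f"uid field of the userdb entry) so the owner bits apply"]
        if cls == "group":
            out.append(f"chmod g+{self.needed} {self.path}  (0775 for directories, not 0777)")
        else:
            out.append(f"chgrp {self.egid} {self.path} && chmod g+{self.needed} {self.path}")
        return out

def parse(entry: str) -> Optional[PermCheck]:
    """PermCheck for one joined log entry, or None if it is not this kind of error."""
    m = PERM_RE.search(entry)
    if not m:
        return None
    return PermCheck(path=m["path"], euid=int(m["euid"]), egid=int(m["egid"]),
                     owner_uid=int(m["uid"]), owner_gid=int(m["gid"]),
                     mode=int(m["mode"], 8) & 0o777, needed=m["need"])
```

For the quoted line the group class applies (egid 5000 matches the directory's group) but 0755 has no group write bit, so either the mail process has to run as uid 1001 or the directories need g+w.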


Re: "no shared cypher", no matter what I try

2018-12-11 Thread Benny Pedersen via dovecot

Marco Fioretti wrote on 2018-12-11 11:12:

> maybe I misunderstood you, but both adding an "ssl = yes" line to this
> section of dovecot.conf and commenting out the four lines starting at
> "inet_listener imaps" have no effect:


you should not edit dovecot.conf :/

edit config files in conf.d

start from zero now


Re: "no shared cypher", no matter what I try

2018-12-11 Thread Aki Tuomi
Ah, the actual problem appears to be that you are not including the
conf.d directory at all in your config, so you are ending up with no
certificate at all. This is handled better in 2.3.x.

Aki

On 11.12.2018 12.01, Aki Tuomi wrote:
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
>> hello, and some update
>> short version: the error is still there, but I have some more data to
>> share, thanks in advance for further advice
>>
>> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
>> not an obsolete version.
>> second... at the moment I can send email through postfix on the same
>> server, with the same certificates (almost: I still have to fix some
>> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>>
>> However, running openssl as requested returns "no peer certificate
>> available", and when
>> I connect with mutt to dovecot I still get the "no shared cipher"
>> error. These are the permissions
>> on the certificate files:
>>
>> ls -l /etc/letsencrypt/archive//fullchain1.pem
>> /etc/letsencrypt/archive//privkey1.pem
>> -r. 1 root root 3546 Dec  7 11:59
>> /etc/letsencrypt/archive//fullchain1.pem
>> -r. 1 root root 1704 Dec  7 11:59
>> /etc/letsencrypt/archive//privkey1.pem
>>
>> output of openssl, dovecot -n, its current SSL settings and excerpt of
>> the log file are all below.
>>
>> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
>> CONNECTED(0003)
>> 140141825717912:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:769:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 305 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol  : TLSv1.2
>> Cipher: 
>> Session-ID:
>> Session-ID-ctx:
>> Master-Key:
>> Key-Arg   : None
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1544521696
>> Timeout   : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>>
>> current SSL dovecot settings in conf.d/10-ssl.conf
>>
>> ssl = yes
>>
>> ssl_prefer_server_ciphers = yes
>>
>> ssl_dh_parameters_length = 2048
>>
>> sl_min_protocol = TLSv1.2
>>
>> ssl_cert = /fullchain1.pem
>> ssl_key =  /privkey1.pem
>>
>> ssl_cipher_list = ALL
>>
>> output of dovecot -n:
>>
>> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
>> 7.6.1810 (Core)  ext4
>> # Hostname: SERVER NAME
>> auth_debug = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> mail_location = maildir:/var/mail/mymail_storage/base/
>> passdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>> group = postfix
>> mode = 0660
>> user = postfix
>>   }
>> }
>> service imap-login {
>>   inet_listener imap {
>> port = 0
>>   }
>>   inet_listener imaps {
>> port = 993
>>   }
>> }
>> ssl = required
>> userdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> verbose_ssl = yes
>>
>>
>>
>>
>>
>> this is the error message I get when I try to connect with mutt:
>>
>>
>> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
>> starting up for imap, pop3, lmtp (core dumps disabled)
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
>> ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: SSLv2/v3 read client hello A
>> [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
>> where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
>> SSL_accept() failed: error:1408A0C1:SSL
>> routines:ssl3_get_client_hello:
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
>> (disconnected before auth was ready, waited 0 secs): user=<>,
>> rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
>> haking: SSL_accept() failed: error:1408A0C1:SSL
>> routines:ssl3_get_client_hello:no shared cipher,
>> session=
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
>> directory: /usr/lib64/dovecot/auth
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
>> 

Re: "no shared cypher", no matter what I try

2018-12-11 Thread Marco Fioretti
Hello Aki,

maybe I misunderstood you, but both adding an "ssl = yes" line to this
section of dovecot.conf and commenting out the four lines starting at
"inet_listener imaps" have no effect:

service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}

this is the error I still get after restarting dovecot, and trying
again to connect with mutt:

ogin: Debug: SSL: where=0x10, ret=1: before/accept initialization
[my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv2/v3 read client hello A
[my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Disconnected
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=my.home.ip.address, lip=server.ip.address, TLS handshaking:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher,
session=
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Read auth token
secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: passwd-file
/etc/imap.v_users: Read 1 users
On Tue, 11 Dec 2018 at 11:01, Aki Tuomi wrote:
>
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
> > hello, and some update
> > short version: the error is still there, but I have some more data to
> > share, thanks in advance for further advice
> >
> > first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> > not an obsolete version.
> > second... at the moment I can send email through postfix on the same
> > server, with the same certificates (almost: I still have to fix some
> > stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
> >
> > However, running openssl as requested returns "no peer certificate
> > available", and when
> > I connect with mutt to dovecot I still get the "no shared cipher"
> > error. These are the permissions
> > on the certificate files:
> >
> > ls -l /etc/letsencrypt/archive//fullchain1.pem
> > /etc/letsencrypt/archive//privkey1.pem
> > -r. 1 root root 3546 Dec  7 11:59
> > /etc/letsencrypt/archive//fullchain1.pem
> > -r. 1 root root 1704 Dec  7 11:59
> > /etc/letsencrypt/archive//privkey1.pem
> >
> > output of openssl, dovecot -n, its current SSL settings and excerpt of
> > the log file are all below.
> >
> > openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> > CONNECTED(0003)
> > 140141825717912:error:14077410:SSL
> > routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> > failure:s23_clnt.c:769:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 305 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol  : TLSv1.2
> > Cipher: 
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key:
> > Key-Arg   : None
> > PSK identity: None
> > PSK identity hint: None
> > SRP username: None
> > Start Time: 1544521696
> > Timeout   : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > current SSL dovecot settings in conf.d/10-ssl.conf
> >
> > ssl = yes
> >
> > ssl_prefer_server_ciphers = yes
> >
> > ssl_dh_parameters_length = 2048
> >
> > sl_min_protocol = TLSv1.2
> >
> > ssl_cert = /fullchain1.pem
> > ssl_key =  /privkey1.pem
> >
> > ssl_cipher_list = ALL
> >
> > output of dovecot -n:
> >
> > # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> > 7.6.1810 (Core)  ext4
> > # Hostname: SERVER NAME
> > auth_debug = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > mail_location = maildir:/var/mail/mymail_storage/base/
> > passdb {
> >   args = /etc/imap.v_users
> >   driver 

Re: "no shared cypher", no matter what I try

2018-12-11 Thread Aki Tuomi
Hi!

You have misconfigured service imap-login, remove the 993 listener
config (it's there by default) or add ssl = yes to it.

Aki

On 11.12.2018 11.58, Marco Fioretti wrote:
> hello, and some update
> short version: the error is still there, but I have some more data to
> share, thanks in advance for further advice
>
> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> not an obsolete version.
> second... at the moment I can send email through postfix on the same
> server, with the same certificates (almost: I still have to fix some
> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>
> However, running openssl as requested returns "no peer certificate
> available", and when
> I connect with mutt to dovecot I still get the "no shared cipher"
> error. These are the permissions
> on the certificate files:
>
> ls -l /etc/letsencrypt/archive//fullchain1.pem
> /etc/letsencrypt/archive//privkey1.pem
> -r. 1 root root 3546 Dec  7 11:59
> /etc/letsencrypt/archive//fullchain1.pem
> -r. 1 root root 1704 Dec  7 11:59
> /etc/letsencrypt/archive//privkey1.pem
>
> output of openssl, dovecot -n, its current SSL settings and excerpt of
> the log file are all below.
>
> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> CONNECTED(0003)
> 140141825717912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: 
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg   : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1544521696
> Timeout   : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> current SSL dovecot settings in conf.d/10-ssl.conf
>
> ssl = yes
>
> ssl_prefer_server_ciphers = yes
>
> ssl_dh_parameters_length = 2048
>
> sl_min_protocol = TLSv1.2
>
> ssl_cert = /fullchain1.pem
> ssl_key =  /privkey1.pem
>
> ssl_cipher_list = ALL
>
> output of dovecot -n:
>
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core)  ext4
> # Hostname: SERVER NAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> mail_location = maildir:/var/mail/mymail_storage/base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
> port = 0
>   }
>   inet_listener imaps {
> port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes
>
>
>
>
>
> this is the error message I get when I try to connect with mutt:
>
>
> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
> starting up for imap, pop3, lmtp (core dumps disabled)
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
> ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: SSLv2/v3 read client hello A
> [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
> haking: SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher,
> session=
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
> directory: /usr/lib64/dovecot/auth
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret
> from /var/run/dovecot/auth-token-secret.dat
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs


Re: "no shared cypher", no matter what I try

2018-12-11 Thread Marco Fioretti
hello, and some update
short version: the error is still there, but I have some more data to
share, thanks in advance for further advice

first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
not an obsolete version.
second... at the moment I can send email through postfix on the same
server, with the same certificates (almost: I still have to fix some
stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).

However, running openssl as requested returns "no peer certificate
available", and when
I connect with mutt to dovecot I still get the "no shared cipher"
error. These are the permissions
on the certificate files:

ls -l /etc/letsencrypt/archive//fullchain1.pem
/etc/letsencrypt/archive//privkey1.pem
-r. 1 root root 3546 Dec  7 11:59
/etc/letsencrypt/archive//fullchain1.pem
-r. 1 root root 1704 Dec  7 11:59
/etc/letsencrypt/archive//privkey1.pem

output of openssl, dovecot -n, its current SSL settings and excerpt of
the log file are all below.

openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(0003)
140141825717912:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544521696
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---

current SSL dovecot settings in conf.d/10-ssl.conf

ssl = yes

ssl_prefer_server_ciphers = yes

ssl_dh_parameters_length = 2048

sl_min_protocol = TLSv1.2

ssl_cert = /fullchain1.pem
ssl_key =  /privkey1.pem

ssl_cipher_list = ALL

output of dovecot -n:

# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
7.6.1810 (Core)  ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
}
service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes





this is the error message I get when I try to connect with mutt:


Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv2/v3 read client hello A
[my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
haking: SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher,
session=
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret
from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file
/etc/imap.v_users: Read 1 users in 0 secs


Re: "no shared cypher", no matter what I try

2018-12-08 Thread Greg Wildman
On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.

Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from
https://weakdh.org/sysadmin.html

---
ssl = yes

ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_prefer_server_ciphers = yes 

#regenerates every week
ssl_dh_parameters_length = 2048

ssl_cert = 

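An added example (not Dovecot's code and not weakdh.org's guidance) that serves both Marco's question above about a safer value than "ALL" and the list Greg just posted: it applies OpenSSL's cipher-string syntax to a list and flags, by name, the entries that lack forward secrecy or use legacy algorithms. It does not expand aliases, so `openssl ciphers -v '<list>'` on the server remains the authoritative view of what a given build selects; Greg's list is embedded as the sample input.

```python
"""Static audit of an OpenSSL cipher string such as Dovecot's ssl_cipher_list.
Added example for this thread; not Dovecot's code and not weakdh.org's guidance.
"""
from typing import Dict, List, Tuple

# Sample input: the ssl_cipher_list Greg posted above (weakdh.org recommendation).
WEAKDH_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# OpenSSL cipher-string syntax: ':' separates entries, a leading '!' kills an entry
# for good, '-' removes it (it can be re-added later), '+' moves it to the end; an
# inner '+' (kEDH+AESGCM) means every part must match. The list only governs
# TLS 1.2 and older; TLS 1.3 suites are always forward-secret.
WILDCARDS = {"ALL", "COMPLEMENTOFALL", "DEFAULT", "COMPLEMENTOFDEFAULT",
             "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT"}
FS_ALIASES = {"kEDH", "kDHE", "EDH", "DHE", "kEECDH", "kECDHE", "EECDH", "ECDHE"}

def classify(name: str) -> List[str]:
    """Findings for one selected entry, judged by name only (aliases are not expanded)."""
    flags: List[str] = []
    parts = name.split("+")
    if name in WILDCARDS:
        flags.append("wildcard alias: selects every suite of that class the build "
                     "has, static-RSA and legacy ones included")
    elif len(parts) > 1 or "-" not in name:
        flags.append("alias, not one suite: expand with openssl ciphers -v")
        if not any(p in FS_ALIASES for p in parts):
            flags.append("may include suites without forward secrecy")
    elif not name.startswith(("ECDHE-", "DHE-")):
        flags.append("no forward secrecy: static key exchange, so a leaked server "
                     "key decrypts recorded sessions")
    if "DES-CBC3" in name:
        flags.append("3DES: 64-bit block cipher, 112-bit effective strength")
    if "RC4" in name:
        flags.append("RC4 stream cipher")
    if name.endswith("-MD5"):
        flags.append("MD5 MAC")
    if name.endswith("-SHA"):
        flags.append("CBC with HMAC-SHA1, not AEAD")
    if "CAMELLIA" in name:
        flags.append("Camellia: rarely needed by clients, prefer AES-GCM")
    return flags

def audit_cipher_list(spec: str) -> Dict[str, list]:
    """Selected entries with findings, in the order OpenSSL would keep them, plus kills."""
    selected: List[Tuple[str, List[str]]] = []
    moved: List[Tuple[str, List[str]]] = []
    killed: List[str] = []
    for tok in (t.strip() for t in spec.split(":")):
        if not tok:
            continue
        if tok[0] == "!":
            killed.append(tok[1:])
            selected = [e for e in selected if e[0] != tok[1:]]
        elif tok[0] == "-":
            selected = [e for e in selected if e[0] != tok[1:]]
        elif tok[0] == "+":
            moved.append((tok[1:], classify(tok[1:])))
        else:
            selected.append((tok, classify(tok)))
    return {"entries": selected + moved, "killed": killed}

def without_forward_secrecy(report: Dict[str, list]) -> List[str]:
    """Explicitly listed suites that a server-key compromise would expose retroactively."""
    return [name for name, flags in report["entries"]
            if any(f.startswith("no forward secrecy") for f in flags)]
```

On Greg's list the audit reports seven static-RSA suites (AES128-GCM-SHA256 through DES-CBC3-SHA) plus the AES and CAMELLIA aliases, while a bare "ALL" is reported as a wildcard that admits whatever the build still ships.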



Re: "no shared cypher", no matter what I try

2018-12-08 Thread Doug Hardie
I ran into that error message with a different application and it turned out 
that the server certificate was expired.

-- Doug

> On 8 December 2018, at 12:22, David Gardner  wrote:
> 
> Have you tried connecting with openssl s_client, with a cypher list of all?
> 
> My suspicion is that one of the pair of programs is only
> using old, weak cyphers (due to age) and the other only strong ones.
> 
> 
> David



Re: "no shared cypher", no matter what I try

2018-12-08 Thread David Gardner
Have you tried connecting with openssl s_client, with a cypher list of all?

My suspicion is that one of the pair of programs is only
using old, weak cyphers (due to age) and the other only strong ones.


David


Re: "no shared cypher", no matter what I try

2018-12-08 Thread Benny Pedersen via dovecot

Marco Fioretti wrote on 2018-12-08 11:03:

> I have had to reinstall my email server on another Linux (centos 7.6)


reinstalls often help make the same problems with precompiled distros :=)


is openssl installed, or what SSL API is in use?

did you create a bug report for the CentOS maintainers?

it's not a postfix/dovecot problem that SSL is not working

Let's Encrypt is irrelevant


Re: "no shared cypher", no matter what I try

2018-12-08 Thread Aki Tuomi
> On 08 December 2018 at 12:03 Marco Fioretti  wrote:
> 
> 
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
> 
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
> 
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
> 
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
> 
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
> 
> ssl_cert =  ssl_key =   ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
> 
> any pointer to what to check or change next is VERY welcome.
> 
> Thanks in advance,
> Marco
> 
> #
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> Dec  8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept()
> failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher, session=
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Dec  8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs
> 
> #
> dovecot --version
> 2.2.36 (1f10bfa63)
> 
> 
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core)  ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
> port = 0
>   }
>   inet_listener imaps {
> port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols?

Is your certificate an ECC certificate?

Aki