Re: SSL error

2022-11-10 Thread Goetz Schultz

Store - typo at my den (have kb-issues)

Thanks and regards

  Goetz R Schultz

>8
Quis custodiet ipsos custodes?
  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \
8<

On 09/11/2022 21:28, Ruben Safir wrote:
>> This got nothing to with LE or own CA. Bottom line is, you need to
>> add your own CA to the cert tore (ideally)
>
> what is a cert tore?
>
>> - look in DuckDuckGo how
>> that works for your distri - Linux is different from BSD - for
>> example.
>>
>> That would be my line in FreeBSD, using a single file for the CA :
>> $FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile
>> /etc/ssl/certs/my-ca.crt
>>
>> The --sslcertfile part can be dumped if using the global store.
>>
>> Bottom line - independent from CA.



>8--

  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \

   This message is transmitted on 100% recycled electrons.

>8--
Unsigned message - no responsibillity that content is not altered






Re: SSL error

2022-11-09 Thread Joseph Tam
Ruben Safir  wrote:

> > This got nothing to with LE or own CA. Bottom line is, you need to
> > add your own CA to the cert tore (ideally)
>
> what is a cert tore?

Someone has probably already replied to this, but it's a typo:
the OP wanted to say "store".

The certificate you created was used to sign itself ("self signed")
and thus, asserts its own validity.  If you need *other* people to
trust your SSL service, you should sign your certificate using a third
party authority (e.g. LetsEncrypt) to sign it.  Most internet users
will have these third party signing authority's certificates in their
certificate store to validate your service certificate.  If this is
for your own personal use (i.e. you don't care about trust since you
know it's your own certificate), you have to add your self-signed
certificate into *your* system's certificate authority store so that
your mail reader does not complain about an untrusted certificate.
Clear?

Joseph Tam 


Re: SSL error

2022-11-09 Thread Ruben Safir
> 
> This got nothing to with LE or own CA. Bottom line is, you need to
> add your own CA to the cert tore (ideally) 


what is a cert tore?

> - look in DuckDuckGo how
> that works for your distri - Linux is different from BSD - for
> example.
> 
> That would be my line in FreeBSD, using a single file for the CA :
> $FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile
> /etc/ssl/certs/my-ca.crt
> 
> The --sslcertfile part can be dumped if using the global store.
> 
> Bottom line - independent from CA.
> 
> 
> --
> Thanks and regards
> 
>   Goetz R Schultz
> 
> >8
> Quis custodiet ipsos custodes?
>   /"\
>   \ /  ASCII Ribbon Campaign
>X   against HTML e-mail
>   / \
> 8<
> 
> >8--
> 
>  /"\
>  \ /  ASCII Ribbon Campaign
>   X   against HTML e-mail
>  / \
> 
>   This message is transmitted on 100% recycled electrons.
> 
> >8--
> Unsigned message - no responsibillity that content is not altered

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013



Re: SSL error

2022-11-09 Thread Goetz Schultz

On 09/11/2022 18:19, Alexander Dalloz wrote:
> On 09.11.2022 at 18:30, hi@zakaria.website wrote:
>> On 2022-11-09 16:59, Alexander Dalloz wrote:
>>> On 09.11.2022 at 15:58, Ruben Safir wrote:
>>>> Hello
>>>>
>>>> I am getting this error and I have no idea why.  openssh is up to date
>>>
>>> You have a self-signed certificate in place. The connecting client
>>> cannot validate whether to trust the answering server.
>>>
>>> Alexander
>>
>> Try to run the following against the client certificate full chain and
>> cert file:-
>>
>>   openssl verify -CAfile fullchain.pem cert.pem
>>
>> if it did throw an error then try verifying with an updated CA
>> certificates bundle directly from OS using the following which works
>> with me in RHEL7:-
>>
>>   yum reinstall ca-certificates
>>   update-ca-trust
>>
>> Or if already installed.
>>
>>   update-ca-trust
>>
>> Given you are using a self signed certificate, I guess, you will have
>> to append manually the CA certificate, which you've used to sign the
>> self signed client certificate in CA bundle PEM file i.e.
>> tls-ca-bundle.pem. Also, you will have to reference the CA file in
>> dovecot using the following:-
>>
>> ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>> ssl_verify_client_cert = yes
>>
>> Good luck.
>>
>> Zakaria.
>
> That's pointless as the certificate hasn't been issued by Let's Encrypt.
>
> Alexander



This got nothing to with LE or own CA. Bottom line is, you need to add 
your own CA to the cert tore (ideally) - look in DuckDuckGo how that 
works for your distri - Linux is different from BSD - for example.


That would be my line in FreeBSD, using a single file for the CA :
$FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile 
/etc/ssl/certs/my-ca.crt


The --sslcertfile part can be dumped if using the global store.

Bottom line - independent from CA.


--
Thanks and regards

  Goetz R Schultz

>8
Quis custodiet ipsos custodes?
  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \
8<

>8--

 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML e-mail
 / \ 


  This message is transmitted on 100% recycled electrons.

>8--
Unsigned message - no responsibillity that content is not altered


Re: SSL error

2022-11-09 Thread Alexander Dalloz

On 09.11.2022 at 18:30, hi@zakaria.website wrote:
> On 2022-11-09 16:59, Alexander Dalloz wrote:
>> On 09.11.2022 at 15:58, Ruben Safir wrote:
>>> Hello
>>>
>>> I am getting this error and I have no idea why.  openssh is up to date
>>
>> You have a self-signed certificate in place. The connecting client
>> cannot validate whether to trust the answering server.
>>
>> Alexander
>
> Try to run the following against the client certificate full chain and
> cert file:-
>
>   openssl verify -CAfile fullchain.pem cert.pem
>
> if it did throw an error then try verifying with an updated CA
> certificates bundle directly from OS using the following which works
> with me in RHEL7:-
>
>   yum reinstall ca-certificates
>   update-ca-trust
>
> Or if already installed.
>
>   update-ca-trust
>
> Given you are using a self signed certificate, I guess, you will have to
> append manually the CA certificate, which you've used to sign the self
> signed client certificate in CA bundle PEM file i.e. tls-ca-bundle.pem.
> Also, you will have to reference the CA file in dovecot using the
> following:-
>
> ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> ssl_verify_client_cert = yes
>
> Good luck.
>
> Zakaria.

That's pointless as the certificate hasn't been issued by Let's Encrypt.

Alexander




Re: SSL error

2022-11-09 Thread hi

On 2022-11-09 16:59, Alexander Dalloz wrote:
> On 09.11.2022 at 15:58, Ruben Safir wrote:
>> Hello
>>
>> I am getting this error and I have no idea why.  openssh is up to date
>
> You have a self-signed certificate in place. The connecting client
> cannot validate whether to trust the answering server.
>
> Alexander

Try to run the following against the client certificate full chain and
cert file:-

  openssl verify -CAfile fullchain.pem cert.pem

if it did throw an error then try verifying with an updated CA
certificates bundle directly from OS using the following which works
with me in RHEL7:-

  yum reinstall ca-certificates
  update-ca-trust

Or if already installed.

  update-ca-trust

Given you are using a self signed certificate, I guess, you will have to
append manually the CA certificate, which you've used to sign the self
signed client certificate in CA bundle PEM file i.e. tls-ca-bundle.pem.
Also, you will have to reference the CA file in dovecot using the
following:-

ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes

Good luck.

Zakaria.



Re: SSL error

2022-11-09 Thread Alexander Dalloz

On 09.11.2022 at 15:58, Ruben Safir wrote:
> Hello
>
> I am getting this error and I have no idea why.  openssh is up to date

You have a self-signed certificate in place. The connecting client
cannot validate whether to trust the answering server.

Alexander



Re: SSL Error

2020-05-15 Thread Aki Tuomi
openssl s_client -connect mail.example.com:143 -starttls imap

would probably work much better.

Aki

> On 15/05/2020 20:10 Brandon Roa  wrote:
> 
>  
> Oops, on second glance I don't think that error is actually directly 
> related to what I was doing.
> 
> I had been testing to see if the certificate chain was installed 
> properly by running
> 
> openssl s_client -connect mail.example.com:143
> 
> But there was no certificate reported in stdout. I thought that error 
> was related to my test command, but I realize now it's not. I'm still 
> confused, though, because I followed all the steps for installing 
> configuring SSL (https://wiki.dovecot.org/SSL/DovecotConfiguration) and 
> it just doesn't seem to have worked.
> 
> On 5/14/2020 9:38 PM, Aki Tuomi wrote:
> >> On 15/05/2020 02:36 Brandon Roa  wrote:
> >>
> >>   
> >> I just installed a certificate on my mail server to Postfix and Dovecot.
> >> The certificate is functional on Postfix, but for some reason I keep
> >> getting this error. Any suggestions on how to fix it?
> >>
> >> mail dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL
> >> routines:ssl3_get_client_hello:wrong version number
> >>
> >>
> >> Here is my configuration:
> >>
> >> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
> >> # Pigeonhole version 0.4.13 (7b14904)
> >> # OS: Linux 4.4.0-45-generic x86_64 Ubuntu 16.04.6 LTS ext4
> > This is very dated version of dovecot, you might want to consider using 
> > e.g. https://repo.dovecot.org for new version. This is not necessarily the 
> > cause here.
> >
> > For the SSL error, can you describe more on what are you doing when you get 
> > the error? It looks a lot like trying plaintext connection to SSL port.
> >
> > Aki


Re: SSL Error

2020-05-15 Thread Brandon Roa
Oops, on second glance I don't think that error is actually directly 
related to what I was doing.


I had been testing to see if the certificate chain was installed 
properly by running


openssl s_client -connect mail.example.com:143

But there was no certificate reported in stdout. I thought that error 
was related to my test command, but I realize now it's not. I'm still 
confused, though, because I followed all the steps for installing 
configuring SSL (https://wiki.dovecot.org/SSL/DovecotConfiguration) and 
it just doesn't seem to have worked.


On 5/14/2020 9:38 PM, Aki Tuomi wrote:
>> On 15/05/2020 02:36 Brandon Roa  wrote:
>>
>> I just installed a certificate on my mail server to Postfix and Dovecot.
>> The certificate is functional on Postfix, but for some reason I keep
>> getting this error. Any suggestions on how to fix it?
>>
>> mail dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL
>> routines:ssl3_get_client_hello:wrong version number
>>
>> Here is my configuration:
>>
>> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.13 (7b14904)
>> # OS: Linux 4.4.0-45-generic x86_64 Ubuntu 16.04.6 LTS ext4
> This is very dated version of dovecot, you might want to consider using e.g.
> https://repo.dovecot.org for new version. This is not necessarily the cause
> here.
>
> For the SSL error, can you describe more on what are you doing when you get the
> error? It looks a lot like trying plaintext connection to SSL port.
>
> Aki


Re: SSL Error

2020-05-14 Thread Aki Tuomi


> On 15/05/2020 02:36 Brandon Roa  wrote:
> 
>  
> I just installed a certificate on my mail server to Postfix and Dovecot. 
> The certificate is functional on Postfix, but for some reason I keep 
> getting this error. Any suggestions on how to fix it?
> 
> mail dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL 
> routines:ssl3_get_client_hello:wrong version number
> 
> 
> Here is my configuration:
> 
> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.13 (7b14904)
> # OS: Linux 4.4.0-45-generic x86_64 Ubuntu 16.04.6 LTS ext4

This is very dated version of dovecot, you might want to consider using e.g. 
https://repo.dovecot.org for new version. This is not necessarily the cause 
here.

For the SSL error, can you describe more on what are you doing when you get the 
error? It looks a lot like trying plaintext connection to SSL port.

Aki
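
Added example (not from the thread and not Dovecot code): a small Python classifier for the two mismatches discussed in this thread, a TLS handshake sent to the plaintext IMAP port 143 without STARTTLS, and plaintext sent to a TLS listener such as 993. The byte strings are constructed samples and all function names are illustrative.

```python
import re
import struct

# Constructed sample inputs (not captured traffic).
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")  # start of a TLS ClientHello record
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Dovecot ready.\r\n"
IMAP_COMMAND = b"a1 CAPABILITY\r\n"


def parse_record_header(data):
    """Read the first five bytes the way a TLS stack does: type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def is_plausible_tls_record(data):
    """True if the bytes start with a syntactically valid TLS record header."""
    if len(data) < 5:
        return False
    ctype, (major, minor), length = parse_record_header(data)
    # 20..23 = change_cipher_spec, alert, handshake, application_data
    return ctype in (20, 21, 22, 23) and major == 3 and minor <= 4 and length <= 16384 + 2048


def classify_first_bytes(data):
    """Classify the first bytes seen on a freshly opened IMAP connection."""
    if is_plausible_tls_record(data):
        return "tls"
    if data.startswith(b"* "):
        return "imap-greeting"          # untagged server response
    if re.match(rb"[^\s*]+ [A-Za-z]+", data):
        return "imap-command"           # tag, space, command name
    return "unknown"


def diagnose_server_side(listener, first_client_bytes):
    """listener is 'implicit-tls' (e.g. port 993) or 'starttls' (e.g. port 143)."""
    kind = classify_first_bytes(first_client_bytes)
    if listener == "implicit-tls":
        return "ok" if kind == "tls" else "plaintext sent to TLS port"
    if listener == "starttls":
        return "TLS sent before STARTTLS" if kind == "tls" else "ok"
    raise ValueError(f"unknown listener type: {listener}")


def diagnose_client_side(expects_tls_immediately, first_server_bytes):
    """What a client such as `openssl s_client` (no -starttls) is really looking at."""
    kind = classify_first_bytes(first_server_bytes)
    if expects_tls_immediately and kind == "imap-greeting":
        # The greeting is parsed as a record header, fails, and no certificate is shown.
        return "server speaks plaintext IMAP: negotiate STARTTLS first"
    if not expects_tls_immediately and kind == "tls":
        return "server speaks TLS immediately: connect with implicit TLS"
    return "ok"


if __name__ == "__main__":
    print(diagnose_server_side("implicit-tls", IMAP_COMMAND))
    print(diagnose_server_side("starttls", CLIENT_HELLO))
    print(diagnose_client_side(True, IMAP_GREETING))
    # How the "* OK " greeting looks when misread as a TLS record header:
    print(parse_record_header(IMAP_GREETING))
```
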


Re: SSL error after upgrading to 2.31

2018-06-01 Thread Hauke Fath

On 05/30/18 10:41, A. Schulze wrote:
> In the third case an administrator has to provide files with
> certificates. And these files are required (by best practice)

Do you have any pointers to support such a strong statement?

> to include any chain-certificates excluding the self signed root.

Our upstream CA surely does not ship the signed certs that way. It 
could, and that would support your statement - but it doesn't.

> There is no reason to only provide a certificate via ssl_cert =
> and a new/other place to provide intermediates.

Yes, there is. It saves manipulating the signed server cert, and mirrors 
the fact that the intermediate CA certs have a longer lifetime than the 
server cert.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344


Re: SSL error after upgrading to 2.31

2018-05-30 Thread A. Schulze



Aki Tuomi:


There is already ssl_client_ca, for verifying clients. ssl_ca verifies
certs when dovecot is connecting somewhere.



For clarification:

there is a third use case an admin may need intermediate certificates:
And that's where dovecot act as server providing imap/pop3/lmtp/sieve  
via TLS or STARTTLS


that's different semantic:
ssl_client_ca and ssl_ca provide lists of CAs, dovecot should trust
while in the third case an administrator has to define exactly one list
of intermediate CAs used as chain to a root. Mixing them is wrong.

In the third case an administrator has to provide files with  
certificates. And these files
are required (by best practice) to include any chain-certificates  
excluding the self signed root.


There is no reason to only provide a certificate via ssl_cert =  /path/to/file"
No need for other options...

Andreas




Re: SSL error after upgrading to 2.31

2018-05-28 Thread Hauke Fath
On Mon, 28 May 2018 15:03:29 +0300, Aki Tuomi wrote:
>> Sounds good. How about (re)naming them ssl-{client,server}_ca?
> 
> There is already ssl_client_ca, for verifying clients. ssl_ca verifies
> certs when dovecot is connecting somewhere.

So there's three? I had no idea...

Cheerio,
hauke

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Aki Tuomi


On 28.05.2018 14:30, Hauke Fath wrote:
> On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote:
>> I'm sure. But putting it as ssl_ca makes no sense, since it becomes
>> confused what it is for.
> I guess - I haven't had a need for client certs, and only ever used 
> ssl_ca for the server ca chain.
>
>> We can try restoring this as ssl_cert_chain setting in future release.
> Sounds good. How about (re)naming them ssl-{client,server}_ca?
>
> Cheerio,
> Hauke
>

There is already ssl_client_ca, for verifying clients. ssl_ca verifies
certs when dovecot is connecting somewhere.

Aki


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Hauke Fath
On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote:
> I'm sure. But putting it as ssl_ca makes no sense, since it becomes
> confused what it is for.

I guess - I haven't had a need for client certs, and only ever used 
ssl_ca for the server ca chain.

> We can try restoring this as ssl_cert_chain setting in future release.

Sounds good. How about (re)naming them ssl-{client,server}_ca?

Cheerio,
Hauke

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Aki Tuomi


On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>>
>>
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>>
>>> But it was used (though not documented, IIRC) for validating server
>>> certs, too. Since intermediate CA certs are usually valid a lot longer
>>> than the server certs, having to concat the certs is awkward, at best.
>>
>> As far as I know, it has never been working as replacement for adding
>> the chain to cert file.
>
> Well, you know your code better than I.  ;)
>
> But it has worked for us here pre-2.3 (see
> 
> ff., and confirmed by
> ).
>
> And from an admin POV, it makes a lot of sense to keep the
> intermediate cert chain separate from the server cert.
>
> Cheerio,
> hauke
>
I'm sure. But putting it as ssl_ca makes no sense, since it becomes
confused what it is for.

We can try restoring this as ssl_cert_chain setting in future release.

Aki


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Hauke Fath

On 05/28/18 11:08, Aki Tuomi wrote:
> On 28.05.2018 12:06, Hauke Fath wrote:
>> On 05/21/18 17:55, Aki Tuomi wrote:
>>> ssl_ca is used only for validating client certificates.
>>
>> But it was used (though not documented, IIRC) for validating server
>> certs, too. Since intermediate CA certs are usually valid a lot longer
>> than the server certs, having to concat the certs is awkward, at best.
>
> As far as I know, it has never been working as replacement for adding
> the chain to cert file.

Well, you know your code better than I.  ;)

But it has worked for us here pre-2.3 (see 
 
ff., and confirmed by 
).

And from an admin POV, it makes a lot of sense to keep the intermediate 
cert chain separate from the server cert.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Aki Tuomi


On 28.05.2018 12:06, Hauke Fath wrote:
> On 05/21/18 17:55, Aki Tuomi wrote:
>> ssl_ca is used only for validating client certificates.
>
> But it was used (though not documented, IIRC) for validating server
> certs, too. Since intermediate CA certs are usually valid a lot longer
> than the server certs, having to concat the certs is awkward, at best.
>
> I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.
>
> Cheerio,
> hauke
>

As far as I know, it has never been working as replacement for adding
the chain to cert file.

Aki


Re: SSL error after upgrading to 2.31

2018-05-28 Thread Hauke Fath

On 05/21/18 17:55, Aki Tuomi wrote:
> ssl_ca is used only for validating client certificates.

But it was used (though not documented, IIRC) for validating server 
certs, too. Since intermediate CA certs are usually valid a lot longer 
than the server certs, having to concat the certs is awkward, at best.

I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.

Cheerio,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344


Re: SSL error after upgrading to 2.31

2018-05-21 Thread Aki Tuomi
You forgot to cc the list.

ssl_ca is used only for validating client certificates.

---
Aki Tuomi
Dovecot oy

Original message
From: Marc Perkel <m...@perkel.com>
Date: 21/05/2018 18:25 (GMT+02:00)
To: Aki Tuomi <aki.tu...@dovecot.fi>
Subject: Re: SSL error after upgrading to 2.31

On 05/21/2018 07:54 AM, Aki Tuomi wrote:

> Does ssl_cert file contain intermediates?

No - but the ssl_ca does.

> ---
> Aki Tuomi
> Dovecot oy
>
> Original message
> From: Marc Perkel <m...@perkel.com>
> Date: 21/05/2018 16:32 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: SSL error after upgrading to 2.31
>
> After upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong.
>
> No (No signatures could be verified because the chain contains
> only one certificate and it is not self signed.)
>
> ssl = yes
>
> ssl_cert = 

Re: SSL error after upgrading to 2.31

2018-05-21 Thread Aki Tuomi
Does ssl_cert file contain intermediates?

---
Aki Tuomi
Dovecot oy

Original message
From: Marc Perkel
Date: 21/05/2018 16:32 (GMT+02:00)
To: dovecot@dovecot.org
Subject: SSL error after upgrading to 2.31

After upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong.

No (No signatures could be verified because the chain contains
only one certificate and it is not self signed.)

ssl = yes

ssl_cert = 

Re: SSL error

2016-10-13 Thread arnaud gaboury
On Thu, Oct 13, 2016 at 10:30 AM Christian Kivalo wrote:

> On 2016-10-13 10:12, arnaud gaboury wrote:
> > On Thu, Oct 13, 2016 at 8:48 AM Christian Kivalo wrote:
> >> On 13 October 2016 08:41:06 CEST, arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
> >> >I run dovecot + postfix as my email server. Everything is working as
> >> >expected, but I see an error in the dovecot logs:
> >> >
> >> >lmtp(7331): Error: SSL context initialization failed, disabling SSL:
> >> >ENGINE_init(dynamic) failed
> >> >
> >> >Dovecot is running and emails are OK. I wonder why this error and how I
> >> >can fix it? I see it is a SSL issue but no idea in which direction to look.
> >> >Thank you for help
> >>
> >> Please post the complete log lines and the output of dovecot -n
> >
> > $ journalctl --unit=dovecot
> > Oct 13 08:20:20 thetradinghall.com systemd[1]: Started Dovecot IMAP/POP3 email server.
> > Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7331): Error: SSL context initialization failed, disabling SSL: ENGINE_init(dynamic) failed
> > Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7337): Error: SSL context initialization failed, disabling SSL: ENGINE_init(dynamic) failed
> > Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7338): Error: SSL context initialization failed, disabling SSL: ENGINE_init(dynamic) failed
> >
> > $ dovecot -n
> > # 2.2.25 (7be1766): /etc/dovecot/dovecot.conf
> > # OS: Linux 4.7.4-1-hortensia_docker x86_64 Fedora release 24 (Twenty Four)
> > auth_cache_size = 10 M
> > auth_debug = yes
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > doveadm_socket_path = /run/dovecot/doveadm-server
> > imap_id_log = *
> > info_log_path = /storage/log/dovecot/dovecot-info.log
> > mail_debug = yes
> > mail_gid = 5000
> > mail_location = maildir:~:LAYOUT=fs
> > mail_server_admin = mailto:ad...@thetradinghall.com
> > mail_uid = 5000
> > mailbox_list_index = yes
> > maildir_very_dirty_syncs = yes
> > namespace inbox {
> >   inbox = yes
> >   location =
> >   mailbox Archive {
> >     auto = create
> >     special_use = \Archive
> >   }
> >   mailbox Drafts {
> >     auto = create
> >     special_use = \Drafts
> >   }
> >   mailbox Junk {
> >     auto = create
> >     special_use = \Junk
> >   }
> >   mailbox Sent {
> >     auto = create
> >     special_use = \Sent
> >   }
> >   prefix =
> >   separator = /
> >   type = private
> > }
> > passdb {
> >   args = /etc/dovecot/dovecot-sql.conf.ext
> >   driver = sql
> > }
> > protocols = imap lmtp
> > service auth-worker {
> >   user = vmail
> > }
> > service auth {
> >   unix_listener /var/spool/postfix/private/auth {
> >     group = postfix
> >     mode = 0666
> >     user = postfix
> >   }
> >   unix_listener auth-userdb {
> >     group = postfix
> >     mode = 0600
> >     user = postfix
> >   }
> >   user = root
> > }
> > service imap-login {
> >   inet_listener imaps {
> >     port = 993
> >     ssl = yes
> >   }
> > }
> > service lmtp {
> >   process_min_avail = 10
> >   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >     group = postfix
> >     mode = 0600
> >     user = postfix
> >   }
> > }
> > ssl = required
> > ssl_cert = 
> > ssl_crypto_device = dynamic
>   ^^ does it work when you comment/remove this setting?
>
> from my 10-ssl.conf
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
>
> by default ssl_crypto_device is not set.

the line was uncommented, so I commented it. Now .-)


 ● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor
preset: disabled)
   Active: active (running) since Thu 2016-10-13 10:46:27 CEST; 6s ago
 Docs: man:dovecot(1)
   http://wiki2.dovecot.org/
  Process: 9793 ExecStop=/usr/bin/doveadm stop (code=exited,
status=0/SUCCESS)
  Process: 9806 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
  Process: 9804 ExecStartPre=/usr/libexec/dovecot/prestartscript
(code=exited, status=0/SUCCESS)
 Main PID: 9807 (dovecot)
   CGroup: /machine.slice/systemd-nspawn@poppy.service
/system.slice/dovecot.service
   ├─9807 /usr/sbin/dovecot
   ├─9808 dovecot/lmtp
   ├─9809 dovecot/anvil
   ├─9810 dovecot/log
   ├─9811 dovecot/ssl-params
   ├─9812 dovecot/lmtp
   ├─9813 dovecot/lmtp
   ├─9814 dovecot/lmtp

Re: SSL error

2016-10-13 Thread Christian Kivalo



On 2016-10-13 10:12, arnaud gaboury wrote:
On Thu, Oct 13, 2016 at 8:48 AM Christian Kivalo wrote:

On 13 October 2016 08:41:06 CEST, arnaud gaboury <arnaud.gabo...@gmail.com> wrote:

>I run dovecot + postfix as my email server. Everything is working as
>expected, but I see an error in the dovecot logs:
>
>lmtp(7331): Error: SSL context initialization failed, disabling SSL:
>ENGINE_init(dynamic) failed
>
>Dovecot is running and emails are OK. I wonder why this error and how I
>can fix it? I see it is a SSL issue but no idea in which direction to look.
>Thank you for help

Please post the complete log lines and the output of dovecot -n



$ journalctl --unit=dovecot
Oct 13 08:20:20 thetradinghall.com systemd[1]: Started Dovecot 
IMAP/POP3

email server.
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7331): Error: 
SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) 
failed
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7337): Error: 
SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) 
failed
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7338): Error: 
SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) 
failed




$ dovecot -n
# 2.2.25 (7be1766): /etc/dovecot/dovecot.conf
# OS: Linux 4.7.4-1-hortensia_docker x86_64 Fedora release 24 (Twenty 
Four)

auth_cache_size = 10 M
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
doveadm_socket_path = /run/dovecot/doveadm-server
imap_id_log = *
info_log_path = /storage/log/dovecot/dovecot-info.log
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~:LAYOUT=fs
mail_server_admin = mailto:ad...@thetradinghall.com
mail_uid = 5000
mailbox_list_index = yes
maildir_very_dirty_syncs = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
auto = create
special_use = \Archive
  }
  mailbox Drafts {
auto = create
special_use = \Drafts
  }
  mailbox Junk {
auto = create
special_use = \Junk
  }
  mailbox Sent {
auto = create
special_use = \Sent
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
group = postfix
mode = 0600
user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  process_min_avail = 10
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl = required
ssl_cert = 
 ^^ does it work when you comment/remove this setting?

from my 10-ssl.conf
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

by default ssl_crypto_device is not set.


ssl_key = 
--
 Christian Kivalo


Re: SSL error

2016-10-13 Thread arnaud gaboury
On Thu, Oct 13, 2016 at 8:48 AM Christian Kivalo  wrote:

> On 13 October 2016 08:41:06 CEST, arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
>
> >I run dovecot + postfix as my email server. Everything is working as
> >expected, but I see an error in the dovecot logs:
> >
> >lmtp(7331): Error: SSL context initialization failed, disabling SSL:
> >ENGINE_init(dynamic) failed
> >
> >Dovecot is running and emails are OK. I wonder why this error and how I
> >can fix it? I see it is a SSL issue but no idea in which direction to look.
> >Thank you for help
>
> Please post the complete log lines and the output of dovecot -n

$ journalctl --unit=dovecot
Oct 13 08:20:20 thetradinghall.com systemd[1]: Started Dovecot IMAP/POP3
email server.
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7331): Error: SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) failed
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7337): Error: SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) failed
Oct 13 08:20:20 thetradinghall.com dovecot[7333]: lmtp(7338): Error: SSL
context initialization failed, disabling SSL: ENGINE_init(dynamic) failed



$ dovecot -n
# 2.2.25 (7be1766): /etc/dovecot/dovecot.conf
# OS: Linux 4.7.4-1-hortensia_docker x86_64 Fedora release 24 (Twenty Four)
auth_cache_size = 10 M
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
doveadm_socket_path = /run/dovecot/doveadm-server
imap_id_log = *
info_log_path = /storage/log/dovecot/dovecot-info.log
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~:LAYOUT=fs
mail_server_admin = mailto:ad...@thetradinghall.com
mail_uid = 5000
mailbox_list_index = yes
maildir_very_dirty_syncs = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
auto = create
special_use = \Archive
  }
  mailbox Drafts {
auto = create
special_use = \Drafts
  }
  mailbox Junk {
auto = create
special_use = \Junk
  }
  mailbox Sent {
auto = create
special_use = \Sent
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
group = postfix
mode = 0600
user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  process_min_avail = 10
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl = required
ssl_cert = 
>
>  --
>
> Christian Kivalo
>
>


Re: SSL error

2016-10-13 Thread Christian Kivalo


On 13 October 2016 08:41:06 CEST, arnaud gaboury wrote:
>I run dovecot + postfix as my email server. Everything is working as
>expected, but I see an error in the dovecot logs:
>
>lmtp(7331): Error: SSL context initialization failed, disabling SSL:
>ENGINE_init(dynamic) failed
>
>Dovecot is running and emails are OK. I wonder why this error and how I
>can
>fix it? I see it is a SSL issue but no idea in which direction to look.
>Thank you for help
Please post the complete log lines and the output of dovecot -n

 --
Christian Kivalo