Thunderbird does not connect to Postfix/Dovecot.
My webmail interface works with login ([email protected] + password),
incoming (SSL/TLS, Port 993) and outgoing messages (STARTTLS, Port 587).
I did a bit of debugging and found out that it must be a certificate error.
Does anyone here know how to fix it, please?
This is my mail.log with SSL debugging:
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.x.x.x, lip=85.x.x.x, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<NDYo2aEUWQAfBhbN>
This is my Dovecot ssl-config file (/etc/dovecot/conf.d/10-ssl.conf):
# Log SSL problems
verbose_ssl = yes
ssl = required
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_prefer_server_ciphers = yes
The SSL cert for Dovecot is set up for localhost.
As I tried to integrate my root ca and domain cert into the dovecot cert, the problem remains:
dovecot.pem cert = dovecot cert content + domain cert content + root ca cert content (exactly in this order from top to bottom)
dovecot.pem key = dovecot cert key + domain cert key + root ca cert key (exactly in this order from top to bottom)
Thunderbird is expecting dovecot to supply it with the certs it needs to verify the connection (intermediary certs or the self-signed CA cert). Check out "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration.
You can fix this by adding intermediary certs to your SSL cert file (/etc/ssl/certs/imap.pem or wherever your ssl_cert is pointing). If you obtained your SSL certificate from a vendor, they should have instructions on how to obtain the intermediary certs.
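A way to check the chained file the answer describes before restarting Dovecot, as an added example that is not part of the original question or answer: the hypothetical helper check_chain splits a PEM bundle, confirms the server certificate comes first with each certificate issued by the one after it, and confirms the private key file matches the first certificate. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post). check_chain is a hypothetical helper.
# Usage: check_chain BUNDLE.pem [PRIVATE_KEY.pem]
# Returns 0 when BUNDLE lists the server certificate first, every certificate
# is issued by the one that follows it, and the key (if given) matches cert 1.
# Names are compared by hash; signatures are not verified here.
check_chain() {
    bundle=$1
    key=${2:-}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert." n) }' "$bundle"
    if [ ! -f "$tmp/cert.1" ]; then
        echo "no certificate found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    rc=0
    i=1
    while [ -f "$tmp/cert.$i" ]; do
        next=$((i + 1))
        echo "[$i] $(openssl x509 -in "$tmp/cert.$i" -noout -subject)"
        if [ -f "$tmp/cert.$next" ]; then
            issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer_hash)
            parent=$(openssl x509 -in "$tmp/cert.$next" -noout -subject_hash)
            if [ "$issuer" != "$parent" ]; then
                echo "cert $i is not issued by cert $next: wrong order or missing intermediate" >&2
                rc=1
            fi
        fi
        i=$next
    done
    if [ -n "$key" ]; then
        # The key file must hold the private key of cert 1 (the server cert).
        cert_pub=$(openssl x509 -in "$tmp/cert.1" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "private key does not match the first certificate" >&2
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return $rc
}
```

Run it as check_chain /etc/dovecot/dovecot.pem /etc/dovecot/private/dovecot.pem, using the ssl_cert and ssl_key paths from the configuration above.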