SSL error: sslv3 alert certificate unknown

Klaus Tachtler klaus at tachtler.net
Fri May 10 08:31:52 CEST 2019


Hello Frank,

have you included the "FullChain" of your certificate chain in Dovecot,
i.e. for example
root certificate --> intermediate certificate(s) --> actual certificate?

e.g.

/etc/dovecot/dovecot.conf

     ssl_cert = </etc/letsencrypt/domain.tld/fullchain.pem
     ssl_key = </etc/letsencrypt/domain.tld/privkey.pem


Regards,
Klaus.

> Hello everyone,
>
> I have set up a mail server with Postfix and Dovecot. It runs well
> so far, but there are problems with one client.
> It is an Android phone with K-9 Mail. Occurring cyclically, from the
> dovecot log file:
>
> May 10 06:41:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<ypG/L4GICLzAqIKr>
> May 10 06:42:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<BVVQM4GIoMLAqIKr>
> May 10 06:43:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<HxPlNoGISMnAqIKr>
> May 10 06:44:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<+4l3OoGIxM/AqIKr>
> May 10 06:45:10 imap-login: Info: Disconnected (no auth attempts in  
> 3 secs): user=<>, rip=196.52.43.131, lip=192.168.130.191, TLS  
> handshaking: Disconnected, session=<ZhxMO4GIOuzENCuD>
> May 10 06:45:55 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<xycBPoGIbtbAqIKr>
> May 10 06:46:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<EgafQYGIGN3AqIKr>
> May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>,  
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24201,  
> TLS, session=<O1tNRIGINMCyDkTn>
> May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>,  
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24202,  
> TLS, session=<4qNNRIGINsCyDkTn>
> May 10 06:47:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<BOAsRYGI1uPAqIKr>
> May 10 06:48:23 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<j5rSRoGIoOiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<DrrXRoGIouiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<fFPdRoGIpOiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<ffbiRoGIpuiyDkTn>
> May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<PsPqRoGIqOiyDkTn>
> May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<d5fvRoGIquiyDkTn>
> May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in  
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<19/1RoGIrOiyDkTn>
> May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<mtz7RoGIruiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in  
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<G8wDR4GIsOiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<u2kJR4GIsuiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<wGAOR4GItOiyDkTn>
> May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in  
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<29gTR4GItuiyDkTn>
> May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in  
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS  
> handshaking: SSL_accept() failed: error:14094416:SSL  
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert  
> number 46, session=<RPseR4GIuOiyDkTn>
> May 10 06:48:51 imap-login: Info: Login: user=<foo at bar.de>,  
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24225,  
> TLS, session=<V9x8SIGImMCyDkTn>
> May 10 06:48:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<hOjJSIGIfOrAqIKr>
> May 10 06:49:56 imap-login: Info: Aborted login (no auth attempts in  
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,  
> session=<+bJQTIGIyoLAqIKr>
>
> Certificates from Let's Encrypt are used. Other clients
> (Thunderbird, Outlook and K-9 Mail on other phones) work
> flawlessly; the problem only appears for this one user and fills
> the log file.
>
> # doveconf -n
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.24 (124e06aa)
> # OS: Linux 4.15.18-12-pve x86_64 CentOS Linux release 7.6.1810 (Core)
> # Hostname: xxxxx.xxx.de
> disable_plaintext_auth = no
> first_valid_uid = 1000
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> log_path = /var/log/dovecot.log
> login_greeting = IMAP Cluster ready.
> mail_fsync = always
> mail_gid = 1000
> mail_home = /srv/mail/mail_storage/%d/%n
> mail_location = maildir:~
> mail_privileged_group = vpostfix
> mail_uid = 1000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope  
> encoded-character vacation subaddress comparator-i;ascii-numeric  
> relational regex imap4flags copy include variables body enotify  
> environment mailbox date index ihave duplicate mime for everypart  
> extracttext vacation-seconds
> mbox_write_locks = fcntl
> mmap_disable = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Spam {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = scheme=CRYPT username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_before = /etc/dovecot/spam-global.sieve
>   sieve_extensions = +vacation-seconds
>   sieve_vacation_default_period = 1d
>   sieve_vacation_max_period = 30d
>   sieve_vacation_min_period = 0
> }
> postmaster_address = xxx at xxxxxx.de
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = vpostfix
>     mode = 0666
>     user = vpostfix
>   }
>   unix_listener auth-userdb {
>     group = vpostfix
>     mode = 0600
>     user = vpostfix
>   }
> }
> service imap-login {
>   process_min_avail = 1
>   service_count = 1
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
> }
> ssl_cert = </etc/letsencrypt/live/xxxxxx.de/fullchain.pem
> ssl_key =  # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> protocol lmtp {
>   mail_plugins = " sieve"
> }
> protocol lda {
>   mail_plugins = " sieve"
> }
> protocol imap {
>   mail_max_userip_connections = 10
> }
>
> -------------------------- END doveconf --------------------------------
>
> Have I configured something incorrectly?
>
> Regards, Frank


Regards,
Klaus.



-- 

--------------------------------------------
e-Mail  : klaus at tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
--------------------------------------------
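
An added example, not part of the original thread: a Python triage of Dovecot login log lines in the format quoted above. It decodes the OpenSSL error code to show that alert 46 was received from the client (the client rejected the server's certificate) and lists remote IPs that both log in successfully and send certificate alerts. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")
ERR_RE = re.compile(r"\berror:([0-9A-Fa-f]{8}):")


def peer_alert(code_hex):
    # OpenSSL 1.x packs an error as lib<<24 | func<<12 | reason; in the SSL
    # library (0x14) a reason of 1000 or more is 1000 + a received alert number.
    code = int(code_hex, 16)
    lib, reason = code >> 24, code & 0xFFF
    return reason - 1000 if lib == 0x14 and reason >= 1000 else None


def summarize(lines):
    """Per remote IP: successful logins and alerts sent by the client."""
    stats = defaultdict(lambda: {"logins": 0, "alerts": Counter()})
    for line in lines:
        rip = RIP_RE.search(line)
        if not rip:
            continue
        entry = stats[rip.group(1)]
        if "imap-login: Info: Login:" in line:
            entry["logins"] += 1
        err = ERR_RE.search(line)
        alert = peer_alert(err.group(1)) if err else None
        if alert is not None:
            entry["alerts"][CERT_ALERTS.get(alert, f"alert_{alert}")] += 1
    return dict(stats)


def mixed_sources(stats):
    """IPs that both log in successfully and reject the certificate."""
    return sorted(ip for ip, s in stats.items() if s["logins"] and s["alerts"])

# Constructed sample lines (documentation addresses), one log entry per line.
P = "May 10 06:48:00 imap-login: Info: "
SAMPLE = [
    P + "Login: user=<u@example.org>, method=PLAIN, rip=203.0.113.7, TLS",
    P + "Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, "
        "TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:"
        "ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46",
    P + "Aborted login (no auth attempts in 0 secs): user=<>, rip=198.51.100.9",
]
```

An address that appears in `mixed_sources` has at least one client that accepts the certificate and one that rejects it, which points at the trust store or a stored certificate exception on the failing device rather than at the server's chain file.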