SSL error: sslv3 alert certificate unknown
Klaus Tachtler
klaus at tachtler.net
Fri May 10 08:31:52 CEST 2019
Hello Frank,
have you included the "FullChain" of your certificate chain in Dovecot,
i.e., for example,
root certificate --> intermediate certificate(s) --> actual certificate?
For example:
/etc/dovecot/dovecot.conf
ssl_cert = </etc/letsencrypt/domain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/domain.tld/privkey.pem
Regards,
Klaus.
> Hello everyone,
>
> I have set up a mail server with Postfix and Dovecot; it runs well
> so far, but there are problems with one client.
> It is an Android phone with K-9 Mail. Recurring cyclically, from the
> dovecot log file:
>
> May 10 06:41:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<ypG/L4GICLzAqIKr>
> May 10 06:42:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<BVVQM4GIoMLAqIKr>
> May 10 06:43:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<HxPlNoGISMnAqIKr>
> May 10 06:44:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<+4l3OoGIxM/AqIKr>
> May 10 06:45:10 imap-login: Info: Disconnected (no auth attempts in
> 3 secs): user=<>, rip=196.52.43.131, lip=192.168.130.191, TLS
> handshaking: Disconnected, session=<ZhxMO4GIOuzENCuD>
> May 10 06:45:55 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<xycBPoGIbtbAqIKr>
> May 10 06:46:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<EgafQYGIGN3AqIKr>
> May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>,
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24201,
> TLS, session=<O1tNRIGINMCyDkTn>
> May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>,
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24202,
> TLS, session=<4qNNRIGINsCyDkTn>
> May 10 06:47:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<BOAsRYGI1uPAqIKr>
> May 10 06:48:23 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<j5rSRoGIoOiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<DrrXRoGIouiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<fFPdRoGIpOiyDkTn>
> May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<ffbiRoGIpuiyDkTn>
> May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<PsPqRoGIqOiyDkTn>
> May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<d5fvRoGIquiyDkTn>
> May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<19/1RoGIrOiyDkTn>
> May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<mtz7RoGIruiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<G8wDR4GIsOiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<u2kJR4GIsuiyDkTn>
> May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<wGAOR4GItOiyDkTn>
> May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in
> 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<29gTR4GItuiyDkTn>
> May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<RPseR4GIuOiyDkTn>
> May 10 06:48:51 imap-login: Info: Login: user=<foo at bar.de>,
> method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24225,
> TLS, session=<V9x8SIGImMCyDkTn>
> May 10 06:48:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<hOjJSIGIfOrAqIKr>
> May 10 06:49:56 imap-login: Info: Aborted login (no auth attempts in
> 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191,
> session=<+bJQTIGIyoLAqIKr>
>
> Certificates from Let's Encrypt are used; other clients
> (Thunderbird, Outlook and K-9 Mail on other phones) work
> flawlessly. The problem appears only with this user and fills
> the log file.
>
> # doveconf -n
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.24 (124e06aa)
> # OS: Linux 4.15.18-12-pve x86_64 CentOS Linux release 7.6.1810 (Core)
> # Hostname: xxxxx.xxx.de
> disable_plaintext_auth = no
> first_valid_uid = 1000
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> log_path = /var/log/dovecot.log
> login_greeting = IMAP Cluster ready.
> mail_fsync = always
> mail_gid = 1000
> mail_home = /srv/mail/mail_storage/%d/%n
> mail_location = maildir:~
> mail_privileged_group = vpostfix
> mail_uid = 1000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime for everypart
> extracttext vacation-seconds
> mbox_write_locks = fcntl
> mmap_disable = yes
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Spam {
> auto = subscribe
> special_use = \Junk
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> args = scheme=CRYPT username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> plugin {
> sieve = file:~/sieve;active=~/.dovecot.sieve
> sieve_before = /etc/dovecot/spam-global.sieve
> sieve_extensions = +vacation-seconds
> sieve_vacation_default_period = 1d
> sieve_vacation_max_period = 30d
> sieve_vacation_min_period = 0
> }
> postmaster_address = xxx at xxxxxx.de
> protocols = imap pop3 lmtp sieve
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = vpostfix
> mode = 0666
> user = vpostfix
> }
> unix_listener auth-userdb {
> group = vpostfix
> mode = 0600
> user = vpostfix
> }
> }
> service imap-login {
> process_min_avail = 1
> service_count = 1
> }
> service managesieve-login {
> inet_listener sieve {
> port = 4190
> }
> }
> ssl_cert = </etc/letsencrypt/live/xxxxxx.de/fullchain.pem
> ssl_key = # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
> args = username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> protocol lmtp {
> mail_plugins = " sieve"
> }
> protocol lda {
> mail_plugins = " sieve"
> }
> protocol imap {
> mail_max_userip_connections = 10
> }
>
> -------------------------- END doveconf --------------------------------
>
> Have I configured something wrong?
>
> Regards, Frank
Regards,
Klaus.
--
--------------------------------------------
e-Mail : klaus at tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
--------------------------------------------
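
One way to triage a log like the one quoted above, as an added example that is not part of the original thread: "SSL alert number 46" is `certificate_unknown` in RFC 5246, and OpenSSL reports it from `ssl3_read_bytes` when the alert was received from the peer, so the sketch counts successful logins and certificate alerts per remote IP. The names `records`, `summarize` and `CERT_ALERTS` and the sample addresses are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
RIP = re.compile(r"\brip=([0-9A-Fa-f.:]+)")
ALERT = re.compile(r"SSL alert\s+number\s+(\d+)")
# Constructed sample (documentation addresses), partly wrapped and quoted like a mail paste.
SAMPLE = """\
> May 10 06:47:41 imap-login: Info: Login: user=<foo@example.org>,
> method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=24201,
> TLS, session=<constructed1>
> May 10 06:48:23 imap-login: Info: Disconnected (no auth attempts in
> 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS
> handshaking: SSL_accept() failed: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert
> number 46, session=<constructed2>
May 10 06:48:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.171, lip=192.0.2.10, session=<constructed3>
"""

def records(text):
    """Yield one string per log record, undoing '> ' quoting and line wraps."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if RECORD_START.match(line):
            if current:
                yield current
            current = line
        elif current and line:
            current += " " + line
    if current:
        yield current

def summarize(text):
    """Per remote IP: successful logins and certificate alerts sent by the client."""
    stats = defaultdict(lambda: {"logins": 0, "cert_alerts": Counter()})
    for rec in records(text):
        rip, alert = RIP.search(rec), ALERT.search(rec)
        if not rip or "imap-login:" not in rec:
            continue
        entry = stats[rip.group(1)]
        if "Info: Login:" in rec:
            entry["logins"] += 1
        elif alert and int(alert.group(1)) in CERT_ALERTS:
            entry["cert_alerts"][CERT_ALERTS[int(alert.group(1))]] += 1
    return dict(stats)
```

Calling `summarize()` on the contents of the file named in `log_path` gives the per-IP counts; an address with both counts non-zero has connections that accept the certificate and connections that reject it.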