Problem with Dovecot 2.4.2 & debian 13

sebastian at debianfan.de sebastian at debianfan.de
Tue Jan 6 21:14:59 CET 2026


I got some info from Klaus - thank you.

I tried to check by using openssl:

There is one curious thing:

If I use the correct login & password - the following happened.

Is there possibly an error in the SSL?

The certificate is from letsencrypt.

# openssl s_client -crlf -connect localhost:993
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E8
verify return:1
depth=0 CN=mail.meinserver.de
verify return:1
---
Certificate chain
  0 s:CN=mail.meinserver.de
    i:C=US, O=Let's Encrypt, CN=E8
    a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
    v:NotBefore: Dec  2 22:48:29 2025 GMT; NotAfter: Mar  2 22:48:28 2026 GMT
  1 s:C=US, O=Let's Encrypt, CN=E8
    i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
    a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
    v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN=mail.meinserver.de
issuer=C=US, O=Let's Encrypt, CN=E8
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 3552 bytes and written 1613 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: 9FBE3CA427D651D0E56E983B084A9ED99141049F800A32FEEDA67CAEC4CFEFB5
     Session-ID-ctx:
     Resumption PSK: 89E92DBE92DBE92DBECBDE33GFHD92DBE92DBE92DBE92DBE92DBE92DBE92DBA
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)

     Start Time: 1767729991
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: DE35510E88B2D51A8F5903471C312397730AF1054AF2BAA14E51431BB264FCE2
     Session-ID-ctx:
     Resumption PSK: 4F15568E497052B8048C8001A9A0FD0C9542011A5E46EB7A2B8CCDAB54F60D5BDA7A148CD7DB66E85CF1D187C88A743F
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)

     Start Time: 1767729991
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
? login sebastian at meinserver.de meinpasswort
? OK Logged in, but initialization failed.
* BYE Internal error occurred. Refer to server log for more information.
closed
root at mail:# tail -f /var/log/dovecot-debug.log
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished: user=<>, rip=::1, lip=::1, TLS handshaking, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully: user=<>, rip=::1, lip=::1, TLS handshaking, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:06:42 imap(sebastian at meinserver.de)<1046><9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Jan 06 21:06:42 imap(sebastian at meinserver.de)<1046><9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Jan 06 21:06:42 imap(sebastian at meinserver.de)<1046><9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Jan 06 21:06:42 imap(sebastian at meinserver.de)<1046><9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so
Jan 06 21:06:42 imap-login: Debug: SSL alert: close notify: user=<sebastian at meinserver.de>, method=PLAIN, rip=::1, lip=::1, mpid=1046, TLS, session=<9iQ3tr1HWNIAAAAAAAAAAAAAAAAAAAAB>
^C


************************************************

If I use a wrong password - this happens:

# openssl s_client -crlf -connect localhost:993
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E8
verify return:1
depth=0 CN=mail.meinserver.de
verify return:1
---
Certificate chain
  0 s:CN=mail.meinserver.de
    i:C=US, O=Let's Encrypt, CN=E8
    a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
    v:NotBefore: Dec  2 22:48:29 2025 GMT; NotAfter: Mar  2 22:48:28 2026 GMT
  1 s:C=US, O=Let's Encrypt, CN=E8
    i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
    a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
    v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN=mail.meinserver.de
issuer=C=US, O=Let's Encrypt, CN=E8
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 3552 bytes and written 1613 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: BD5240541E4B03D26612C9180B01BF302BF44299B411E1328CC86E
     Session-ID-ctx:
     Resumption PSK: FD6537E7BCC3BCE65EE42B1B5B87F99BD7265
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)

     Start Time: 1767730315
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: 7C1B20AE8E8BA7E261473A7C93F3DB259E9EDA85F41F1E359598E4754D002CC6
     Session-ID-ctx:
     Resumption PSK: 25C4E0DFED01406E5D5B22C41DF9CEFEAD73046E34F7E83D79D6694ACDB3BA5378E53A947C3C1CFFE65C2902A47F1848
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)

     Start Time: 1767730315
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
? login sebastian at meinserver.de falschespasswort
? NO [AUTHENTICATIONFAILED] Authentication failed.

* BAD Error in IMAP command received by server.

* BAD Error in IMAP command received by server.

* BYE Too many invalid IMAP commands.
closed

# tail -f /var/log/dovecot-debug.log
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully: user=<>, rip=::1, lip=::1, TLS handshaking, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>
Jan 06 21:12:20 imap-login: Debug: SSL alert: close notify: user=<sebastian at meinserver.de>, method=PLAIN, rip=::1, lip=::1, TSL, session=<p+SCyb1H6MwAAAAAAAAAAAAAAAAAAAAB>






On 04.01.2026 at 05:18, Klaus Tachtler via Dovecot wrote:
> Hi Sebastian,
> 
> try in /etc/dovecot/conf.d/10-logging.conf or wherever your settings are:
> 
> log_debug = category=auth OR category=ssl
> 
> as syntax, then you have both category auth OR ssl inside the log (DO NOT use AND)!
> 
> See: https://doc.dovecot.org/2.4.2/core/config/events/filter.html#global-filter-syntax
> 
> Global Filter Syntax
> 
> Settings such as log_debug use the common filtering language. For example:
> 
> log_debug = (event=http_request_finished AND category=imap) OR \
>      (event=imap_command_finished AND user=testuser)
> 
> 
> Greetings
> Klaus.
> 
>> I have disabled apparmor - same log entry.
>>
>> How do I enable logging?
>>
>> I put:
>>
>> *****
>>
>> mail_debug = yes
>> auth_verbose = yes
>> log_debug = category=ssl
>> log_debug = category=auth
>> log_debug = category=mail
>> log_debug = category=imap
>>
>> debug_log_path = /var/log/dovecot-debug.log
>>
>> *****
>>
>> at the beginning of the config-file - but the dovecot-debug.log is empty.
>>
>>
>> On 02.01.26 at 22:26, Christian Boltz wrote:
>>> Hello,
>>>
>>> On Thursday, 1 January 2026, 21:38, sebastian--- via Dovecot wrote:
>>>> I built a new debian 13 system and tried to use dovecot 2.4.2 with
>>>> postfix & mysql.
>>> Very wild guess: Debian has AppArmor enabled by default, and Dovecot 2.4
>>> needs some additional permissions in the AppArmor profiles (and explodes
>>> without these permissions).
>>>
>>> I'd recommend to check for DENIED lines in your /var/log/audit/audit.log
>>>
>>> Assuming you find such DENIED lines for Dovecot:
>>> You can grab the latest Dovecot profiles from
>>> https://gitlab.com/apparmor/apparmor/-/tree/apparmor-4.1/profiles/apparmor.d
>>> and copy them to /etc/apparmor.d/ to get Dovecot working. Note that
>>> you'll also need to update abstractions/dovecot-common.
>>>
>>> If you still get DENIED log lines with the latest profiles, please tell
>>> me ;-)
>>>
>>> The better (but slower) fix would be an updated AppArmor package in
>>> Debian. Feel free to request that via the Debian bugtracker.
>>>
>>>
>>> Regards
>>>
>>> Christian Boltz
>>>
>>> PS: random signature, unrelated to the Dovecot profiles ;-)
> 
> 
> ----- End of message from sebastian--- via Dovecot <dovecot at listen.jpberlin.de> -----
> 
> 
> 
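
An added example, not part of the original thread: a small Python triage helper for a debug log like the one posted above, which rejoins the mail-wrapped records and reports per session how far each connection got. The log lines are constructed in the same shape as the post's; the session ids AAAA/BBBB, user@example.org and the function names are placeholders.

```python
import re

TS = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\b")
IMAP = re.compile(r"\bimap\(([^)]+)\)<(\d+)><([^>]+)>: (\w+): (.*)")
LOGIN = re.compile(r"\bimap-login: (\w+): (.*?session=<([^>]+)>)")
USER = re.compile(r"user=<([^>]+)>")
# Constructed sample, wrapped the way the mail client wrapped the posted log.
SAMPLE = """\
Jan 06 21:06:31 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully: user=<>, rip=::1, session=<AAAA>
Jan 06 21:06:42
imap(user@example.org)<1046><AAAA>:
Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Jan 06 21:06:42 imap-login: Debug: SSL alert: close notify:
user=<user@example.org>, method=PLAIN, mpid=1046, TLS, session=<AAAA>
Jan 06 21:11:55 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully: user=<>, rip=::1, session=<BBBB>
Jan 06 21:12:20 imap-login: Debug: SSL alert: close notify:
user=<user@example.org>, method=PLAIN, TLS, session=<BBBB>
""".splitlines()

def unwrap(lines):
    """Rejoin wrapped records; a new record starts with a timestamp."""
    records = []
    for line in filter(None, map(str.strip, lines)):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize_sessions(lines):
    """Map session id -> how far the connection got, as seen in this file."""
    out = {}
    for rec in unwrap(lines):
        m, n = IMAP.search(rec), LOGIN.search(rec)
        if m:    # record written by the post-login imap process
            user, pid, sid, level, msg = m.groups()
        elif n:  # record written by the pre-login imap-login process
            level, msg, sid = n.groups()
            user, pid = (USER.findall(msg) or [None])[0], None
        else:
            continue
        s = out.setdefault(sid, dict(tls_ok=False, user=None, imap_pid=None, modules=0, levels=set()))
        s["levels"].add(level)
        s["user"], s["imap_pid"] = user or s["user"], pid or s["imap_pid"]
        s["tls_ok"] = s["tls_ok"] or "SSL negotiation finished successfully" in msg
        s["modules"] += msg.startswith("Module loaded:")
    return out
```

A session with `imap_pid` set passed authentication and was handed to the imap process; one with `tls_ok` but no `imap_pid` stopped in imap-login. If `levels` holds only `Debug`, the text behind a server-side error is not in this file, since Dovecot writes error-level messages to `log_path` rather than `debug_log_path`.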


