Hello everyone,
After upgrading from 18.04 to 20.4 I get the following error message in the mail log when fetching via fetchmail:
    dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=127.0.0.1, lip=127.0.1.1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
Running
    openssl s_client -CApath /etc/ssl/certs -connect mail.xxx.de:imaps
gives me the following output:
    CONNECTED(00000003)
    depth=0 CN = mail.xxx.de
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = mail.xxx.de
    verify error:num=21:unable to verify the first certificate
    verify return:1
    depth=0 CN = mail.xxx.de
    verify return:1
    ...
Running
    c_rehash
brought no improvement. /etc/ssl/certs and /usr/lib/ssl/ exist and are linked via symlink.
A complete reinstall of
    openssl
and
    ca-certificates
brought no improvement either.
Extending 10-ssl.conf (one at a time) with the values
    ssl_client_ca_dir = /etc/ssl/certs
    ssl_client_ca_file = /etc/letsencrypt/cacert.pem
did not solve the problem.
Fetching via Thunderbird works fine. Only fetchmail and a Python script used in Conky to fetch mail do not work.
The 10-ssl.conf config currently looks like this:
    ##
    ## SSL settings
    ##

    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = yes

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </etc/letsencrypt/live/mail.xxx.de/cert.pem
    ssl_key = </etc/letsencrypt/live/mail.xxx.de/privkey.pem

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    #ssl_ca = </etc/ssl/certs/ca-bundle.crt
    ssl_ca = </etc/letsencrypt/live/mail.xxx.de/fullchain.pem
    ssl_client_ca_dir = /etc/ssl/certs

    # Require that CRL check succeeds for client certificates.
    #ssl_require_crl = yes

    # Directory and/or file for trusted SSL CA certificates. These are used only
    # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
    # directory is usually /etc/ssl/certs in Debian-based systems and the file is
    # /etc/pki/tls/cert.pem in RedHat-based systems.
    #ssl_client_ca_dir =
    #ssl_client_ca_file =

    # Request client to send a certificate. If you also want to require it, set
    # auth_ssl_require_client_cert=yes in auth section.
    #ssl_verify_client_cert = no

    # Which field from certificate to use for username. commonName and
    # x500UniqueIdentifier are the usual choices. You'll also need to set
    # auth_ssl_username_from_cert=yes.
    #ssl_cert_username_field = commonName

    # DH parameters length to use.
    #ssl_dh_parameters_length = 2048
    ssl_dh = </etc/dovecot/dh.pem

    # SSL protocols to use
    #ssl_protocols = !SSLv2
    #ssl_min_protocol = !SSLv2 !SSLv3
    ssl_min_protocol = TLSv1.2

    # SSL ciphers to use
    #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
    ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    # Prefer the server's order of ciphers over client's.
    #ssl_prefer_server_ciphers = no
    ssl_prefer_server_ciphers = yes

    # SSL crypto device to use, for valid values run "openssl engine"
    #ssl_crypto_device =

    # SSL extra options. Currently supported options are:
    # no_compression - Disable compression.
    #ssl_options =
As you can see from the commented-out lines, I have already tried quite a few things.
Before the upgrade to 20.04 everything ran without problems.
Does anyone here perhaps have a tip?
Many thanks, mike175de
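An added example, not from the post and not Dovecot's or OpenSSL's own code: it rebuilds offline the situation behind verify error 20 ("unable to get local issuer certificate") and error 21 ("unable to verify the first certificate") with a throw-away root -> intermediate -> leaf hierarchy made with the openssl CLI, then checks the same leaf as a strict client would, once with only the leaf and once with the intermediate supplied alongside it, as a fullchain.pem does. It assumes an openssl binary on PATH; the hostname mail.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from the post: rebuild offline the situation behind
# verify error 20 ("unable to get local issuer certificate") and 21 ("unable to
# verify the first certificate"). A throw-away root -> intermediate -> leaf
# hierarchy is created with the openssl CLI; mail.example.test and all file
# names are constructed for this demo (the post's host is mail.xxx.de).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run quietly; exit status is preserved

# Extension profiles: issuing certificates must carry CA:TRUE to build a chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# 1. Root CA: the only certificate the client has in its trust store (/etc/ssl/certs).
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA"
q openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext

# 2. Intermediate CA, signed by the root. This is the piece a bare cert.pem never carries.
q openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA"
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 30 -extfile ca.ext

# 3. Leaf for the mail server, signed by the intermediate (the equivalent of cert.pem).
q openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=mail.example.test"
q openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out cert.pem -days 30 -extfile leaf.ext
cat cert.pem inter.pem > fullchain.pem   # leaf followed by intermediate, like a Let's Encrypt fullchain.pem

# Emulate a strict client (fetchmail, openssl s_client -CApath ...): it trusts only
# the root store and may use, as untrusted intermediates, only what the server sent.
# $1 = leaf presented by the server, $2 = optional intermediate bundle sent with it.
verify_as_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1"
  else
    openssl verify -CAfile root.pem "$1"
  fi
}

# Server configured with ssl_cert = </path/cert.pem: only the leaf reaches the client.
leaf_only_verifies()  { verify_as_client cert.pem; }
# Server configured with ssl_cert = </path/fullchain.pem: leaf and intermediate both arrive.
full_chain_verifies() { verify_as_client cert.pem inter.pem; }

leaf_only_verifies  || echo "leaf only: verification FAILS (error 20/21, as in the s_client output)"
full_chain_verifies && echo "leaf + intermediate: verification OK"
```

A client that already has the intermediate cached or fetches it on its own (as a desktop mail client may) will not show the difference; a strict client sees exactly what the server sends.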