Configuring Dovecot to use Let’s Encrypt Certificates with SSL/TLS.
1. What the help pages tell you.
2. What they don’t tell you.
This one baffled me for hours. The Dovecot documentation and almost every johnny-come-lately website in the world tells you that all you need to do is edit /etc/dovecot/conf.d/10-ssl.conf to ensure that SSL/TLS support is turned on and that the SSL certificate and private key files can be found, i.e.
ssl = yes
ssl_cert = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<imap.domain.tld>/privkey.pem
Setting ssl to yes rather than required allows a client that cannot use SSL/TLS to log in without it.
You can allow plaintext authentication mechanisms, since they will be used inside the encrypted link, by editing 10-auth.conf, i.e.
disable_plaintext_auth = no
You can test your configuration from the command line using openssl. What you will find is that although SSL appears to be available, no certificate is sent and you never reach the IMAP dialogue, e.g.
openssl s_client -connect <imap.example.tld>:993 -servername <imap.example.tld>
This will return something like:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 330 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1598733295
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The problem seems to be that although the certificate is right there in fullchain.pem, Dovecot doesn’t seem to recognise it. Specifying ssl_ca in 10-ssl.conf seems to rectify the problem.
ssl = yes
ssl_cert = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<imap.domain.tld>/privkey.pem
ssl_ca = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
Running the openssl test from the command line again now retrieves the certificate.
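For comparison, here is the same 10-ssl.conf / 10-auth.conf configuration as this post ends up with, alongside a tightened variant. This is an added example, not the post’s own file: the paths are the post’s placeholders, the ssl_ca line is kept as the post uses it, and the settings ssl_min_protocol and ssl_prefer_server_ciphers assume Dovecot 2.3 or later (2.2 used ssl_protocols instead).

```conf
# --- As configured in the post (permissive) ---
ssl = yes                      # TLS offered, but a client may still log in without it
ssl_cert = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
ssl_key  = </etc/letsencrypt/live/<imap.domain.tld>/privkey.pem
ssl_ca   = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
# 10-auth.conf
disable_plaintext_auth = no    # PLAIN/LOGIN accepted on unencrypted connections too

# --- Tightened variant (added example) ---
ssl = required                 # every non-local client must negotiate TLS before authenticating
ssl_cert = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
ssl_key  = </etc/letsencrypt/live/<imap.domain.tld>/privkey.pem
ssl_ca   = </etc/letsencrypt/live/<imap.domain.tld>/fullchain.pem
ssl_min_protocol = TLSv1.2     # Dovecot 2.3+; refuses TLS 1.0/1.1 handshakes
ssl_prefer_server_ciphers = yes
# 10-auth.conf
disable_plaintext_auth = yes   # default: PLAIN/LOGIN still work over TLS, but the server
                               # advertises LOGINDISABLED on unencrypted connections
auth_mechanisms = plain login
```

The point of the tightened variant is that PLAIN and LOGIN do not need disable_plaintext_auth = no to work over TLS: with the default of yes, Dovecot accepts them once the connection is encrypted (implicit TLS on 993 or after STARTTLS on 143) and only refuses them in the clear. After editing, doveconf -n | grep -E 'ssl|plaintext' shows the values actually in effect, and the openssl tests below confirm what the server sends.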
openssl s_client -connect <imap.example.tld>:993 -servername <imap.example.tld>
This will now return something like this:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = imap.example.tld
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=imap.example.net
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=imap.example.tld
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3228 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6828869060C625E351EB70E7CA6EA9B533A4BCF5BBBAA3940AFAC27695A7EF32
Session-ID-ctx:
Master-Key: 34B63AD7EC659FE1AE1C9109789CEB7740C0A9B2224C4C8DDC6538E97992CCF96AA152D7E8839647218F70870D89CADD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 11 0e a7 ff 5f 7c 63 22-78 de 24 1d 29 cc f6 ba ...._|c"x.$.)...
0010 - a7 03 14 ec 63 97 e6 44-87 4e 7c 43 a6 49 45 e1 ....c..D.N|C.IE.
0020 - 84 3f 2c d9 a9 45 b6 24-fe 61 9d 68 c5 3c fe 6a .?,..E.$.a.h.<.j
0030 - fc 68 c1 c5 21 b9 49 d7-a6 2c 47 fa 02 a8 0e 68 .h..!.I..,G....h
0040 - 47 7e f8 66 65 24 06 4a-16 09 9b ac 39 4b 8e ca G~.fe$.J....9K..
0050 - 1e bf 8e 47 5f 4b 50 b6-8d c6 4d 37 04 29 70 f6 ...G_KP...M7.)p.
0060 - 29 83 eb 4b 6a 41 1a a9-20 9f 10 19 45 34 eb 85 )..KjA.. ...E4..
0070 - 49 ee 4b b0 7c 0b 69 ed-24 0f b9 d5 b0 07 df 04 I.K.|.i.$.......
0080 - 8f 30 49 2f 03 32 c3 a8-c1 32 48 b1 98 5b 2b 67 .0I/.2...2H..[+g
0090 - 80 a2 79 f1 90 52 8b 45-e2 e8 e8 72 62 22 f0 6e ..y..R.E...rb".n
00a0 - 12 ef 5f ae 97 fc 03 26-3a 47 c6 75 eb 4f 33 90 .._....&:G.u.O3.
Start Time: 1598734284
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
So now we know SSL is working on port 993, but we probably also want reassurance that it’s working on port 143 with STARTTLS.
The command for this is:
openssl s_client -connect <imap.example.tld>:143 -starttls imap -servername <imap.example.tld>
We now get output similar to that above, showing the certificate being sent followed by the IMAP prompt from port 143 where TLS has been started. You can, if you wish, go further and log in, e.g.
a login <username> <password>
* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED
I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY
LITERAL+ NOTIFY SPECIAL-USE
a OK Logged in
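The two openssl checks above (implicit TLS on 993, STARTTLS on 143) are easy to misread, because the broken transcript at the top of this post still ends with "Verify return code: 0 (ok)". The script below is an added example, not part of the original post: it wraps both probes in functions and turns an s_client transcript into a pass/fail verdict that looks for the actual failure symptom ("no peer certificate available") before trusting the verify code. The host name imap.example.tld is the post’s placeholder; set IMAP_HOST to your own server and run it with --run.

```sh
#!/bin/sh
# Added example: probe a Dovecot server the way the post does and judge the result.
# Assumes openssl(1) is installed; IMAP_HOST is a placeholder you override.

IMAP_HOST="${IMAP_HOST:-imap.example.tld}"

# probe_imaps: implicit TLS on 993, the post's first test.
# A LOGOUT is piped in so s_client returns instead of waiting for input.
probe_imaps() {
    printf 'a LOGOUT\r\n' | openssl s_client -connect "$1:993" -servername "$1" 2>&1
}

# probe_starttls: plain 143 upgraded with STARTTLS, the post's second test.
probe_starttls() {
    printf 'a LOGOUT\r\n' | openssl s_client -connect "$1:143" -starttls imap -servername "$1" 2>&1
}

# tls_verdict: read an s_client transcript on stdin.
# Exit 0 only if a certificate was sent, the chain verified and Dovecot greeted us.
# The order matters: the failing transcript in the post reports
# "Verify return code: 0 (ok)" even though no certificate was sent at all.
tls_verdict() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'no peer certificate available'; then
        echo "FAIL: server sent no certificate (the symptom described in the post)"
        return 1
    fi
    if ! printf '%s\n' "$transcript" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo "FAIL: no PEM certificate in the transcript"
        return 1
    fi
    if ! printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        echo "FAIL: certificate chain did not verify"
        return 1
    fi
    if ! printf '%s\n' "$transcript" | grep -q '^\* OK .*Dovecot ready'; then
        echo "FAIL: TLS came up but no IMAP greeting followed"
        return 1
    fi
    echo "OK: certificate sent, chain verified, IMAP greeting received"
    return 0
}

# Run both probes against a live server only when asked to.
if [ "${1:-}" = "--run" ]; then
    echo "== $IMAP_HOST:993 (implicit TLS) =="
    probe_imaps "$IMAP_HOST" | tls_verdict
    echo "== $IMAP_HOST:143 (STARTTLS) =="
    probe_starttls "$IMAP_HOST" | tls_verdict
fi
```

Running it as IMAP_HOST=imap.example.tld sh check_imap_tls.sh --run prints one verdict per port; a FAIL on the first check is exactly the state the post describes before ssl_ca was added, and a FAIL on the last check means TLS negotiated but Dovecot never sent its greeting, which points at the imap service rather than the certificate.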
Easy once you know how innit.
29 Aug 2020.
Copyright
© 2003-2018
Clifford W Fulford.
Fulford Consulting Ltd.
Regd. Co. 4250037 in England & Wales.
Regd. office 162, Edward Rd. Nottingham NG2 5GF, England, UK.