Dovecot handshake failure, on Postfix success

John WH Smith asked:

I am trying to set up a Dovecot/Postfix structure, relying on a MySQL backend. I came across a problem with SSL configuration, and it’s really tearing my hair out…

Situation

Dovecot listens on port 993 (IMAPs) and 995 (POP3s). I use the following command to test the connection:

openssl s_client -connect myserver.tld:993
openssl s_client -connect myserver.tld:995

The following error occurs:

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I’ve made the same tests forcing ssl2, ssl3 and tls1, same thing. Now, when I run the same test on port 465 (SMTPs by Postfix):

openssl s_client -connect myserver.tld:465

I get a magical 220 myserver.tld ESMTP Postfix (Debian/GNU). Wonderful. MySQL-based authentication even works! The problem is that Dovecot cannot initiate the SSL connection properly, when Postfix can. Both services share the same configuration, Postfix even uses Dovecot authentication.

Configuration

Dovecot configuration:

ssl = required
ssl_cert = </etc/ssl/myserver/myserver.tld.crt
ssl_key = </etc/ssl/myserver/myserver.tld.key
ssl_verify_client_cert = no
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5

Postfix main configuration:

smtpd_tls_cert_file = /etc/ssl/myserver/myserver.tld.crt
smtpd_tls_key_file = /etc/ssl/myserver/myserver.tld.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 3
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

Postfix master configuration:

smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

The SSL certificate is self-signed, I generated it myself. Over SMTP, it looks just fine.

Logs

pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<ffu9UFnxZQBtvqmF>

(I get an “unknown protocol” when trying ssl2 or tls1 with the openssl s_client utility)

Does anyone know where I made the configuration mistake for Dovecot?

My answer:

You have actually disabled SSLv2, SSLv3, and TLSv1.0 in Dovecot.

ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5

This is a problem because some clients don’t yet speak TLSv1.1/TLSv1.2, your only remaining choices.

Try not disabling TLSv1.0 and see if you get any farther.
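Before restarting Dovecot it helps to see what a given ssl_cipher_list actually leaves negotiable for each protocol version. The following is an added check, not part of the question or the answer: it feeds the cipher string from the question to OpenSSL through Python's ssl module and groups the surviving suites by the protocol they require. One caveat worth knowing: OpenSSL tags the suites that TLS 1.0 and TLS 1.1 can use as "SSLv3", so the !SSLv3 keyword strips those as well, leaving only TLS 1.2-specific suites. The RELAXED_CIPHERS string is an assumed comparison value, not taken from the page.

```python
"""Show which cipher suites an OpenSSL cipher string keeps, per protocol version."""
import ssl

# Cipher string exactly as it appears in the Dovecot configuration in the question.
QUESTION_CIPHERS = "HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5"
# Assumed comparison value: the same list without the protocol-keyed exclusions.
RELAXED_CIPHERS = "HIGH:!aNULL:!MD5"


def suites_by_protocol(cipher_string):
    """Return {protocol_tag: [suite names]} for the TLS <= 1.2 suites the string keeps.

    OpenSSL tags every suite with the oldest protocol that can carry it:
    'SSLv3'   -> usable by SSLv3, TLS 1.0 and TLS 1.1 (and TLS 1.2),
    'TLSv1.2' -> AEAD/SHA-2 suites that need TLS 1.2.
    TLS 1.3 suites are configured separately in OpenSSL and are skipped here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that leaves no suite at all.
        return {}
    result = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        result.setdefault(suite["protocol"], []).append(suite["name"])
    return result


def negotiable_with(cipher_string, client_max_version):
    """Count suites a client that tops out at client_max_version could negotiate."""
    by_proto = suites_by_protocol(cipher_string)
    if client_max_version in ("TLSv1", "TLSv1.1"):
        # Such a client can only use the SSLv3-tagged suites.
        return len(by_proto.get("SSLv3", []))
    return sum(len(names) for names in by_proto.values())


if __name__ == "__main__":
    for label, cs in (("question", QUESTION_CIPHERS), ("relaxed", RELAXED_CIPHERS)):
        for proto, names in sorted(suites_by_protocol(cs).items()):
            print(f"{label:8} {proto:8} {len(names):3} suites, e.g. {names[0]}")
        print(f"{label:8} usable by a TLS 1.0 client: {negotiable_with(cs, 'TLSv1')}")
```

Run it on the server that will host Dovecot, since the result depends on the OpenSSL build Dovecot links against.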
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.