StartSSL cert doesn't work with Dovecot/OpenSMTPD


Solution 1

I finally found how to make my StartSSL certificate work with Dovecot and OpenSMTPD (5.4.2p1):

For Dovecot, you need to concatenate the key and the certificate into a PEM file (thanks @Alexus) and add these lines to your Dovecot configuration file:

# blablabla
ssl = required
ssl_key =   </home/mail/ssl/dovecot.pem # Key
ssl_cert =  </home/mail/ssl/dovecot.pem # Certificate
ssl_ca =    </home/mail/ssl/ca-bundle.pem # Server Certificate Bundle with CRLs
# blablabla

See http://wiki.dovecot.org/SSL/DovecotConfiguration for more information. The ca-bundle.pem comes from StartSSL.

For OpenSMTPD, it took me a long time to understand that it already works perfectly:

I used Thunderbird to test the connection to Dovecot & OpenSMTPD; however, a "bug" in Thunderbird made me think that OpenSMTPD was misconfigured:

https://github.com/OpenSMTPD/OpenSMTPD/issues/451

To use Thunderbird with OpenSMTPD, you must select STARTTLS for authentication to your SMTP server, otherwise you'll get this error when trying to connect:

Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: New session 8b475ba3c3415a4d from host 37-161-XX-XX.coucou-networks.fr [37.161.XX.XX]
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Bad input on session 8b475ba3c3415a4d: 500 5.5.1 Invalid command: Pipelining not supported
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Closing session 8b475ba3c3415a4d

My smtpd.conf:

pki <hostname> key         "/home/mail/ssl/opensmtpd.key"
pki <hostname> certificate "/home/mail/ssl/opensmtpd.crt"
pki <hostname> ca          "/home/mail/ssl/ca-bundle.pem"

listen on eth0 port 25 hostname <hostname> tls pki <hostname>
listen on eth0 port 587 hostname <hostname> tls-require pki <hostname> auth mask-source

PS: Key and cert are in different files for OpenSMTPD, not in a single .pem like for Dovecot.

Solution 2

Per the document you provided, try putting just the private key & certificate into a .pem and using the same file for ssl_cert and ssl_key.

The following is from my own system:

[root@j /usr/local/etc/dovecot/conf.d]# grep ^ssl_ 10-ssl.conf 
ssl_cert = </usr/local/etc/dovecot/alexus.biz.pem
ssl_key = </usr/local/etc/dovecot/alexus.biz.pem
[root@j /usr/local/etc/dovecot/conf.d]# grep ^- /usr/local/etc/dovecot/alexus.biz.pem 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[root@j /usr/local/etc/dovecot/conf.d]# 
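The two answers above describe the same material laid out two ways: one combined key+certificate PEM for Dovecot (Solution 2) and separate key and certificate files for OpenSMTPD's `pki` lines (Solution 1). The script below is an added example, not code from either answer: it builds the combined PEM, splits it back into the two OpenSMTPD files, and performs the checks a practitioner wants before reloading either daemon: that the private key actually belongs to the certificate, and that the Dovecot `ssl_key` value carries the leading `<` (without it Dovecot parses the value as inline PEM text, which is what produces "no start line: Expecting: ANY PRIVATE KEY"). It assumes `openssl` and `awk` are in PATH and uses a constructed throwaway self-signed key/cert under `$WORK` in place of the real StartSSL files and the `/home/mail/ssl` paths.

```shell
#!/bin/sh
# Added example (not from the original answers): build the key+cert PEM that
# Dovecot's ssl_key/ssl_cert point at, split it into the separate key and
# certificate files OpenSMTPD's pki lines expect, and sanity-check both.
# Assumptions: openssl(1) and awk(1) in PATH; every path below is a constructed
# throwaway file under $WORK, standing in for the real StartSSL material.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the StartSSL key and certificate: a throwaway
# self-signed pair (the real files would come from StartSSL instead).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mail.example.test" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" >/dev/null 2>&1
}

# Dovecot layout: private key first, then the certificate, in one file that
# both ssl_key and ssl_cert point at. Keep it readable by root only.
build_dovecot_pem() {
  key="$1"; cert="$2"; out="$3"
  cat "$key" "$cert" > "$out"
  chmod 600 "$out"
}

# OpenSMTPD layout: the PRIVATE KEY block goes to one file, every CERTIFICATE
# block (leaf plus any chain that follows it) to another.
split_pem_for_opensmtpd() {
  pem="$1"; keyout="$2"; certout="$3"
  : > "$keyout"; : > "$certout"
  chmod 600 "$keyout"
  awk -v k="$keyout" -v c="$certout" '
    /^-----BEGIN .*PRIVATE KEY-----/ { out = k }
    /^-----BEGIN CERTIFICATE-----/   { out = c }
    out != ""                        { print > out }
    /^-----END /                     { out = "" }
  ' "$pem"
}

# True if the file carries both a private key block and a certificate block.
pem_has_key_and_cert() {
  grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"
}

# True if the public half of the private key equals the certificate's public
# key (both printed as SubjectPublicKeyInfo PEM by openssl). Also works with
# the same combined Dovecot file passed as both arguments.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Dovecot treats an ssl_key value as the PEM text itself unless it starts
# with '<'; a bare path therefore fails with "no start line: Expecting: ANY
# PRIVATE KEY". True only for a '<path' value whose file holds a private key.
check_dovecot_ssl_key_setting() {
  case "$1" in
    '<'*) f="${1#<}"
          [ -r "$f" ] && grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$f" ;;
    *)    return 1 ;;
  esac
}

make_test_material
build_dovecot_pem "$WORK/test.key" "$WORK/test.crt" "$WORK/dovecot.pem"
split_pem_for_opensmtpd "$WORK/dovecot.pem" "$WORK/opensmtpd.key" "$WORK/opensmtpd.crt"

if key_matches_cert "$WORK/opensmtpd.key" "$WORK/opensmtpd.crt"; then
  echo "OpenSMTPD key and certificate match"
else
  echo "OpenSMTPD key does NOT match the certificate" >&2
fi
if check_dovecot_ssl_key_setting "<$WORK/dovecot.pem"; then
  echo "ssl_key = <$WORK/dovecot.pem is usable by Dovecot"
fi
if ! check_dovecot_ssl_key_setting "$WORK/dovecot.pem"; then
  echo "a bare path without '<' is the 'no start line' misconfiguration" >&2
fi
```

Point `build_dovecot_pem` at the real key and certificate to reproduce the `dovecot.pem` from Solution 1, and feed the result to `split_pem_for_opensmtpd` to get the `opensmtpd.key` / `opensmtpd.crt` pair for the `pki` lines; `key_matches_cert` is the check worth running whenever a certificate is renewed, since a stale key next to a fresh certificate fails only at handshake time.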


Author: Benjamin CHAINTREUIL

Updated on September 18, 2022

Comments

  • Benjamin CHAINTREUIL (over 1 year)

    I have an issue with my StartSSL certificate. When I try to use it to activate SSL encryption on Dovecot, I get the following error in my log when a client attempts a connection to the IMAP server:

    dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
    dovecot: master: Error: service(imap-login): command startup failed, throttling for 16 secs
    

    However, I followed this tutorial: "SSL how to: install ssl on Dovecot IMAP serer | ErlyCoder", and my private key (without passphrase) and the certificate are present where they must be, so I don't understand why it doesn't work.

    In my dovecot.conf file:

    ssl_key =   /home/mail/ssl/****.key
    ssl_cert =  /home/mail/ssl/****.pem
    

    The certificate file contains, in this order:

    • My certificate
    • The sub.class1.server.ca.pem content from StartSSL
    • The ca.pem content from StartSSL

    OS : Debian 8

    Thanks

  • Benjamin CHAINTREUIL (over 8 years)

    Yeah, it works, but just for Dovecot :( I modified my dovecot.conf file like you said (adding "<" before the file paths). I just added another line to complete my configuration (ssl_ca) with the file from StartSSL: startssl.com/certs/ca-bundle.pem. OpenSMTPD isn't compatible with .pem files; how can I configure it?