[Postfixbuch-users] startssl and Thunderbird

Soeren Mindorf soeren at mindorf.org
Sat Sep 18 08:48:33 CEST 2010


Hello everyone,

I'm turning to you today because I simply can't get any further.
For my private mail server (Postfix with courier-imap) I got a free
startssl certificate.

So far so good.
With MS Outlook I can receive and send mail and my certificate is
valid. But Thunderbird wants to install the certificate. :-(

In the maillog I see the following:

Sep 18 08:24:51 otherland imapd-ssl: couriertls: accept:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

this is what my imap-ssl looks like:

SSLPORT=993
SSLADDRESS=-MYSERVERIP-
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
COURIERTLS=/usr/sbin/couriertls
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH"
# the second assignment overrides the first; only "HIGH:MEDIUM" is in effect
TLS_CIPHER_LIST="HIGH:MEDIUM"
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
TLS_TRUSTCERTS=/etc/courier/ca-bundle.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

the part in Postfix:

### SSL
# tls config
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/mail.mindorf-online.de.key
smtpd_tls_cert_file = /etc/postfix/mail.mindorf-online.de.crt
smtpd_tls_CAfile = /etc/courier/ca-bundle.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_random_prng_update_period = 3600s

And the output of "openssl s_client -connect
mail.mindorf-online.de:993 -CAfile ca-bundle.crt":

otherland:/etc/courier # openssl s_client -connect mail.mindorf-online.de:993 -CAfile ca-bundle.crt
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 /description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not
Validated/OU=StartCom Free Certificate
Member/CN=mail.mindorf-online.de/emailAddress=postmaster at mindorf-online.de
verify return:1
---
Certificate chain
0 s:/description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not
Validated/OU=StartCom Free Certificate
Member/CN=mail.mindorf-online.de/emailAddress=postmaster at mindorf-online.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
---
Server certificate
...
subject=/description=258305-Q3Ms1OmnG0yalL3v/C=DE/O=Persona Not
Validated/OU=StartCom Free Certificate
Member/CN=mail.mindorf-online.de/emailAddress=postmaster at mindorf-online.de
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5457 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1C93E88E1DB0AAE7B1A2827825D3D642230BC43A37C0A7411FC61A055368D398
    Session-ID-ctx:
    Master-Key:
B4132C62B38600D761A29072C1CAFA4DB1A57573EFB2A58C9F7BBD5ED263548E085F5CFA4954774B09687188324F361E
    Key-Arg   : None
    Start Time: 1284740162
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
Inc.  See COPYING for distribution information.


Does any of you happen to know why Thunderbird won't cooperate?


Thanks and regards
Sören


-- 
Soeren Mindorf
IT systems administrator

There is no refuge from memory and remorse in this world. The spirits
of our foolish deeds haunt us, with or without repentance. -Gilbert
Parker-
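As an added check, not part of the original post: an "unknown ca" alert from a client means it could not link the certificates the server sent to a root it already trusts, so the first thing to separate is "server sent an incomplete or mis-ordered chain" from "client trust store lacks the root". This small Python parser reads the `openssl s_client` output quoted above, lists the chain in the order it was sent, flags any issuer/subject mismatch between consecutive certificates, and reports which issuer the client must trust plus openssl's own verdict. The embedded sample is a constructed, abridged copy of the output above with the mail-wrapped lines joined.

```python
import re

# Constructed sample: an abridged copy of the s_client output quoted in the post,
# with the mail-wrapped lines joined back together.
SAMPLE_OUTPUT = """Certificate chain
 0 s:/C=DE/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=mail.mindorf-online.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
    Verify return code: 0 (ok)
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(output):
    """Summarise what a client sees: chain order, where trust must come from, openssl's verdict."""
    chain = parse_chain(output)
    # Each certificate's issuer should be the subject of the next one sent;
    # a mismatch means an intermediate is missing or out of order.
    breaks = [f"{s} is issued by {i}, but the next certificate sent is {n}"
              for (s, i), (n, _) in zip(chain, chain[1:]) if i != n]
    m = VERIFY_CODE.search(output)
    return {
        "chain": chain,
        "breaks": breaks,
        # The client must already trust this issuer (or the root itself) for the chain to close.
        "trust_anchor_issuer": chain[-1][1] if chain else None,
        "root_sent": bool(chain) and chain[-1][0] == chain[-1][1],
        "verify_ok": m is not None and m.group(1) == "0",
    }
```

A clean result here (no breaks, verify ok) means the server side presents a complete chain, so a client that still alerts "unknown ca" is failing on its own trust store, which a server-side CA bundle cannot diagnose.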


