Dovecot
Dovecot "Can't load SSL certificate"
I have spent a lot of time trying to get Dovecot to work. Whenever I try to connect, it keeps throwing the following message:
May 15 02:55:20 yoshi128k dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default
May 15 02:55:20 yoshi128k dovecot: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs)
Here is the output of doveconf -n:
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: 'imaps' protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: 'pop3s' protocol is no longer necessary, remove it
# OS: Linux 4.19.0-16-amd64 x86_64 Debian 10.9 ext4
# Hostname: yoshi128k.mooo.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:/var/mail/vhosts/%d/%n/
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = postmaster at yoshi128k.tk
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_key_password = # hidden, use -P to show it
ssl_min_protocol = SSLv3
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
I do have 10-ssl.conf pointing at my certificate file, so I am not quite sure what is going on.
Edit: here is the output of OpenSSL's s_client:
root@yoshi128k:/etc/postfix# openssl s_client -connect mail.yoshi128k.tk:143 -starttls imap
CONNECTED(00000003)
139987247760512:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 345 bytes and written 345 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Apparently, the problem all along was an invalid entry in openssl.cnf.
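The logged error, `ssl_do_config:bad value: section=system_default`, is raised by OpenSSL rather than by Dovecot: when a process creates an SSL context, OpenSSL applies the commands in the section that openssl.cnf wires up as `system_default`, and a recognised command whose argument it cannot parse fails context creation outright. That is why Dovecot reports "Can't load SSL certificate" even though the certificate path in 10-ssl.conf is correct, and why the same file can break every OpenSSL consumer on the host, not just Dovecot. The Python script below is an added example for this thread (not code from the original post, from Dovecot or from OpenSSL) that parses an openssl.cnf-style file, follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain and checks the resolved section against the command names and protocol spellings documented in SSL_CONF_cmd(3). The sample configuration, including its `TLSv1.0` typo, is constructed for the example; the section names follow the layout Debian ships, and the parser is deliberately minimal (no `.include`, no quoted values).

```python
"""Sanity-check the OpenSSL system-default section that Dovecot inherits.

Added example for this thread; not code from the original post, Dovecot or
OpenSSL. The sample configs below are constructed, not the asker's files.
"""
import re
from typing import Dict, List, Optional, Tuple

# Command names SSL_CONF_cmd(3) accepts from a configuration file.
SSL_CONF_COMMANDS = {
    "CipherString", "Ciphersuites", "Certificate", "PrivateKey",
    "ChainCAFile", "ChainCAPath", "VerifyCAFile", "VerifyCAPath",
    "ServerInfoFile", "DHParameters", "RecordPadding",
    "SignatureAlgorithms", "ClientSignatureAlgorithms", "Curves", "Groups",
    "MinProtocol", "MaxProtocol", "Protocol", "Options", "VerifyMode",
    "ClientCAFile", "ClientCAPath", "RequestCAFile", "RequestCAPath",
}
# Spellings accepted for MinProtocol / MaxProtocol ("TLSv1.0" is not one).
PROTOCOL_VALUES = {"None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3",
                   "DTLSv1", "DTLSv1.2"}
MODERN_MIN = {"TLSv1.2", "TLSv1.3"}

# Constructed sample modelled on Debian's /etc/ssl/openssl.cnf layout.
BROKEN_CNF = """
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0      # typo: OpenSSL spells this TLSv1
CipherString = DEFAULT@SECLEVEL=2
"""
FIXED_CNF = BROKEN_CNF.replace("TLSv1.0", "TLSv1.2")


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse OpenSSL's [section] / key = value format.

    Simplified: '#' starts a comment, .include is ignored, and the unnamed
    region before the first section header is stored under the key ''.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def resolve_system_default(sections: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Follow openssl_conf -> ssl_conf -> system_default to the section that
    OpenSSL applies to every new SSL context. None means the chain is not
    wired up, in which case OpenSSL applies no system defaults at all."""
    init_sect = sections[""].get("openssl_conf")
    ssl_sect = sections.get(init_sect, {}).get("ssl_conf") if init_sect else None
    if not ssl_sect:
        return None
    return sections.get(ssl_sect, {}).get("system_default")


def check_system_default(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the system-default section.

    'error' marks what OpenSSL rejects at context creation (the 'unknown
    command' / 'bad value' failures behind Dovecot's "Failed to initialize
    SSL server context"); 'warning' marks settings that load but are weak.
    """
    sections = parse_cnf(text)
    target = resolve_system_default(sections)
    if target is None:
        return [("warning", "no system_default section is wired up")]
    if target not in sections:
        return [("error", f"system_default points at missing section [{target}]")]
    findings: List[Tuple[str, str]] = []
    for cmd, arg in sections[target].items():
        if cmd not in SSL_CONF_COMMANDS:
            findings.append(("error", f"[{target}] {cmd}: unknown command"))
        elif cmd in ("MinProtocol", "MaxProtocol") and arg not in PROTOCOL_VALUES:
            findings.append(("error", f"[{target}] {cmd} = {arg}: bad value"))
        elif cmd == "MinProtocol" and arg not in MODERN_MIN:
            findings.append(("warning",
                             f"[{target}] MinProtocol = {arg} allows pre-TLS1.2 clients"))
    return findings


if __name__ == "__main__":
    for label, cnf in (("broken", BROKEN_CNF), ("fixed", FIXED_CNF)):
        print(label, check_system_default(cnf) or "no findings")
```

To run it against the real file, pass `open("/etc/ssl/openssl.cnf").read()` to `check_system_default`; anything it tags `error` will surface in whichever daemon happens to start next, which is what makes this class of failure confusing to attribute. The posted `doveconf -n` also shows `ssl_min_protocol = SSLv3` and `disable_plaintext_auth = no`; once the context loads, raising Dovecot's own minimum to TLSv1.2 and disabling plaintext authentication closes two further weaknesses the same output reveals.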