LE certificate doesn't work with courier-imapd-ssl


#1

Hey!

I requested an LE certificate for use with a mail server (courier-imapd-ssl).
For Postfix it works like a charm, but with Courier it doesn't work.

If I switch the certificates, I can't log in to Courier anymore, and Courier reports an error:

imapd-ssl: Could not negotiate a supported cipher suite.

Debug doesn’t show any useful information at all. :-/

I didn't change any other settings except the certificate files.

Config from courier-imapd-ssl:

TLS_TRUSTCERTS=/etc/ssl/newcerts/addtrust_comodo_bundle.crt
#TLS_TRUSTCERTS=/etc/letsencrypt/live/ambiente.one/fullchain.pem

TLS_CERTFILE=/etc/ssl/newcerts/mail.ambiente.one_courier.crt
#TLS_CERTFILE=/etc/letsencrypt/live/ambiente.one/cert.pem

Does anybody have an idea!?

Kind regards
Alex


#2

Oh fuck, dude, you have just given us the private key of your Comodo certificate. Revoke it immediately.


#3

Aha, and now?

I don't know how to merge courier-imapd-ssl with Let's Encrypt, because just the certs seem to be the problem.

So do I need to share this shit or not? -.-

BTW: Where did I share the privkey? Is it within the bundle?


#4

On your site you have uploaded the private key of your mail server. Now all connections to it can be intercepted without being noticed.

It’s in mail.ambiente.one_courier.crt


#5

Anyway, shall we start fixing the Let's Encrypt ones?


#6

I think your TLS_CERTFILE should contain both certificate and private key. Based on your unlucky experience.


#7

Indeed… It should be there, unfortunately. On your server. Not online :stuck_out_tongue:

Stupid implementation of Courier-IMAP if I might say. What’s the frikkin’ trouble of adding one… ONE… extra configuration variable. Makes life a lot easier.


#8

@selecadm:
Awesome - works like a charm. Shame on my head. Thanks!
I’ll revoke the Comodo one right now. :wink:

@Osiris:
True!
At least I didn't find any information on the web that I need to merge these two files. Hmpf!

Seems to be fixed now - thanks guys! :+1:


#9

Yeah, they don’t even document it themselves

All courier imap TLS how-to’s do mention it though… Otherwise it won’t work obviously, as you’ve found out :wink:

I myself ditched Courier-IMAP and started using Dovecot… Works very nicely and is documented very well. But that’s offtopic :smile:


#10

Hahahaha, I searched Portage (Gentoo) just now to find an alternative. They provide "Cyrus"; looks like something newer?! :smiley:

For sure, maybe sometimes you should switch from the giant to the dwarf. :wink:


#11

[offtopic]

I have no clue what's newer, and even if it is, whether that's more important. According to Wikipedia, Dovecot released their latest stable release this October, while Cyrus IMAP 2.5 (their latest stable) was released in March… Quite the difference, although it doesn't say anything of course. Perhaps Dovecot didn't release anything for a year before that… Perhaps a lot. :smile:

Dovecot is in Portage too btw :wink: I’m running Gentoo too :smile:


#12

Cool :smile:

Any way to chat a bit outside of LE?

Maybe I can switch easily from Courier to Dovecot.

Right now I need to merge the automatically renewed certs from LE with a cron job in order to work with Courier.
That’s a bit… … .

I already emerged :wink:
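
The two technical points of the thread are that courier-imapd-ssl reads the private key and the certificate from the single file named by TLS_CERTFILE (post #6), and that this file therefore has to be rebuilt after every Let's Encrypt renewal (the cron job in post #12). The script below is an added example, not code from the thread or from the Courier project, that does both. It assumes the lineage directory uses certbot's layout (privkey.pem, cert.pem, chain.pem), that the output path is whatever TLS_CERTFILE points at, and that this Courier version accepts the intermediate chain appended after the leaf certificate; all three are assumptions, not facts stated in the posts. The sample lineage it creates for offline testing contains placeholder PEM bodies, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Courier project.
# Builds the single PEM file that courier-imapd-ssl expects in TLS_CERTFILE
# from a Let's Encrypt lineage, so it can be re-run after each renewal.
#
# Assumptions (hypothetical, not from the original posts): certbot's lineage
# layout (privkey.pem, cert.pem, chain.pem), an output path equal to the
# configured TLS_CERTFILE, and a Courier that accepts the chain appended
# after the leaf certificate.

# build_courier_pem LINEAGE_DIR OUT_FILE
# Writes key, then leaf certificate, then chain to OUT_FILE with mode 0600
# (key first, as Courier's own mkimapdcert script lays the file out).
# Returns 1 if an input is missing or the result lacks a key or certificate.
build_courier_pem() {
    lineage="$1"
    out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "build_courier_pem: missing $lineage/$f" >&2
            return 1
        fi
    done
    tmp="$out.tmp.$$"
    # Write into a temp file created under a 077 umask so the private key is
    # never world-readable, not even for an instant.
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/cert.pem" "$lineage/chain.pem" > "$tmp" ) || return 1
    # Sanity check before installing: a key and at least one cert must be present.
    if ! grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$tmp" \
       || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$tmp"; then
        rm -f "$tmp"
        echo "build_courier_pem: combined file lacks a key or a certificate" >&2
        return 1
    fi
    chmod 0600 "$tmp"
    # Atomic rename in the same directory: imapd never reads a half-written file.
    mv -f "$tmp" "$out"
}

# count_pem_blocks FILE TYPE: number of "-----BEGIN TYPE-----" lines in FILE.
count_pem_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1"
}

# make_sample_lineage DIR: constructed stand-in for /etc/letsencrypt/live/<name>
# with placeholder PEM bodies (no real key material), for offline testing.
make_sample_lineage() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$1/chain.pem"
}

# Stand-alone use (hypothetical paths):
#   sh build-courier-pem.sh /etc/letsencrypt/live/<name> /etc/courier/imapd.pem
if [ "$#" -eq 2 ]; then
    build_courier_pem "$1" "$2"
fi
```

If the ACME client is certbot, its `--deploy-hook` runs the given command only after a successful renewal and exports the lineage directory as `RENEWED_LINEAGE`, so `build_courier_pem "$RENEWED_LINEAGE" /etc/courier/imapd.pem` followed by a restart of courier-imap-ssl replaces the cron job (the hook and the restart are assumptions about the deployment, not something the thread describes). Two practitioner caveats: the combined file now holds the private key, which is why it must stay 0600 and off any web-served directory, exactly the mistake post #2 caught; and TLS_TRUSTCERTS is Courier's trust store for verifying the peer's certificate, so the commented-out line pointing it at fullchain.pem is not where the server's own chain belongs.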