No shared cipher

Sorry guys for bothering you with an “old” problem, but after googeling and trying various suggestions I found for similar issues, I am really lost and need help.

I had created a letsencrypt certificate to be used by apache2 and postfix/dovecot on the same machine.

I am experiencing no issues with webserver SSL connection, seems to run smoothly and without obvious troubles. -> cert runs fine with Apache2

I also have no issue with Roundcube locally accessing IMAP folders or receiving/sending mails by the postfix/dovecot setup. -> mailserver runs fine
(including no issues with accessing fully functional Roundcube on webserver remotely)

But … if a mail client trys to remotely access dovecot IMAP, it gets idle, cancelling connection sooner or later, and dovecot is showing this error message

imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.5.145.24, lip=, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=…

I am working mainly with Thunderbird, but don’t think that this is a Thundebird issue, as other email clients from the smartphone and the tablet are also not able to connect and sync IMAP.

I have already tried …

  • switching off apparmor -> no change
  • checked postfix’s main.cf (see full version further below, selection copy&paste:)

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/huis.selfhost.eu/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/huis.selfhost.eu/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols =
smtpd_tls_protocols =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_use_tls = yes

  • checked dovecot’s 10-ssl.conf shows (copy&paste:)

ssl = required
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1
ssl_cert = </etc/letsencrypt/live/huis.selfhost.eu/fullchain.pem
ssl_key = </etc/letsencrypt/live/huis.selfhost.eu/privkey.pem

  • limiting to TLS1.x -> no change
  • different sets of ciphers (currently ‘ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS’)
  • tried ‘ssl_prefer_server_ciphers = yes’ in 10-ssl.conf
  • tried ‘smtpd_tls_mandatory_ciphers = medium’ in main.cf
  • tried ‘smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3’ in main.cf
  • tried ‘smtpd_tls_protocols=!SSLv2 !SSLv3 !TLSv1’ in main.cf

cd /etc/letsencrypt/live/huis.selfhost.eu | openssl verify chain.pem

chain.pem: OK

openssl verify -untrusted chain.pem cert.pem

chain.pem: OK

openssl x509 -in cert.pem -noout -issuer

issuer=C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3

openssl x509 -noout -text -in /etc/letsencrypt/live/huis.selfhost.eu/fullchain.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:45:02:06:a3:52:89:ff:b6:f0:3b:8c:f2:e1:0a:2e:f8:a8
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
Validity
Not Before: Jun 20 21:46:14 2019 GMT
Not After : Sep 18 21:46:14 2019 GMT
Subject: CN = huis.selfhost.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e4:b2:63:a3:37:18:d4:25:ef:27:a8:df:7c:fe:
e5:d2:af:1a:dd:1d:72:8e:9d:ea:ce:d5:5a:ad:c6:
6d:c4:22:05:08:ae:87:c4:7a:88:02:58:62:94:e3:
f0:e4:94:2e:ac:78:0d:49:aa:6a:02:09:08:8a:8e:
34:e4:f1:1b:7d:d7:84:b2:a1:f0:5c:16:73:01:08:
d3:6a:a1:a0:41:f8:b0:de:02:be:57:38:98:bf:6f:
eb:62:bd:d3:e9:83:64:5a:0c:c9:ba:b7:90:d5:f4:
9f:3a:31:13:05:ce:3d:15:10:75:40:bb:be:0e:0c:
fb:d0:86:2e:89:08:b6:c2:b2:34:eb:6f:fa:ae:83:
c2:e5:98:e8:ef:bf:08:d5:50:83:86:bc:95:ed:96:
22:3a:00:6b:6a:1d:6f:8a:e5:de:be:78:ab:f5:dd:
79:d5:9e:d4:9c:e0:a1:be:0b:68:8f:85:e9:55:e8:
56:71:15:98:3a:17:fa:c0:0f:cb:24:28:9a:29:e0:
e7:70:12:74:23:20:1f:34:b3:64:a5:20:94:fe:14:
65:a0:05:0e:17:21:fa:6e:50:3f:0b:c4:b9:0b:80:
05:ea:ee:b2:df:23:81:40:fb:fc:84:3e:e7:f3:a4:
a2:12:32:11:b9:e2:05:1e:37:5f:c6:1c:09:27:13:
e1:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
54:0D:3A:C0:62:7C:69:F5:AF:73:AC:BA:30:B6:31:96:61:09:3E:D6
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:huis.selfhost.eu
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : Jun 20 22:46:14.222 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:F9:D6:5F:54:0A:58:F5:73:10:33:94:
13:9E:24:9B:0F:3C:51:23:34:CF:01:C3:EC:59:32:87:
B2:0B:FB:BD:23:02:21:00:AE:FE:78:DB:53:84:8C:30:
B2:BF:CD:2D:7B:CB:FB:4F:C8:37:39:98:AC:0F:AF:28:
74:75:81:E2:0C:62:87:90
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : Jun 20 22:46:14.204 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:AD:CA:D1:E9:64:7A:D7:5A:67:72:44:
82:99:D4:41:D3:E4:FF:CE:35:CA:30:2B:B1:EC:D3:D5:
B1:21:7D:F2:08:02:20:2D:24:A7:A0:49:41:9E:70:51:
20:4D:B9:22:12:E6:69:AC:0D:CE:60:57:B1:A7:BA:60:
CC:F8:95:31:A1:CC:74
Signature Algorithm: sha256WithRSAEncryption
15:74:c4:93:1d:a5:8d:21:ca:8b:58:07:c9:04:db:a9:6b:88:
2a:42:58:a2:8a:61:c2:02:e9:dc:c6:c9:b6:e0:80:f1:87:81:
29:17:49:16:6d:8e:30:36:51:4f:22:ba:ed:ae:64:7a:2d:fd:
99:7b:13:10:bc:b4:8e:26:8a:e9:bd:43:00:3b:b0:64:d6:69:
8c:33:8c:0e:77:68:d3:0c:48:2c:26:bf:20:8e:b6:93:34:ce:
b4:6c:71:64:b1:f9:9a:49:8e:7a:58:6c:d8:33:40:ae:a0:e2:
00:a2:f9:20:1e:c7:30:cd:b7:20:1a:ca:b1:37:46:99:ad:ed:
8c:55:4b:04:5c:6f:c2:24:7f:1d:97:e6:d6:c3:9e:a7:5d:17:
bc:3f:09:51:05:eb:2d:cd:53:dd:4e:3d:7e:84:16:01:66:06:
e5:97:41:4b:0f:d7:2e:78:13:ad:8f:c4:d8:2c:6a:df:eb:3f:
be:c5:7a:25:35:3f:b8:5a:22:58:54:ea:e6:a2:e8:0c:b0:06:
bc:af:30:d8:5c:6f:2b:c7:57:3b:e2:01:82:43:80:30:48:53:
31:12:4b:6d:50:bd:4c:8c:17:76:45:fd:a9:ea:d3:26:f8:f4:
9f:c3:96:87:e9:d2:ce:4d:91:81:cf:af:7b:0b:28:bb:b3:d4:
5b:6f:c5:2d

My domain is:
huis.selfhost.eu

I ran this command:
IMAP sync request by external email client, mainly Thunderbird but also others, from PC, tablet and smartphone

It produced this output:

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Selfhost.de

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

‘certbot-auto --version’ gives an error message:

Creating virtual environment…
Traceback (most recent call last):
File “”, line 27, in
File “”, line 19, in create_venv
File “/usr/lib/python2.7/subprocess.py”, line 185, in check_call
retcode = call(*popenargs, **kwargs)
File “/usr/lib/python2.7/subprocess.py”, line 172, in call
return Popen(*popenargs, **kwargs).wait()
File “/usr/lib/python2.7/subprocess.py”, line 394, in init
errread, errwrite)
File “/usr/lib/python2.7/subprocess.py”, line 1047, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory

Postfix main.cf:

myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP
biff = no

append_dot_mydomain = no

readme_directory = no

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/huis.selfhost.eu/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/huis.selfhost.eu/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols =
smtpd_tls_protocols =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client unconfirmed.dsbl.org,
reject_rbl_client dynablock.njabl.org,
reject_rbl_client cbl.abuseat.org,
permit
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unknown_sender_domain,
reject_unauth_destination,
reject_unknown_sender_domain,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client unconfirmed.dsbl.org,
reject_rbl_client dynablock.njabl.org,
reject_rbl_client multihop.dsbl.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client cbl.abuseat.org,
reject_unauth_pipelining,
permit

myhostname = huis.selfhost.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = huis.selfhost.eu, localhost.selfhost.eu, localhost, $myhostname, localhost.$mydomain
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = all

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [mail.selfhost.de]

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
soft_bounce = no
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

message_size_limit = 104857600
compatibility_level = 2

Hi @scitari

checked your dovecot via OpenSsl:

G:\OpenSSL-Win64\bin>openssl s_client -crlf -connect huis.selfhost.eu:993
CONNECTED(000001E0)
24584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

The handshake doesn't work

SSL alert number 40

Searching that error there is a Github thread - sslv3 Alert Handshake Failure (alert number 40) · Issue #7147 · openssl/openssl · GitHub

Looks like your configuration is incomplete because SNI informations are missing.

Rechecked your config:

Looks like you need something like

https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support

local_name imap.example.org {
  ssl_cert = </etc/ssl/certs/imap.example.org.crt
  ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
  ssl_cert = </etc/ssl/certs/imap.example2.org.crt
  ssl_key = </etc/ssl/private/imap.example2.org.key
}

so your server can find the correct certificate.

1 Like

Same thing happened to me when I updated openssl.
For my setup, this fixed it.

in /etc/dovecot/conf.d/10-ssl.conf
ssl_key = </etc/letsencrypt/live/w5gfe.org/privkey.pem
ssl_cert = </etc/letsencrypt/live/w5gfe.org/fullchain.pem

ssl_protocols = !TLSv1 !SSLv2 !SSLv3

ssl_cipher_list = ALL:!CHACHA20:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!P
SK:!RC4:!ADH:!LOW@STRENGTH

1 Like

Hi Buffalo,

Applied, restarted Dovecot, and unfortunately still fails with same error message.

But has been wort a try, thanks a lot
Chris

Hi Jürgen,

OK, that is something new, I didn’t have on my plate so far.

So, shall I add something like …
local_name imap.huis-selfhost.eu {
ssl_cert = </etc/letsencrypt/live/huis.selfhost.eu/fullchain.pem
ssl_key = </etc/letsencrypt/live/huis.selfhost.eu/privkey.pem
}
to ‘10-ssl.conf’?

I need to admit, that I am not sure if something like ‘imap.huis-selfhost.eu’ is internally properly resolved. Typically I always used ‘huis.selfhost.eu’ also as mailserver name.

Some background, I forgot to mention. The server has worked before, with the setup I have in place, on a previous Ubuntu version; except I had another “home-made” certificate in place. This server was now updated to the latest OS version, including updates of openssl etc., and including the swith to letsencrypt.

Best
Chris

1 Like

You know what … your suggestions at least activated my creativity again!

And I realized that running good old 'dovecot -n´should also be worth a try again and again.

And by doing that it showed me some issues with conflicting settings in different .conf files which might originate from changes in how settings are applied in previous and latest versions from Dovecot.

Will check and clean that first, and keep you posted on if this might cause the issue.

Chris

1 Like

Not imap, if you don't use that. Your own server name - huis.selfhost.eu.

I'm not so firm with dovecot. But the OpenSsl error says, there is a wrong handshake. One part may be the SNI part.

1 Like

Guys, it works! With Thunderbird as well as with my Smartphone client.

You have no imagination how happy I am. Thanks a lot!

What I did …

  1. I cleaned all Dovecot .conf files for duplicated or conflicting settings
  2. I applied the suggested changes by Buffalo

I also applied the addition as suggested by Jürgen. But was neither necessary nor did harm, so I commented it out for now.

Don’t forget to check validity with ‘dovecot -n’ and restart Dovecot.

Thanks a lot guys,
you made not only my day but my quarter

Chris

3 Likes

Thanks sharing that command. Happy to read that it works :+1:

1 Like

Good to hear! 73 de Bill W5GFE

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.