Bug 41018 - Using own SSL certificate for dovecot results in missing sieve script
Using own SSL certificate for dovecot results in missing sieve script
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
UCS 4.1
amd64 All
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
:
Depends on:
Blocks: 48247
  Show dependency treegraph
 
Reported: 2016-04-07 12:10 CEST by robert.evert
Modified: 2018-12-05 14:39 CET (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted after Product Owner Review:
Ticket number: 2018112321000275
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description robert.evert 2016-04-07 12:10:06 CEST
Using an own SSL certificate as described and adopted from the wiki results in a bug in user creation.

After setting mail/dovecot/ssl/certificate and mail/dovecot/ssl/key to own files, adding a new user on command line or from UI gives the following in /var/log/univention/listener.log:


STARTTLS promotion failed: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
STARTTLS promotion failed: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
07.04.16 11:26:57.779  LISTENER    ( PROCESS ) : dovecot: Added mail account 'test@DOMAIN'.


The corresponding mailbox in /var/log/dovecot/private/DOMAIN/test is not created. This may be due to the fact, that the certificate has a different name from the hostname of the system, which is perfectly fine as the name is resolved via DNS. The first login via Horde creates all needed directories. 

A possible solution is specifying the original certificate in /etc/dovecot/conf.d/10-ssl (or better in the template) for connections to sieve from localhost:


local 127.0.1.1 { 
  protocol sieve {
    ssl_cert = </etc/univention/ssl/DOMAIN/cert.pem
    ssl_key  = </etc/univention/ssl/DOMAIN/private.key
  }
}


This solution results in these log messages:

Sieve/IMAP Password:
Sieve/IMAP Password:
07.04.16 11:39:55.048  LISTENER    ( PROCESS ) : dovecot: Added mail account 'test@DOMAIN'.

What does the user creation script do there, login via sieve and set some filters?
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-11-23 12:22:59 CET
(In reply to robert.evert from comment #0)
> The corresponding mailbox in /var/log/dovecot/private/DOMAIN/test is not 
> created. This may be due to the fact, that the certificate has a different 
> name from the hostname of the system, which is perfectly fine as the name is 
> resolved via DNS. The first login via Horde creates all needed directories. 

You are right. The system's FQDN is used for the sieve connection. If the FQDN does not fit to the SSL certificate, the connection will fail.

Btw: the mailbox is located at /var/spool/dovecot/private/DOMAIN/LOCALPART/.

> What does the user creation script do there, login via sieve and set some
> filters?

The listener module uploads an initial sieve script. During this action, the mailbox is automatically created by dovecot.


Daniel and I have decided that it makes more sense to customize UCS to handle third-party certificates throughout. If the Dovecot system uses a different certificate for connections from localhost, this a) causes confusion and b) can cause new errors.
I added a new UCR variable mail/dovecot/sieve/client/server for specifying the external FQDN (that matches the SSL certificate).

d6170d9933 Bug #41018: Merge branch 'sschwardt/41018/4.3/sieve-and-foreign-certificates' into 4.3-2
43f4d56806 Bug #41018: add advisory
5f18c30672 Bug #41018: add changelog entry
3018b3f1a9 Bug #41018: added UCR variable mail/dovecot/sieve/client/server

Package: univention-mail-dovecot
Version: 4.0.0-12A~4.3.0.201811231221
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-11-27 11:35:38 CET
Something seems to be wrong with letsencrypt certs.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-11-30 14:36:07 CET
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Something seems to be wrong with letsencrypt certs.

The CA file for sieve-connect was not correctly configured. The correct setting is: mail/dovecot/sieve/client/cafile=/etc/ssl/certs/ca-certificates.crt

But this is not part of this bug → back to RESOLVED.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-12-04 10:13:34 CET
49ad68c41c Bug #41018: update UCR variable descriptions

Package: univention-mail-dovecot
Version: 4.0.0-13A~4.3.0.201812041012
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-12-04 10:14:51 CET
3eea982be8 Bug #41018: update advisory
Comment 6 Daniel Tröder univentionstaff 2018-12-04 11:56:44 CET
OK: manual test with different UCSV combinations
OK: texts
Comment 7 Arvid Requate univentionstaff 2018-12-05 14:39:02 CET
<http://errata.software-univention.de/ucs/4.3/360.html>