Dovecot can't connect to openldap over starttls

[info@gwarband.de]

Hello,

can anybody say something about my problem?
The mails in the bottom are from my discuss with the dovecot maillist.

Thanks,
Tobias

-------- Originalnachricht --------
Betreff: Re: Dovecot can't connect to openldap over starttls
Datum: 2017-03-18 14:22
Absender: info@gwarband.de
Empfänger: Tomas Habarta <lists+dovecot@tocc.cz>
Kopie: dovecot@dovecot.org

The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure" 
after the connect.
and dovecot says direct "Connect error"

I've also delete the TLSCipherSuite from openldap.

Tobias

Am 2017-03-18 14:01, schrieb Tomas Habarta:
> Increase log level on server side as well to see what the server 
> says...
> You may remove anything in TLSCipherSuite for the purpose of testing 
> too.
> Hopefully anyone knowing OpenLDAP internals could help you analyse it
> more deeply.
> Tomas
> On 03/18/2017 01:31 PM, info@gwarband.de wrote:
> > I've replicate the settings from ldapsearch to dovecot but no 
> > success.
> > To the certificate:
> > Yes it's a *.crt file but I have linked the *.pem file to it and 
> > dovecot
> > has read access to that file.
> > I have enabled the debugging in dovecot and have uploaded the output:
> > https://gwarband.de/openldap/dovecot-connect.log
> > And the other site with ldapsearch:
> > https://gwarband.de/openldap/ldapsearch-connect.log
> > I'm pretty sure that there is a problem with the sslhandshaking 
> > between
> > openldap and dovecot, but I can't find the source of the problem.
> > One of the steps in the sslhandshaking is not success but in the
> > debugging output I can't find any line with a hit to it.
> > Tobias
> > Am 2017-03-18 12:30, schrieb Tomas Habarta:
> > > Well, if ldapsearch works, try to replicate its settings for dovecot
> > > client.
> > > It's not obvious what settings ldapsearch uses, have a look at 
> > > default
> > > client settings in /etc/openldap/ldap.conf, there may be something 
> > > set a
> > > slightly different way.
> > > Also double check permissions for files used by dovecot, I mean 
> > > mainly
> > > the file listed for tls_ca_cert_file as dovecot may not have an 
> > > access
> > > for reading...
> > > I cannot see anything downright bad, just posted CA cert (which is 
> > > ok,
> > > tested) is *.crt and your config mentions *.pem but I consider it's 
> > > the
> > > same file.
> > > Finally, I would recommend to enable debug option for dovecot's 
> > > client
> > >     debug_level = -1 (which logs all available) in your 
> > > dovecot-ldap.conf
> > > to see what the library reports and work further on that.
> > > You can compare with output from ldapsearch by adding -d-1 switch to 
> > > it.
> > > Hard to tell more at the moment.
> > >
> > > Tomas
> > > On 03/18/2017 09:41 AM, info@gwarband.de wrote:
> > > > Hello,
> > > > I have also installed LE certs.
> > > > But nothing helps, I have double-checking all certs.
> > > > ldapsearch with -ZZ works see:
> > > > https://gwarband.de/openldap/ldapsearch.log
> > > > I have also uploaded the TLSCACertificateFile, maybe I have a 
> > > > failure in
> > > > the merge of the two fiels:
> > > > https://gwarband.de/openldap/LetsEncrypt.crt
> > > > And also I have uploaded my complete openldap configuration:
> > > > https://gwarband.de/openldap/openldap.conf
> > > > All other components can work and communicate with my openldap 
> > > > server.
> > > > The components are postfix, openxchange, apache (phpldapadmin).
> > > > My installated software is:
> > > > Debian 8
> > > > OpenLDAP 2.4.40
> > > > Dovecot 2.2.13
> > > > I hope you can find the issue.
> > > > Thanks,
> > > > Tobias
> > > > Am 2017-03-17 22:48, schrieb Tomas Habarta:
> > > > > Hi,
> > > > > been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over 
> > > > > the
> > > > > unix socket on the same machine, but tried over inet with STARTTLS 
> > > > > and
> > > > > it's working ok...
> > > > > I would suggest double-checking key/certs setup on OpenLDAP side; 
> > > > > for
> > > > > the test I have used LE certs, utilizing following cn=config
> > > > > attributes:
> > > > > olcTLSCertificateKeyFile    contains private key
> > > > > olcTLSCertificateFile        contains certificate
> > > > > olcTLSCACertificateFile        contains both certs (DST Root CA X3
> > > > >                 and Let's Encrypt Authority X3)
> > > > > and used the same CA file in Dovecot's tls_ca_cert_file
> > > > > Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or 
> > > > > ... ?
> > > > >
> > > > >
> > > > > Hope that helps, good luck ;)
> > > > > Tomas
> > > > >
> > > > > On 03/17/2017 04:27 PM, info@gwarband.de wrote:
> > > > > > Hello guys,
> > > > > > actually I'm trying to configure dovecot to access openldap for
> > > > > > passwordcheck.
> > > > > > My openldap is only allow access over "secure ldap".
> > > > > > The dovecot can communicate with the openldap server but there is
> > > > > > maybe
> > > > > > a failure in the sslhandshake.
> > > > > > Additional information you can find in the logs or in the dump 
> > > > > > below.
> > > > > > Also I have my ldap config from dovecot in the links below.
> > > > > > I have already created an bug reporting in the system of openldap 
> > > > > > but
> > > > > > the answer was to get support from her.
> > > > > > All datalinks:
> > > > > > https://gwarband.de/openldap/dovecot.log
> > > > > > https://gwarband.de/openldap/dovecot-ldap.conf
> > > > > > https://gwarband.de/openldap/openldap.log
> > > > > > https://gwarband.de/openldap/trace.dump
> > > > > > The bugreportinglink from openldap:
> > > > > > http://www.openldap.org/its/index.cgi/Incoming?id=8615
> > > > > > I hope you can help me.
> > > > > > Regards.
> > > > > > Tobias Warband