On Tue, 13 Jun 2006, M. Fioretti wrote:
I have a remote server with dovecot 1.0-0_12.beta8 on Centos 4.3. IMAP works just fine: I can read email from both Squirrelmail via web and Kmail.
Now I have created an ssl certificate on the server, and I'm trying to retrieve email via pop3s from my home PC (running suse, if this matters)
When I launch fetchmail here at home I get the error below. Is it caused by dovecot, or something else on the server, like some error I could have made when generating and copying certificates?
marco@polaris:~> fetchmail -vv fetchmail: 6.3.2 querying my.vps.fqdn.name (protocol POP3) at Tue 13 Jun 2006 05:22:50 PM CEST: +poll started fetchmail: Issuer Organization: SomeOrganization fetchmail: Issuer CommonName: localhost.localdomain fetchmail: Server CommonName: localhost.localdomain fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name fetchmail: my.vps.fqdn.name key fingerprint: 20:93:B4:D8:CB:75:AD:72:F6:00:A8:DC:CE:F2:53:6E fetchmail: my.vps.fqdn.name fingerprints do not match! 23942:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify +failed:s3_clnt.c:894: fetchmail: SSL connection failed. fetchmail: socket error while fetching from remoteuser@my.vps.fqdn.name
On your IMAP server, check out your certificate's thoughts about itself:
openssl x509 -noout -subject -in /path/to/cert.pem
I'm guessing that it'll report its common name (CN) as "localhost.domain." SSL clients typically want the remote cert's CN to match the hostname they're polling to avoid one server impersonating another.
You'll probably want to build a new cert, specifying the CN as the public hostname of your IMAP server, e.g.,
openssl req \ -x509 -nodes -days 365 \ -subj '/C=IT/L=Roma/CN=my.vps.fqdn.name' \ -newkey rsa:1024 -keyout mycert.pem -out mycert.pem