POP3 access via GMail state SSL cert is expired?

I am trying to get pop3 working again. I've done the postfix/dovecot/mysql setup on my Ubuntu server, and ran the step to generate a new SSL key. Then, when trying to add the new account to GMail, I am selecting port 995 and have tried both checking in the box that says to always use SSL and tried without checking it in. When checked in, it says the server returned the certificate is expired. Do I need to wait some time for the new ssl cert to "take effect"? If it matters, I also only just added the MX record for mail.teamslow.com.

13 Replies

You own mydomain.com, cool! (Please don't redact if you want help..)

Fixed, was just under the impression that did not matter. I checked mail.log and see it received a test email to the newly created user (travis@teamslow.com) and check the dovecot-deliver.log and see it was delivered, and if I check the mail directory and see both test emails I sent, so the mechanics of it are working, just cannot get the login from gmail to work. I do have various other lines in mail.log that appear to be from the attempted logins but all look like failed attempts:

port 110, no ssl (cant use lantext)

Feb 18 16:13:48 traviselijah dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=74.125.82.36, lip=74.207.231.246

port 110, use SSL (general ssl error)

Feb 18 16:13:58 traviselijah dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.212.166, lip=74.207.231.246

Port 995, no ssl (conn timeout)

Feb 18 16:14:34 traviselijah dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.212.166, lip=74.207.231.246, TLS handshaking: Disconnected

Port 995, use SSL (SSL cert expired)

Feb 18 16:14:44 traviselijah dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.212.26, lip=74.207.231.246, TLS: Disconnected

There shouldn't be any waiting time needed, as the SSL certificate (the public version of it) is served by Dovecot to those who connect to your server on port 995. But here's probably a stupid question: After changing the SSL certificate, did you update the path to the certificate file (if it changed) and restart Dovecot?

Well, since I followed the same instructions as the Library doc, I should have created the key in the same directory, but I'll have to double check that later. Off hand, do you know if it was dovecot.conf where the path is stored?

Is your SSL cert signed by a valid CA that google recognises?

(You can't use a self signed cert with gmail like that)

Did you restart dovecot afterwards? It's serving out a stale cert

% openssl s_client -connect mail.teamslow.com:pop3s
CONNECTED(00000003)
depth=0 /O=Dovecot mail server/OU=traviselijah.com/CN=traviselijah.com/emailAddress=root@legionofjeepers.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Dovecot mail server/OU=traviselijah.com/CN=traviselijah.com/emailAddress=root@legionofjeepers.com
verify error:num=10:certificate has expired
notAfter=Nov 23 22:50:56 2011 GMT
verify return:1
depth=0 /O=Dovecot mail server/OU=traviselijah.com/CN=traviselijah.com/emailAddress=root@legionofjeepers.com
notAfter=Nov 23 22:50:56 2011 GMT

Odd, I restarted dovecot and have the same date in your read out. I need to make sure I have the new key in the right path.

Great, now I cannot get the command Stephen posted to respond

> % openssl s_client -connect mail.teamslow.com:pop3s
bash: line 0: fg: no job control

Is this why?

> telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host

OK, so kyhwana is correct as far as GMail is concerned, so just tried setting it up in Outlook. Outlook seems to have no problems with A: self signed certificates; and B: expired certificates. But that still seems to be the problem, even after re-creating the key, and making sure /etc/postfix/main.cf has the correct path to those certs, and restarting dovecot/postfix/saslauthd, it is still showing the old certificate for some reason…

@telijah:

Great, now I cannot get the command Stephen posted to respond

> % openssl s_client -connect mail.teamslow.com:pop3s
bash: line 0: fg: no job control


Remove the "%" sign… that's the prompt!

Oh, yes I forgot to mention I figured that goof up out. I did it properly before by not copying the %, but then this morning had a brain fart. Anyways, moving on, As mentioned, I can now retrieve mail with Outlook and other pop3 apps, but now I cannot send mail… I am sure I just need to figure out the correct combo of outgoing settings, but am giving it a break right now.

So, I fear I have screwed things up even worse. While going through all of this, I went ahead and upgraded from Ubuntu 11.x to 12.04. All the while, I was telling it to keep my current config files. I learned that somewhere through the upgrade process, dovecot was also upgrade from 1.x to 2.whatever-it-is-now. So I was seeing a lot of problems getting the dovecot service started. Re-did it's config and it starts now, and it appears postfix is starting as well. However, if I send an email to the one email address I have started up (travis@teamslow.com) from my personal gmail account, it is getting bounced back due to the following:

<travis@teamslow.com>: Command died with status 127: "procmail -a
    "$EXTENSION"". Command output: sh: 1: procmail: not found

Final-Recipient: rfc822; travis@teamslow.com
Original-Recipient: rfc822;travis@teamslow.com
Action: failed
Status: 5.3.0
Diagnostic-Code: x-unix; sh: 1: procmail: not found</travis@teamslow.com>

Should I post this as a new thread as a new problem, or can anyone help me? I was not sure as I am now having problems at the point before my issues in the OP…

Edit: I may have spoke too soon, I did apt-get install procmail and it did install it, so I sent another test email and I have not gotten it returned yet…

Well, with me monkeying around so much, I only have one tniy web site hosted and that person is moving to another host soon, so when that site goes, I am gonna scrap this linode and start from scratch. Thanks everyone.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct