Linode Forum
Posted: Mon Sep 05, 2011 3:37 am
Senior Newbie

Joined: Mon Sep 05, 2011 3:08 am
Posts: 5
Website: http://www.djackmanson.com
Location: Brisbane, Australia
Hi,

I've set up Postfix/Dovecot on my linode. I am now able to receive mail and send it, both from within my linode and from my gmail account, but I cannot log in with Thunderbird on my home PC. The Dovecot configuration tutorials are confusing me (I'm a n00b at setting up any sort of server).

The mail.log file for the most recent attempt (a few minutes before I posted this) reads:

Code:
Sep  5 03:29:11 localhost dovecot: imap-login: Aborted login (no auth attempts): rip=x.x.x.x, lip=x.x.x.x
Sep  5 03:29:11 localhost dovecot: imap-login: Aborted login (no auth attempts): rip=x.x.x.x, lip=x.x.x.x
Sep  5 03:29:11 localhost dovecot: imap-login: Disconnected (no auth attempts): rip=x.x.x.x, lip=x.x.x.x, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sep  5 03:29:13 localhost dovecot: imap-login: Aborted login (no auth attempts): rip=x.x.x.x, lip=x.x.x.x, TLS


(I've obfuscated the IP addresses)

I'm guessing this means there is some sort of SSL feature I need to configure, as Thunderbird is at least in some sort of contact with Dovecot?

Can anyone please point me in the right direction? Are there any more logs I should post?

Thanks.
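
Added example, not part of the original post: a small triage helper for the `imap-login` lines quoted above, which unpacks the OpenSSL error code `14094418` and names the TLS alert behind it. The function names are made up for illustration, and the bit layout assumed is the packed error format of OpenSSL releases before 3.0.

```python
import re

# TLS alert numbers from RFC 5246 section 7.2 that concern the certificate.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20            # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # reason = 1000 + alert number for a received alert

LINE_RE = re.compile(
    r"dovecot: [\w-]+: (?P<event>[^:(]+?) \((?P<why>[^)]*)\): "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,\s]+)"
    r"(?:, TLS handshaking: SSL_accept\(\) failed: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*))?")

def decode_openssl_error(code_hex):
    """Unpack a pre-3.0 OpenSSL error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(line):
    """Return event, auth state and decoded TLS failure for one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    out = {"event": m["event"], "auth": m["why"], "tls": None}
    if m["code"]:
        lib, _func, reason = decode_openssl_error(m["code"])
        alert = reason - ALERT_REASON_OFFSET
        if lib == ERR_LIB_SSL and alert in TLS_ALERTS:
            # The alert was read from the socket, so the client sent it:
            # the client refused the certificate the server presented.
            out["tls"] = f"client sent alert {alert} ({TLS_ALERTS[alert]})"
        else:
            out["tls"] = m["text"].strip()
    return out

# Lines copied from the post above (addresses already masked by the poster).
SAMPLE = [
    "Sep  5 03:29:11 localhost dovecot: imap-login: Aborted login (no auth attempts): rip=x.x.x.x, lip=x.x.x.x",
    "Sep  5 03:29:11 localhost dovecot: imap-login: Disconnected (no auth attempts): rip=x.x.x.x, lip=x.x.x.x, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Sep  5 03:29:13 localhost dovecot: imap-login: Aborted login (no auth attempts): rip=x.x.x.x, lip=x.x.x.x, TLS",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```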


Posted: Mon Sep 05, 2011 4:44 am
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
Did you set up ssl_cert_file and ssl_key_file options properly in dovecot.conf?

Also keep in mind that the cert file might have to be compound, i.e. your cert + intermediate + CA. And the key file must be without password protection.


Posted: Mon Sep 05, 2011 5:55 am
Senior Newbie

Joined: Mon Sep 05, 2011 3:08 am
Posts: 5
Website: http://www.djackmanson.com
Location: Brisbane, Australia
I'm not sure. I copied and pasted the contents of the dovecot.conf file as listed here http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid#sph_configure-dovecot - as far as I can tell that is telling dovecot to find the certificate at /etc/ssl/certs/dovecot.pem

I've checked in /etc/ssl/certs/ and the dovecot.pem certificate exists. The key file mentioned in the above link also exists.

I've been trying to use the guide at https://help.ubuntu.com/community/Dovecot#Accessing_from_Outside but because there are conflicts between what is in that, and what I copied and pasted from the linode guide, I'm not sure what I need to do.

Could the problem merely be that I need to create a user on my linode with the same username as the username in my email address? The only user I have currently set up in linode is 'root'.

EDIT: RE your second paragraph, do you mean I need to tell the cert file to look for several certificates? I have to find/download an intermediate certificate and CA certificate and place them in the SSL folder on my linode?


Posted: Mon Sep 05, 2011 12:48 pm
Senior Member

Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
Where did you get the dovecot.pem from? You need a cert tailored for your own domain, either self-signed (at which Thunderbird will complain, but you can store a permanent exception) or purchase one. If you do the latter, then yes you will probably have to cat your cert with your CA's intermediate and CA certs, and keep the key without password.

As for users, if you use PAM for authentication then you'll need a non-root user. The "user = root" config directive is for the user of the dovecot process, not the authenticated user(s). You adjust passdb and userdb sections of dovecot.conf.

AFAIK, distros include a fairly documented and commented dovecot.conf so I suggest you start with that one and adjust accordingly.
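
Added example, not part of the original thread: a preflight check for the file layout the replies above describe (cert + intermediate + CA concatenated in the cert file, no passphrase on the key). The function names and the sample PEM text are constructed for illustration, and the check looks only at PEM block structure, not at what the certificates contain.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body), ...] for each PEM block, in file order."""
    return PEM_BLOCK.findall(text)

def check_cert_file(text):
    """Return (certificate count, findings) for the ssl_cert_file contents."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    findings = []
    if certs == 0:
        findings.append("no certificate in file")
    elif certs == 1:
        findings.append("one certificate only: fine if self-signed, "
                        "a CA-issued cert needs the intermediate(s) appended")
    if any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("private key stored in the certificate file")
    return certs, findings

def check_key_file(text):
    """Return findings for the ssl_key_file contents."""
    keys = [(l, b) for l, b in pem_blocks(text) if l.endswith("PRIVATE KEY")]
    if not keys:
        return ["no private key in file"]
    label, body = keys[0]
    # PKCS#8 marks encryption in the label; the traditional format keeps the
    # label and adds a "Proc-Type: 4,ENCRYPTED" header inside the block.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return ["key is passphrase-protected"]
    return []

def _pem(label, headers=""):
    # Constructed placeholder block: the base64 body is not real key material.
    return (f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n"
            f"-----END {label}-----\n")

CHAIN = _pem("CERTIFICATE") * 3          # leaf + intermediate + CA
LEAF_ONLY = _pem("CERTIFICATE")
PLAIN_KEY = _pem("RSA PRIVATE KEY")
LEGACY_ENC_KEY = _pem("RSA PRIVATE KEY",
                      "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
PKCS8_ENC_KEY = _pem("ENCRYPTED PRIVATE KEY")
```

To use it on a server, pass in the text of the files named by ssl_cert_file and ssl_key_file in dovecot.conf.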


Posted: Mon Sep 05, 2011 10:47 pm
Senior Newbie

Joined: Mon Sep 05, 2011 3:08 am
Posts: 5
Website: http://www.djackmanson.com
Location: Brisbane, Australia
OK, I removed the password from the key file (using the instructions at http://chrisschuld.com/2008/08/removing-the-password-on-an-apache-ssl-certificate/). After I did this, Thunderbird was recognising the server.

I still had a problem logging in. This was because I ignored the part of http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid#sph_setting-up-domains-and-users that told me:

Quote:
Given the possibility for virtual hosting a large number of virtual domains on a single mail system, the username portion of an email address (i.e. before the @ sign) is not sufficient to authenticate to the mail server. When email users authenticate to the server, they must supply their email clients with the entire email address created above as their username.


I was ignoring it because it was confusing being asked for the password for "david@djackmanson.com@hostname.example.com". But once I entered all that it let me in and I am now reading my mail in Thunderbird.

Thanks very much for your help and suggestions.

EDIT: For future reference, the dovecot.pem files were created by dovecot after I installed it by following the instructions in the guide I've linked to above. I checked the contents of the certificates using http://www.sslshopper.com/certificate-decoder.html and confirmed that they were showing the Fully Qualified Domain Name of my server.

