The openssl connection test came back with "you've misconfigured Dovecot".
So what about the Apache I set up the same way?
I tried it right away.
```
openssl s_client -connect www.k-in.co.jp:443 -servername www.k-in.co.jp>response.text
```
Here is the result (the contents of response.txt).
```
CONNECTED(00000005)
---
Certificate chain
 0 s:CN=www.k-in.co.jp
   i:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 11 00:00:00 2024 GMT; NotAfter: Dec 12 23:59:59 2025 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGGDCCBQCgAwIBAgIQTLcNvRy5yRx9VfhCj0E2WjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEzARBgNVBAcTClNoaWJ1eWEt
a3UxFDASBgNVBAoTC05pamltbyBLLksuMSswKQYDVQQDEyJGdWppU1NMIFNIQTIg
RG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MTExMTAwMDAwMFoXDTI1MTIxMjIz
NTk1OVowGTEXMBUGA1UEAxMOd3d3LmstaW4uY28uanAwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC6rWS4/wQrvkyFDCyNZK3rOO83aefHo+sMkErpFQDv
D5FVcZuAdjGLDpw32jR6Q3YbC6wR/anebfHm6foGo8JZ3mfN/d+O3+Rhs+FxUse1
ScJiS41AW7zXXjReJAi5OvsO9DMaC+APDQE4O3YREKUJfPEFeuDd+a5w4qSGuLIH
MVauXSHMZ93jJiQSVfl/gBCfRZO7gfkoOjtYe1ut6vLedJPka0HtFoXxuMXBjbQG
aQOv3lykOOrHVjvBvX1nvQeEn+7cj3Gi5jpcdp1qvRit+0lPxqBeQxymOAVQHIY/
Qpj90SCkKt4LQexPfVPw4mwfpERAZ+ZC6zbvzX/pLRavAgMBAAGjggL+MIIC+jAf
BgNVHSMEGDAWgBTmIkBPpFCpei2TOVGvsp1zNvPBsDAdBgNVHQ4EFgQUFnDnozL8
GdGCc9DCn1YyGAk6IuIwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGy
MQECAkUwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYG
Z4EMAQIBMIGHBggrBgEFBQcBAQR7MHkwSwYIKwYBBQUHMAKGP2h0dHA6Ly9uaWpp
bW8uY3J0LnNlY3RpZ28uY29tL0Z1amlTU0xTSEEyRG9tYWluU2VjdXJlU2l0ZUNB
LmNydDAqBggrBgEFBQcwAYYeaHR0cDovL25pamltby5vY3NwLnNlY3RpZ28uY29t
MCUGA1UdEQQeMByCDnd3dy5rLWluLmNvLmpwggprLWluLmNvLmpwMIIBfQYKKwYB
BAHWeQIEAgSCAW0EggFpAWcAdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgos
rLvIKgAAAZMZ4/fRAAAEAwBHMEUCIQDq3AYZpvHGtr99a9Np/xDpkNm2pX2DEcYj
KgqpgyHG5AIgfnP7Sgbrykw8t2U+9mzMED1KM2mjtd1PIzpRjnllKJ0AdQDM+w9q
hXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwNsAAAAZMZ4/eeAAAEAwBGMEQCIEWT
fUalCZUXqhh4v6hpLctmHYKmCBkjrYP5bweofc4hAiAvVKq+OVmodboOReomfE13
N4MxX2tpxjgRZ74uaKYMiwB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvl
hiY6AAABkxnj93AAAAQDAEcwRQIhANdvVzXJhfq+U0jBixgHJASBKcfMJUeoM+JN
vt23SNgEAiAEly/Cdt06QJHrq9c+y7yu8YF6PLfl9HEhBek5RBJogzANBgkqhkiG
9w0BAQsFAAOCAQEAqM0Z7MwB9pc9QhEwI097Lg55LMU975LuXNMxH4XadYbo4SnU
Dse3htQHXdyrI2NnkEk/HkEoY817Csl5lWGjk/jpS1NPw7P3GJWA4RhCfKcdCz6d
tAB2QFD+/7kvWvznsK4O/vceMp/H7To9CbPe4RmbJEes5ABDhQt1/UT0kdf9VuuR
NiqN2vQ7SQ/wGs1AYlQvUsZkqlDFaKvM9fDQAWSBR1ANUL6Jnnlv8GkMckS9/507
TQbfWKbbMxBhp/HZgp3s2cgKP/4mqqg7BmWM2BpyIEnjP5WPCNuRge0kYe+WYJ66
4/x15HFO6AfxfEU0ZFm2Hue/NvXqg8cnoHe6qA==
-----END CERTIFICATE-----
subject=CN=www.k-in.co.jp
issuer=C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6189 bytes and written 412 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
```
Only, this also showed up on the console, as an error or something like it.
```
Connecting to 192.168.0.35
depth=0 CN=www.k-in.co.jp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=www.k-in.co.jp
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=www.k-in.co.jp
verify return:1
```
Isn't this the same as the Dovecot result?
```
Connecting to 192.168.0.35
depth=0 CN=mail.k-in.co.jp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=mail.k-in.co.jp
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=mail.k-in.co.jp
verify return:1
. OK Pre-login capabilities listed, post-login capabilities have more.
```
Or maybe it is slightly different.
The last line reads: . OK Pre-login capabilities listed, post-login capabilities have more.
Running it through Google Translate (naturally) gives: ". OK The pre-login capabilities are listed. There are even more capabilities after login."
It says OK, so does that mean it is correct?
Come to think of it, I don't really understand what I'm doing or what the result means... (^_^;;
The WebARENA customer support page on configuring Dovecot says to prepare a dovecot-openssl.cnf.
There was no such file in my etc/dovecot.
Searching with find /opt/local -name dovecot-openssl.cnf turned one up under doc, so I copied it over.
After that, here is the result of connecting with openssl.
```
CONNECTED(00000005)
---
Certificate chain
 0 s:CN=mail.k-in.co.jp
   i:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 13 00:00:00 2024 GMT; NotAfter: Dec 14 23:59:59 2025 GMT
 1 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 2 s:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: May 15 00:00:00 2019 GMT; NotAfter: May 14 23:59:59 2029 GMT
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGETCCBPmgAwIBAgIQCca73n8qxWSYjijRmc6W/TANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEzARBgNVBAcTClNoaWJ1eWEt
a3UxFDASBgNVBAoTC05pamltbyBLLksuMSswKQYDVQQDEyJGdWppU1NMIFNIQTIg
RG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MTExMzAwMDAwMFoXDTI1MTIxNDIz
NTk1OVowGjEYMBYGA1UEAxMPbWFpbC5rLWluLmNvLmpwMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA7mErt+xJhJxKSpwrUqF2giFN+5vM0S9sNSWqqOG1
C86av+h04I9JfniVa1L3QxNEtN23ot6L90RCXikRlpV+ERo/VOZWzW56vSHdAUUU
wPwy+4A44UJmkv25wJNCjgc311s9E3TB+VSI3P3CrUjXDH4cds6Ch3HynjmSV2MX
fK2co3dVueWbHVRW7KmeFMj+p8COR3SRax0hS0KMJjVk8EHcenVdv2lpSaO5+M76
UiJFgUTD3JH97K8KliYOpML2H+xhpwYUFE+C3pjhe4IBPxRqGBYs8gOJKseaiXO+
21H0UP2WaS76tEn2Kq79IHP6glCphRsmSNj2dY163GwdxwIDAQABo4IC9jCCAvIw
HwYDVR0jBBgwFoAU5iJAT6RQqXotkzlRr7KdczbzwbAwHQYDVR0OBBYEFFnYVn30
uzoNfmxAuTAOmWSXBv9CMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQB
sjEBAgJFMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgG
BmeBDAECATCBhwYIKwYBBQUHAQEEezB5MEsGCCsGAQUFBzAChj9odHRwOi8vbmlq
aW1vLmNydC5zZWN0aWdvLmNvbS9GdWppU1NMU0hBMkRvbWFpblNlY3VyZVNpdGVD
QS5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9uaWppbW8ub2NzcC5zZWN0aWdvLmNv
bTAaBgNVHREEEzARgg9tYWlsLmstaW4uY28uanAwggGABgorBgEEAdZ5AgQCBIIB
cASCAWwBagB3AN3cyjSV1+EWBeeVMvrHn/g9HFDf2wA6FBJ2Ciysu8gqAAABkyMp
+zQAAAQDAEgwRgIhAPm7QNpI5fJKZcIPgV+1ZcTU5rRAJhMd/ZO/Mz/pBsWVAiEA
+R4Ryc39DZv1/VzKpB3rcmEGBLg9KV/irNuYM+Vqt8wAdgDM+w9qhXEJZf6Vm1PO
6bJ8IumFXA2XjbapflTA/kwNsAAAAZMjKfr6AAAEAwBHMEUCIQDOF2uQCPl2DloH
wwYAvDjalC0tsIvJJJbGFTjn/D/amgIgJkwbpNbNN3WLYtw3HZmby2WMDp2vobNU
YDR8SNukIn8AdwAS8U40vVNyTIQGGcOPP3oT+Oe1YoeInG0wBYTr5YYmOgAAAZMj
KfrJAAAEAwBIMEYCIQCwrdwxcba4JSKMeCyd5m9ugt+7N+x6oDVbyPcr0IPkMQIh
AL/6uhLvGCWFO8Q0wypIs6HDd+JUGkrMn5zbG1aRtQjYMA0GCSqGSIb3DQEBCwUA
A4IBAQApHWLWohT6Fg7JG7DCndHrIAwTwrHIkOi5OoG1Qx2WoVJwZ3kr3j3/mT85
hodkMOMrppVuCfS4ZbNGvHlEr+Ea3QYTDC61Ocqw3c4qZPFra+jMW4nALF9fIFm4
X0AV5sSVh4Fx528u9BEIjsBL++6oqqx+H4p08IHiFRGaXyq998NehFYRh1vAEF3z
WxoN2db1OrkDpuc0+mMp61petMx3hGZtHfUtCCk0IWPzAI5y+MtdHHP/LeehGn28
91BfhDFr5iftlyj0VIrlAIymQw62mErQXm9xr4KFd3fHtiSZm2aaVcox16DfKYGq
FLSNIUk2ZnKEz/nhAhbybbhG3781
-----END CERTIFICATE-----
subject=CN=mail.k-in.co.jp
issuer=C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6477 bytes and written 439 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
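The two s_client outputs above differ in one detail that explains the verdicts: the Apache chain (www.k-in.co.jp) carries a "Sectigo RSA Domain Validation Secure Server CA" certificate at position 1, which is not the issuer of the leaf, while the Dovecot chain (mail.k-in.co.jp) carries the actual issuer "FujiSSL SHA2 Domain Secure Site CA" at position 2. OpenSSL's verify error 21, "unable to verify the first certificate", means exactly that the leaf's issuer was found neither in the chain the server sent nor in the local trust store. The script below is an added example, not code from the original post: it parses the "Certificate chain" summary that s_client prints, names the certificate whose issuer the server failed to send, flags a chain that is not in leaf-to-root order (the Dovecot chain verifies but is out of order; TLS 1.3 clients tolerate that, older clients may not), and extracts the "verify error:num=NN" lines from stderr. The sample inputs are constructed from the outputs above, reduced to the lines the script reads; the `trusted_subjects` parameter is an assumption standing in for a local trust store.

```python
#!/usr/bin/env python3
"""Check the "Certificate chain" summary printed by `openssl s_client`.

Added example (not from the original post). Feed it the stdout of
s_client (chain summary) and optionally its stderr (verify error lines);
the samples below are constructed from the two runs in the post.
"""
import re

# One chain entry looks like:
#  0 s:CN=www.k-in.co.jp
#    i:C=JP, ST=Tokyo, ..., CN=FujiSSL SHA2 Domain Secure Site CA
# The a:/v: lines (key type, validity) are ignored by the parser.
SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")
VERIFY_ERROR = re.compile(r"verify error:num=(\d+):(.*)")

# Constructed sample: chain summary from the Apache run (www.k-in.co.jp).
APACHE_CHAIN = """\
Certificate chain
 0 s:CN=www.k-in.co.jp
   i:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
---
"""

# Constructed sample: chain summary from the Dovecot run (mail.k-in.co.jp).
DOVECOT_CHAIN = """\
Certificate chain
 0 s:CN=mail.k-in.co.jp
   i:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
 1 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
 2 s:C=JP, ST=Tokyo, L=Shibuya-ku, O=Nijimo K.K., CN=FujiSSL SHA2 Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
---
"""

# Constructed sample: the stderr lines from the Apache run.
APACHE_STDERR = """\
Connecting to 192.168.0.35
depth=0 CN=www.k-in.co.jp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=www.k-in.co.jp
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=www.k-in.co.jp
verify return:1
"""


def parse_chain(text):
    """Return [{'index', 'subject', 'issuer'}] in the order the server sent them."""
    certs = []
    for line in text.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            certs.append({"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
            continue
        m = ISSUER_LINE.match(line)
        if m and certs and certs[-1]["issuer"] is None:
            certs[-1]["issuer"] = m.group(1).strip()
    return certs


def missing_issuers(certs, trusted_subjects=frozenset()):
    """Certificates whose issuer is neither in the served chain nor among
    trusted_subjects (assumed subjects of roots in the local trust store).
    Returns [(index, issuer)]; an empty list means every link resolves."""
    served = {c["subject"] for c in certs}
    missing = []
    for c in certs:
        if c["issuer"] == c["subject"]:
            continue  # self-signed root: nothing above it to look for
        if c["issuer"] not in served and c["issuer"] not in trusted_subjects:
            missing.append((c["index"], c["issuer"]))
    return missing


def is_ordered(certs):
    """True if each certificate is immediately followed by its issuer
    (the leaf-to-root order RFC 5246 required; TLS 1.3 relaxed this)."""
    return all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))


def verify_errors(stderr_text):
    """(code, message) pairs from s_client's 'verify error:num=..' lines."""
    return [(int(m.group(1)), m.group(2).strip()) for m in VERIFY_ERROR.finditer(stderr_text)]


def report(name, chain_text, stderr_text=""):
    certs = parse_chain(chain_text)
    print(f"== {name}: {len(certs)} certificates sent")
    for idx, issuer in missing_issuers(certs):
        print(f"  cert {idx}: issuer not sent by server: {issuer}")
    if not is_ordered(certs):
        print("  chain is not in leaf-to-root order")
    for code, msg in verify_errors(stderr_text):
        print(f"  openssl verify error {code}: {msg}")


if __name__ == "__main__":
    report("Apache (www.k-in.co.jp)", APACHE_CHAIN, APACHE_STDERR)
    report("Dovecot (mail.k-in.co.jp)", DOVECOT_CHAIN)
```

To run it against a live server, redirect s_client's stdout and stderr to separate files and pass their contents to `report`. The check deliberately treats a root that is absent from the chain but present in `trusted_subjects` as fine, since servers are expected to omit the root; an intermediate is the link that must be served, and it is the one Apache is missing here.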
Huh, that's all it took?
When I did grep -R dovecot-openssl.conf dovecot/*, dovecot/conf.d/10-ssl.conf had this in it.
```
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
```
As usual, I asked Google to translate it.
"PEM-encoded X.509 SSL/TLS certificate and private key. These are opened before dropping root privileges, so keep the key file unreadable by anyone but root. The bundled doc/mkcert.sh can be used to easily generate a self-signed certificate; just make sure to update the domains in dovecot-openssl.cnf."
No, there was no directive anywhere that includes it.
It wasn't there when I installed it either.
And apparently it basically doesn't need to be edited.
That's awful.
Well, the problem that Dovecot can't accept the authentication request from Postfix still remains.
smtpd keeps falling over and restarting, after all.
There's still a long way to go.

