4

I've an issue with my StartSSL certificate. When I try to use it to activate SSL encryption on Dovecot, I get the following error in my log when a client attempts a connection to the imap server:

dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
dovecot: master: Error: service(imap-login): command startup failed, throttling for 16 secs

However, I've followed this tutorial: SSL how to: install ssl on Dovecot IMAP serer | ErlyCoder, and my private key (without passphrase) and the certificate are present where they must be, so I don't understand why it doesn't work.

In my dovecot.conf file:

ssl_key =   /home/mail/ssl/****.key
ssl_cert =  /home/mail/ssl/****.pem

The certificate file contains, in this order:

  • My certificate
  • The sub.class1.server.ca.pem content from StartSSL
  • The ca.pem content from StartSSL

OS: Debian 8

Thanks

  • The error message suggests that the key file is corrupt in some way. I'm tempted to say, "paste the contents of the private key file so we can check", but that would be naughty of me. Make sure the key file starts with exactly five ASCII dashes (not any "fancy" unicode variations thereof), the text "BEGIN PRIVATE KEY" (without the quotes), then another five ASCII dashes, then a newline. No other spaces or other shenanigans. – womble Aug 27 '15 at 00:08

2 Answers

2

Per the document you provided, try putting just the private key and the certificate into a .pem file and use the same file for both ssl_cert and ssl_key.

The following is from my own system:

[root@j /usr/local/etc/dovecot/conf.d]# grep ^ssl_ 10-ssl.conf 
ssl_cert = </usr/local/etc/dovecot/alexus.biz.pem
ssl_key = </usr/local/etc/dovecot/alexus.biz.pem
[root@j /usr/local/etc/dovecot/conf.d]# grep ^- /usr/local/etc/dovecot/alexus.biz.pem 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[root@j /usr/local/etc/dovecot/conf.d]# 
alexus
  • Yeaah, it works, but just for Dovecot :( I've modified my dovecot.conf file like you said (and added "<" before the file paths). I just added another line to complete my configuration (ssl_ca) with the file from StartSSL - http://www.startssl.com/certs/ca-bundle.pem. OpenSMTPD isn't compatible with .pem files; how can I configure it? – Benjamin CHAINTREUIL Aug 26 '15 at 18:48
  • For others, ensure your pem does not also include the certificate chain. – sweetfa Jan 02 '19 at 20:46
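An added check, not from the answer above or from the Dovecot project, that resolves an ssl_key / ssl_cert value the way Dovecot does (a value starting with "<" is read from that file; anything else is parsed as inline PEM) and then inspects the PEM headers, which covers both the missing "<" and the non-ASCII-dash case raised in the comments. File paths, file contents and the helper names are constructed for the example; the PEM bodies are placeholders, not real keys.

```python
import re

# A PEM header is exactly five ASCII hyphens, a label, five hyphens, nothing else.
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed stand-ins for files on disk; bodies are placeholders, not real key material.
FILES = {
    "/home/mail/ssl/dovecot.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nMIIDPLACEHOLDER\n-----END CERTIFICATE-----\n"
    ),
    # A key pasted through an editor that replaced the hyphens with en dashes (U+2013).
    "/home/mail/ssl/pasted.key": (
        "\u2013\u2013\u2013\u2013\u2013BEGIN PRIVATE KEY\u2013\u2013\u2013\u2013\u2013\n"
        "MIIEPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    ),
}

def pem_labels(text):
    """Return the labels of well-formed BEGIN lines and any line that mentions
    BEGIN but is not a strict ASCII header (bad dashes, stray spaces)."""
    labels, suspect = [], []
    for line in text.splitlines():
        m = PEM_HEADER.match(line)
        if m:
            labels.append(m.group(1))
        elif "BEGIN" in line:
            suspect.append(line)
    return labels, suspect

def dovecot_pem_setting(name, value, files):
    """Resolve one Dovecot ssl_key/ssl_cert setting and check its PEM content.
    `files` maps path -> content and stands in for the filesystem."""
    value = value.strip()
    literal = not value.startswith("<")
    if literal:
        text = value                      # Dovecot parses the value itself as PEM
    else:
        path = value[1:].strip()
        if path not in files:
            return {"ok": False, "reason": f"{name}: cannot read {path}", "suspect": []}
        text = files[path]
    labels, suspect = pem_labels(text)
    wanted = KEY_LABELS if name == "ssl_key" else {"CERTIFICATE"}
    if not any(label in wanted for label in labels):
        reason = f"{name}: no start line, expecting {'ANY PRIVATE KEY' if name == 'ssl_key' else 'CERTIFICATE'}"
        if literal:
            reason += " (value is parsed as inline PEM; prefix the path with '<')"
        elif suspect:
            reason += " (malformed header lines: check for non-ASCII dashes or stray spaces)"
        return {"ok": False, "reason": reason, "suspect": suspect}
    return {"ok": True, "labels": labels, "suspect": suspect}
```

Running it against the question's original `ssl_key = /home/mail/ssl/....key` form reports the missing "<", while the combined file from the answer passes for both settings.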
2

I finally found how to make my StartSSL certificate work with Dovecot and OpenSMTPD (5.4.2p1):

For Dovecot, you need to concatenate the key and the certificate into a .pem file - thanks @Alexus - and add these lines to your dovecot configuration file:

# blablabla
ssl = required
ssl_key =   </home/mail/ssl/dovecot.pem # Key
ssl_cert =  </home/mail/ssl/dovecot.pem # Certificate
ssl_ca =    </home/mail/ssl/ca-bundle.pem # Server Certificate Bundle with CRLs
# blablabla

See http://wiki.dovecot.org/SSL/DovecotConfiguration for more information. The ca-bundle.pem comes from StartSSL.

For OpenSMTPD, it took me a long time to understand that it was working perfectly:

I used Thunderbird to test the connection to Dovecot & OpenSMTPD; however, a "bug" affects Thunderbird and made me think that OpenSMTPD had a misconfiguration:

https://github.com/OpenSMTPD/OpenSMTPD/issues/451

To use Thunderbird with OpenSMTPD, you must select STARTTLS for authentication to your smtp server, otherwise you'll get this error when you try to connect:

Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: New session 8b475ba3c3415a4d from host 37-161-XX-XX.coucou-networks.fr [37.161.XX.XX]
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Bad input on session 8b475ba3c3415a4d: 500 5.5.1 Invalid command: Pipelining not supported
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Closing session 8b475ba3c3415a4d

My smtpd.conf:

pki <hostname> key         "/home/mail/ssl/opensmtpd.key"
pki <hostname> certificate "/home/mail/ssl/opensmtpd.crt"
pki <hostname> ca          "/home/mail/ssl/ca-bundle.pem"

listen on eth0 port 25 hostname <hostname> tls pki <hostname>
listen on eth0 port 587 hostname <hostname> tls-require pki <hostname> auth mask-source

PS: Key and Cert are in different files for OpenSMTPD, not in a single .pem like Dovecot.