Dovecot SSL: "unknown state"

Question

Two weeks ago I set up a Mailserver using Dovecot and Postfix. It's a server for a organization with about 5000 mails per day. Everything works fine, but today I enabled verbose_ssl in /etc/dovecot/conf.d/10-logging.conf and I get this error messages for nearly every IMAP-Login:

Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 30 00:13:32 mail dovecot: auth: Debug: auth client connected (pid=20442)
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [94.220.159.232]
Aug 30 00:13:32 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [94.220.159.232]

I found only one question on stackoverflow with similar log entries, but the answer there is to include all intermediate certificates, which I already did.

My /etc/dovecot/conf.d/10-ssl.conf (comments removed):

ssl = required
ssl_cert = </etc/ssl/certs/my-domain.de
ssl_key = </etc/ssl/private/my-domain.de
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes

Does anyone know, what these unknown state entries in mail.log really mean?

score 3 · Accepted Answer · answered Aug 30 '15 at 04:15

These are not error messages but debug messages and are clearly marked as these. Unless you need verbose_ssl to debug a problem you should just switch it off.

More background: it is showing every state it is going through when doing an SSL handshake. To display the description of the state it is using the function SSL_state_string_long from OpenSSL. This function does not have a string description for every possible state and returns 'unknown state' if it does not have a more specific description. Again, nothing to worry about.

Thanks for the explanation! I already thought that this aren't errors but I wanted to know, what this messages mean - so thank you very much! — Andreas Krischer, Aug 30 '15 at 17:00

Dovecot SSL: "unknown state"

1 Answers1