# Dovecot (doveadm, ssl, sync) - error



## IPTRACE (Nov 21, 2017)

Hello!

I've got a problem running sync between the two Dovecot services on separate servers.
The error points to a problem with the SSL configuration. I don't suppose it's a Dovecot bug.


```
dovecot: doveadm(10.0.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140260FC:SSL routines:ACCEPT_SR_CLNT_HELLO:unknown protocol
```

Has anyone had a similar issue?


```
mail_plugins = $mail_plugins notify replication

service replicator {
  process_min_avail = 1
}

service aggregator {
  fifo_listener replication-notify-fifo {
    user = dovecot
  }
  unix_listener replication-notify {
    user = dovecot
  }
}

service replicator {
  unix_listener replicator-doveadm {
    mode = 0600
  }
}

replication_max_conns = 10

service doveadm {
  inet_listener {
    port = 12347
    ssl = yes
  }
}

ssl = required
ssl_cert = </usr/local/etc/dovecot/ssl/my.crt
ssl_key = </usr/local/etc/dovecot/ssl/my.key
ssl_client_ca_file = </usr/local/etc/dovecot/ssl/ca.pem
ssl_client_ca_dir = /usr/local/etc/dovecot/ssl
```


----------



## SirDice (Nov 22, 2017)

Which version of Dovecot do you have installed?


----------



## IPTRACE (Nov 22, 2017)

Both, I mean the newest dovecot-2.2.33.2_2 and the older one dovecot-2.2.32.1_1 (or similar).
Every single service had/has the same version, so I've tested with old-old and newest-newest.


```
doveadm(10.0.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
```
I get the above error when I set:

```
ssl_protocols = SSLv3 TLSv1 TLSv1.1
```
But when I comment out the whole line I get the following.

```
dovecot: doveadm(10.0.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140260FC:SSL routines:ACCEPT_SR_CLNT_HELLO:unknown protocol
```


----------



## SirDice (Nov 23, 2017)

Are you doing anything special with regards to SSL? I mean did you switch to LibreSSL, or the port's OpenSSL, or using the base OpenSSL? I noticed you can get some weird results if you mix everything up (some ports depending on LibreSSL and others on the base OpenSSL).


----------



## IPTRACE (Nov 23, 2017)

Good point. One of my servers had LibreSSL and the second one used base OpenSSL.
So, I've deinstalled LibreSSL and installed Dovecot without a dependency on this library. I use ports to install that software.
I've restarted both services and the errors are the same...

Both servers have OpenSSL installed at version `OpenSSL 1.0.2k-freebsd  26 Jan 2017`.

```
:/usr/ports/mail/dovecot % cat Makefile | grep SSL
CPPFLAGS+=      -I${LOCALBASE}/include -I${OPENSSLINC}
LDFLAGS+=       -L${LOCALBASE}/lib -L${OPENSSLLIB}
```
I mean the following error on both services.

```
dovecot: doveadm(10.0.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
```
dovecot.conf

```
ssl = required
ssl_protocols = SSLv3 TLSv1 TLSv1.1 TLSv1.2
ssl_cert = </usr/local/etc/dovecot/ssl/cert.crt
ssl_key = </usr/local/etc/dovecot/ssl/cert.key
ssl_client_ca_file = </usr/local/etc/dovecot/ssl/ca.pem
ssl_client_ca_dir = /usr/local/etc/dovecot/ssl
```
By the way, connecting directly with the openssl command from one server to the other and vice versa succeeds without any errors.


----------
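Added example, not part of any post in this thread: OpenSSL reports `unknown protocol` from `SSL_accept()` when the first bytes a client sends are not a recognisable SSL/TLS hello, so classifying the first bytes seen on the doveadm port (for instance from a packet capture) shows whether the connecting side is speaking TLS at all. The function name and both sample byte strings are constructed for illustration.

```python
import struct

# Constructed sample inputs (not captured from the servers in this thread).
TLS_HELLO = bytes.fromhex("160301002f0100002b0303") + bytes(36)
PLAINTEXT = b"VERSION\tdoveadm-server\t1\t0\n"  # constructed cleartext greeting

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_first_bytes(data: bytes) -> str:
    """Say what a client sent first on a listener that expects TLS."""
    if len(data) < 5:
        return "too-short"
    ctype, rec_version, _length = struct.unpack("!BHH", data[:5])
    # TLS record header: content type 0x16 (handshake), major version 3.
    if ctype == 0x16 and rec_version >> 8 == 3:
        # Handshake header follows: type (1 = ClientHello), 3-byte length,
        # then the highest protocol version the client offers.
        if len(data) >= 11 and data[5] == 1:
            (offered,) = struct.unpack("!H", data[9:11])
            return "tls-clienthello:" + VERSIONS.get(offered, hex(offered))
        return "tls-handshake"
    # SSLv2-compatible hello: high bit set in the length byte, message type 1.
    if data[0] & 0x80 and data[2] == 1:
        return "sslv2-clienthello"
    # Printable text means the peer is speaking the application protocol in
    # the clear; a TLS listener rejects that as "unknown protocol".
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:32]):
        return "plaintext"
    return "unknown-binary"


if __name__ == "__main__":
    for name, sample in (("TLS_HELLO", TLS_HELLO), ("PLAINTEXT", PLAINTEXT)):
        print(name, "->", classify_first_bytes(sample))
```

A `plaintext` result points at the connecting side not wrapping the connection in TLS, while a `tls-clienthello` result with a version outside the listener's `ssl_protocols` list points at a protocol-version mismatch.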

