IMAP Voicemail Self-Signed Certificate Failure

I’ve been playing with this and searching for hours with no luck. Any pointers are greatly appreciated – Chris

I’ve successfully installed Dovecot with a self-signed certificate and connected to it both on my LAN and from the outside using IMAP with SSL from MS-Outlook and my Blackberry (my iPod touch is somewhat less cooperative).

However, I’m unable to get Asterisk to comply, and see the following log:

[code]
[Jul 27 11:29:03] ERROR[5763]: app_voicemail.c:2787 mm_log: IMAP Error: Certificate failure for mail.ve3nrt.net: self signed certificate: /C=CA/ST=Ontario/L=Aurora/O=VE3NRT/CN=mail.mydomain.net
[Jul 27 11:29:03] ERROR[5763]: app_voicemail.c:2533 init_mailstream: Can't connect to imap server {mail.mydomain.net:993/imap/ssl/user=chris}INBOX
[Jul 27 11:29:03] ERROR[5763]: app_voicemail.c:2066 __messagecount: Houston we have a problem - IMAP mailstream is NULL
[/code]

Here’s a goodly part of my voicemail.conf

[code]
[general]
format=wav49
imapserver=mail.mydomain.net
imapport=993
imapflags=ssl
imapgreetings=no
expungeonhangup=yes
pollmailboxes=yes
pollfreq=30

serveremail=asterisk@mydomain.net
attach=yes
maxmsg=9999
maxsecs=600
minsecs=3
maxgreet=60
skipms=3000
maxsilence=2
silencethreshold=128
maxlogins=3
moveheard=yes
forward_urgent_auto=no
userscontext=local-mailbox
pbxskip=yes
fromstring=Asterisk

[local-mailbox]
301 => 123456 ,Chris Sullivan ,chris@mydomain.net ,imapuser=chris|imappassword=mypassword|ssl|nonvalidate-cert
[/code]

Update: I’ve also been able to connect to the Dovecot server and log in with the following:

Another update: It works fine without the certificate. If I use port 143 and cleartext passwords I have no problems. This, I suppose, will have to do for now, and I’m operating behind the firewall, but I’d still like to get the encrypted version going.

My answer probably comes a bit late, but as I stumbled over the same problem and eventually got it solved after many tries, here is my solution.

The trick is “simply” to add this to voicemail.conf:

Note the “/” separator!

Self-signed certificate means you don’t have a root certificate for the certificate chain in your certificate store, so no-one is vouching for the authenticity of the server. If you don’t mind giving your secrets to a man-in-the-middle, this may not be a problem. Otherwise you need to obtain the relevant root certificate (or only certificate, if that is self-signed) by means that don’t require SSL for trust and install it locally.

This is simply peddling CA business :wink:
A self-signed certificate can be entered into the trusted certificate store and connections will be trusted.
Would you trust a certificate signed by CNNIC? lwn.net/Articles/372264/

Maybe some context will help to understand the point of this: Asterisk as well as Dovecot (the IMAP server) are on the same dedicated server, which I own.
So as long as I do trust myself, I don’t care about my certificates being validated :smiley:

[quote=“thor”]This is simply peddling CA business :wink:
A self-signed certificate can be entered into the trusted certificate store and connections will be trusted.[/quote]

I said put the root certificate of the chain into the certificate store. If it is self-signed, it is the root certificate. The point is that you should not trust any certificate with an unknown signer except after verifying by means other than the SSL connection.

You don’t need encryption.

Incidentally, although I don’t think it is widely accessible, SSL allows certificate-free key negotiation.
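The trust decision the replies above are arguing about, as an added example that is not part of this thread: a Python script that stands in for Dovecot on port 993 with a freshly generated self-signed certificate and connects to it three ways: with the default trust store (the "Certificate failure" Asterisk logs), with validation switched off (the nonvalidate-cert route, which accepts any certificate including a man-in-the-middle's), and with the server's own certificate installed locally as the trusted root. It assumes the openssl command-line tool is installed; the server, hostname and certificate are constructed for the demonstration.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath, cn="localhost"):
    """Generate a throwaway self-signed key/cert with the openssl CLI (constructed data)."""
    key, crt = os.path.join(dirpath, "key.pem"), os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    return key, crt

def imap_server_once(key, crt):
    """Stand-in for Dovecot on 993: accept one TLS connection and send an IMAP greeting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]
    def run():
        conn, _ = lsock.accept()
        lsock.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"* OK Dovecot ready.\r\n")
                tls.recv(1024)                 # block until the client hangs up
        except OSError:
            pass                               # handshake aborted: client rejected our cert
    threading.Thread(target=run, daemon=True).start()
    return port

def imap_connect(port, cafile=None, validate=True):
    """Open IMAPS to the stand-in server and report how the certificate check went.
    validate=False is the novalidate-cert route; cafile pins the self-signed cert as root."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile given: trust only that cert
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE              # accept any certificate: MITM-able
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
             ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return "ok" if tls.recv(1024).startswith(b"* OK") else "bad greeting"
    except ssl.SSLCertVerificationError as e:
        return f"certificate failure: {e.verify_message}"

def demo():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        return {"default trust store": imap_connect(imap_server_once(key, crt)),
                "novalidate-cert": imap_connect(imap_server_once(key, crt), validate=False),
                "pinned self-signed root": imap_connect(imap_server_once(key, crt), cafile=crt)}
```

Call demo() to get the three outcomes: only the first reproduces the error in the log, and only the third gets an encrypted connection that still detects an impostor.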

For your kind information, Microsoft is going to stop accepting cryptographic keys of less than 1024 bits. If your certificate belongs to a local vendor and does not follow the common certificate policy rules, it will suffer from this new rule.