Shadi Habbal
2013-Sep-15 21:39 UTC
[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Hello, I'm using dovecot v2.0.21. According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x supports different SSL certificates for different virtual hosts by using the "local_name" directive, but I can't get it to work. When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.

----------------------------------------------------------------------------
Here is my dovecot.conf:

# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users-password
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /%Lh/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
local_name nourcc.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/nourcc.com.pem
  ssl_key = </etc/pki/tls/private/nourcc.com.key
}
local_name rockmetal-ae.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/rockmetal-ae.com.pem
  ssl_key = </etc/pki/tls/private/rockmetal-ae.com.key
}
local_name alliance-sir.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/alliance-sir.com.pem
  ssl_key = </etc/pki/tls/private/alliance-sir.com.key
}

----------------------------------------------------------------------------
Here are my certs permissions, just in case:

[root at epm certs]# ll /etc/ssl/comodo.ca.crt
-rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt
[root at epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem
-rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem
[root at epm certs]# ll /etc/pki/tls/private/nourcc.com.key
-rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key

----------------------------------------------------------------------------
Here is my openssl test output:

$ openssl s_client -connect nourcc.com:pop3s
CONNECTED(00000003)
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.com
verify return:1
.......................... blah blah blah .........................

So I'm not sure, is there a certain way of doing it that I overlooked? Thanks.
Shadi Habbal
2013-Sep-15 21:45 UTC
[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Sorry for the mess, forgot to change the formatting to plain text.
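The behaviour described in the two posts above can be reproduced without Dovecot, which is the quickest way to separate a client-side test problem from a server-side one. A `local_name` block can only be selected from the server name the client sends in the TLS SNI extension. `openssl s_client -connect nourcc.com:pop3s` on the OpenSSL 1.0.x that CentOS 6 ships sends no SNI at all unless `-servername nourcc.com` is added (newer OpenSSL sends the `-connect` hostname by default, but never an IP literal), so the server has nothing to match and presents `ssl_cert`, which is exactly the `CN = epm.nourcc.com` seen in the test output. The script below is an added example written for this page, not code from the thread or from the Dovecot project: it starts `openssl s_server` on localhost with a default certificate and a second certificate bound to one server name, then shows which leaf certificate comes back with no SNI, with a matching SNI and with a non-matching SNI. The names `epm.nourcc.com` and `nourcc.com` are reused from the thread as constructed throwaway self-signed certificates; the port, the temp directory and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from Dovecot): show that a
# TLS server picks the per-name certificate from the SNI extension, and that a
# client which sends no SNI (openssl s_client without -servername, or with an
# IP literal) always gets the default certificate. Runs entirely on localhost
# and needs only the openssl CLI. Names, port and paths are assumptions.
set -eu

WORK=$(mktemp -d)
PORT=${SNI_DEMO_PORT:-44995}   # assumption: a free local port
DEFAULT_CN=epm.nourcc.com      # the default certificate, as in the thread
VHOST_CN=nourcc.com            # the per-vhost certificate, as in the thread

# Self-signed throwaway certificate and key with the given CN (constructed data).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Handshake with 127.0.0.1 (an IP literal is never sent as SNI, whatever the
# OpenSSL version), optionally with an explicit SNI name, and print the CN of
# the leaf certificate the server presented.
served_cn() {
  if [ -n "$1" ]; then sni="-servername $1"; else sni=""; fi
  openssl s_client -connect "127.0.0.1:$PORT" $sni </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | sed 's/.*CN *= *//'
}

make_cert "$DEFAULT_CN"
make_cert "$VHOST_CN"

# s_server's -servername/-cert2/-key2 switch to the second certificate only
# when the client's SNI matches that name; otherwise -cert/-key is used.
# This mirrors Dovecot's global ssl_cert versus a matching local_name block.
openssl s_server -accept "$PORT" -www \
  -cert "$WORK/$DEFAULT_CN.crt" -key "$WORK/$DEFAULT_CN.key" \
  -servername "$VHOST_CN" \
  -cert2 "$WORK/$VHOST_CN.crt" -key2 "$WORK/$VHOST_CN.key" \
  >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait until the server completes a handshake (at most about 10 s).
tries=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null \
      | grep -q 'BEGIN CERTIFICATE'; do
  tries=$((tries + 1))
  [ "$tries" -lt 50 ] || { echo "s_server did not start" >&2; exit 1; }
  sleep 0.2
done

# Three probes: no SNI, matching SNI, non-matching SNI.
report() {
  printf 'no SNI              -> %s\n' "$(served_cn '')"
  printf 'SNI %-15s -> %s\n' "$VHOST_CN" "$(served_cn "$VHOST_CN")"
  printf 'SNI %-15s -> %s\n' "other.example" "$(served_cn other.example)"
}
report
```

Run it with `sh sni_demo.sh`; only the probe with `-servername nourcc.com` returns the `nourcc.com` certificate, the other two return `epm.nourcc.com`. The equivalent check against the real server is `openssl s_client -connect nourcc.com:pop3s -servername nourcc.com </dev/null | openssl x509 -noout -subject`. Two further caveats for the posted configuration: Dovecot's `ssl_ca` setting names the CA used to verify client certificates, not the chain sent to clients, so the Comodo intermediate certificates belong appended to the file given in `ssl_cert` if clients are to build a trusted chain; and `doveconf -n` shows the configuration as Dovecot actually parsed it, including any `local_name` blocks it accepted, which is worth confirming on a 2.0.x build before looking elsewhere.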