dovecot - Sep 2015 - Dovecot proxy ignores trusted root certificate store

Dovecot v2.2.18
OS: FreeBSD 10.1/amd64

Dovecot in proxy mode ignores the root certificate store and can't verify 
the backend's SSL certificate.

I've pointed ssl_client_ca_file to my root certificate store, but I 
suspect ssl_client_ca_file is only used in imapc context.  It seems to be 
ignored in proxy context.

doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

In my password_query I return host set to the backend's IP address, 
starttls='yes', proxy='y'.

The backend's certificate chain is correct and it verifies successfully 
with "openssl s_client -connect x.x.x.x:110 -starttls pop3 -CAfile 
/usr/local/share/certs/ca-root-nss.crt".

But the Dovecot proxy fails to verify the intermediate certificate it 
receives from the backend.  The inode atime of ca-root-nss.crt is never 
updated, either at Dovecot start or when it connects to the backend, so 
Dovecot (via the openssl library) never reads the file.

Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get 
local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated 
SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not 
trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL 
CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL 
certificate from x.x.x.x:110: unable to get local issuer certificate: 
/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: 
user=<xxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, 
session=<lz9YjzYgIADYyWAp>

On Monday 21 September 2015 01:53:53 Alex Bulan wrote:
> Dovecot v2.2.18
> OS: FreeBSD 10.1/amd64
> 
> Dovecot in proxy mode ignores the root certificate store and can't
verify
> the backend's SSL certificate.
> 
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context.  It seems to be
> ignored in proxy context.
> 
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
I think the correct syntax is :




ssl_ca = < /etc/ssl/certs/cacert.pem
For all kind of ssl_xyz files




Mihai Badici[1] 

--------
[1] http://mihai.badici.ro

Hi
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context.  It seems to
> be ignored in proxy context.
> 
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
You are missing the "<" before the file path

Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt

See http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards
Christian

The result is the same with or without "<" before the file path. 
With "<"
the inode atime is updated at Dovecot startup, so the file is at least 
opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file is 
on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so 
you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



On Mon, 21 Sep 2015, Christian Kivalo wrote:
> Hi
>
>> I've pointed ssl_client_ca_file to my root certificate store, but I
>> suspect ssl_client_ca_file is only used in imapc context.  It seems to
>> be ignored in proxy context.
>> 
>> doveconf -n ssl_client_ca_file:
>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> You are missing the "<" before the file path
>
> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
> Regards
> Christian
>