On August 16, 2021 3:03:22 AM GMT+02:00, silvan at datavenia.nl wrote:
>Hello,
>
>I've tried implementing TLS SNI for my Postfix/Dovecot setup. I have it
>working in Postfix, but this example for Dovecot:
>https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support
>doesn't seem to work for me.
>
>I'm using LetsEncrypt certificates. They work without a problem with the
>regular ssl_cert and ssl_key settings like this:
>
>ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
>
>… but as soon as I put them in local_name blocks like this:
>
>local_name datavenia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
>}
>
>local_name verovia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
>  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
>}
>
>and restart dovecot I get the following error:
>
>dovecot: imap-login: Error: Failed to initialize SSL server context:
>Can't load SSL certificate (ssl_cert setting): The certificate is empty:
>user=<>, rip=213.127.63.224, lip=142.93.135.7,
>session=<wKjTIaLJtSXVfz/g>
>
You still need a default ssl_cert outside the local ... block.
This is noted in the section about different certs for different IPs, just before
the section about SNI:
-> Note
-> You will still need a top-level default ssl_key and ssl_cert as well, or
-> you will receive errors.
That default cert is used as fallback for clients that don't do SNI.
>
>I have verified that the certificate paths are correct, the files have
>content. I've already checked permissions (chmodded 777 to debug), as well as
>that these are actually symlinks (updated the config to point to the real
>files) but nothing so far seems to change anything. I have also recreated my
>dh.pem (4096).
>
>I'm hoping anyone has any idea where I might be going wrong.
>
>Kind regards,
>
>Silvan
>
>Output of dovecot -n:
>
># 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
># Pigeonhole version 0.5.13 (cdd19fe3)
># OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
># Hostname: azrael00
>auth_mechanisms = plain login
>mail_location = maildir:/var/mail/vhosts/%d/%n
>mail_privileged_group = mail
>namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
>}
>passdb {
>  args = /etc/dovecot/dovecot-sql.conf.ext
>  driver = sql
>}
>postmaster_address = postmaster at datavenia.nl
>protocols = imap lmtp
>service auth-worker {
>  user = vmail
>}
>service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0666
>    user = postfix
>  }
>  unix_listener auth-userdb {
>    mode = 0666
>    user = vmail
>  }
>  user = dovecot
>}
>service imap-login {
>  inet_listener imap {
>    port = 0
>  }
>}
>service lmtp {
>  unix_listener /var/spool/postfix/private/dovecot-lmtp {
>    group = postfix
>    mode = 0600
>    user = postfix
>  }
>}
>ssl = required
>ssl_dh = # hidden, use -P to show it
>userdb {
>  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
>  driver = static
>}
>local_name datavenia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>  ssl_key = # hidden, use -P to show it
>}
>local_name verovia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
>  ssl_key = # hidden, use -P to show it
>}
>
--
Christian Kivalo
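An added check for the layout discussed in this thread, not code from the thread or from the Dovecot project: a small Python linter that reads a dovecot.conf fragment and flags local_name blocks that lack the top-level ssl_cert/ssl_key fallback (the situation visible in the dovecot -n output above), plus per-block values that are not `<path` file references. The sample configs and their paths are constructed for the example.

```python
import re

# Constructed sample: the poster's layout, local_name blocks but no top-level fallback.
BROKEN_CONF = """ssl = required
local_name datavenia.nl {
  ssl_cert = </etc/letsencrypt/live/datavenia.nl/fullchain.pem
  ssl_key = </etc/letsencrypt/live/datavenia.nl/privkey.pem
}
local_name verovia.nl {
  ssl_cert = </etc/letsencrypt/live/verovia.nl/fullchain.pem
  ssl_key = </etc/letsencrypt/live/verovia.nl/privkey.pem
}
"""
# Same config with the top-level default cert/key that non-SNI clients fall back to.
FIXED_CONF = ("ssl_cert = </etc/letsencrypt/live/datavenia.nl/fullchain.pem\n"
              "ssl_key = </etc/letsencrypt/live/datavenia.nl/privkey.pem\n" + BROKEN_CONF)

BLOCK_RE = re.compile(r"^(\w+)(?:\s+(.+?))?\s*\{$")   # e.g. 'local_name host {'

def parse_ssl_settings(text):
    """Collect ssl_cert/ssl_key at top level and inside each local_name block."""
    top, per_name, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments ('# hidden, ...')
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2)))
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ("ssl_cert", "ssl_key"):
                if not stack:
                    top[key] = value
                elif len(stack) == 1 and stack[0][0] == "local_name":
                    per_name.setdefault(stack[0][1], {})[key] = value
    return top, per_name

def lint_sni_config(text):
    """Return problem strings; an empty list means the SNI layout is consistent."""
    problems, (top, per_name) = [], parse_ssl_settings(text)
    for key in ("ssl_cert", "ssl_key"):
        if per_name and key not in top:
            problems.append(f"top-level {key} missing: needed as fallback for non-SNI clients")
        for name, settings in per_name.items():
            if not settings.get(key, "").startswith("<"):
                problems.append(f"local_name {name}: {key} missing or not a '<path' file reference")
    return problems
```

Run it against the real config file rather than `dovecot -n` output, since `-n` replaces ssl_key values with a comment and the linter would then report them as missing.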