Hi all.

Usually for in-house use and SSL I would just generate a self-signed certificate because most clients either ignore it or only ask the first time the account is configured.

In terms of offering the service to our customers is there any value of getting someone like thawte or instantssl to sign a certificate for imaps/pop3s/smtp?

Also, is there a configuration directive for dovecot to add the issuers ca bundle similar to apache's SSLCACertificateFile?

And thanks for writing such a kick-arse imap server. It blows courier out of the water!

---
James Tyson
Director, Giant Robot Ltd
http://www.giantrobot.co.nz/

IIRC Outlook will complain every time if the cert isn't signed by one of Windows' recognised CAs. All the *nix MUAs I've tried have been fine after the first attempt.

Zach.

On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson <james at giantrobot.co.nz> wrote:
> In terms of offering the service to our customers is there any value
> of getting someone like thawte or instantssl to sign a certificate for
> imaps/pop3s/smtp?

I don't see it in the source. Try the patch attached. Dovecot seems to run OK, but it hasn't been tested with a real key/cert/CA setup.

On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson <james at giantrobot.co.nz> wrote:
> Also, is there a configuration directive for dovecot to add the
> issuers ca bundle similar to apache's SSLCACertificateFile?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-0.99.10.2-ca.diff
Type: text/x-diff
Size: 3177 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20031118/b6801185/attachment-0002.bin>

Zach,

Add your root certificate to Windows root CAs... See http://www.kazar.net/faq.html (mostly French, but screenshots are English).

/Xavier

On 18 Nov 03, at 03:14, Zach Bagnall wrote:
> IIRC Outlook will complain every time if the cert isn't signed by one
> of Windows' recognised CAs. All the *nix MUAs I've tried have been fine
> after the first attempt.
>
> Zach.
>
> On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson
> <james at giantrobot.co.nz> wrote:
>> In terms of offering the service to our customers is there any value
>> of getting someone like thawte or instantssl to sign a certificate for
>> imaps/pop3s/smtp?

Zach Bagnall wrote:
> On Thu, 20 Nov 2003 18:28:51 +0200, Timo Sirainen <tss at iki.fi> wrote:
>
>> What exactly does this patch do? Gives client a list of accepted CAs,
>> but it doesn't look like it actually requires client to provide a
>> valid certificate?
>
> On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson <james at giantrobot.co.nz>
> wrote:
>
>> Also, is there a configuration directive for dovecot to add the
>> issuers ca bundle similar to apache's SSLCACertificateFile?
>
> I'm no SSL expert, but I took the requested feature to be a way to "make
> additional certificates available in order to complete a certificate
> chain".

I had trouble with an instantssl cert, and found that what I needed to do was to also include all the certs up the chain in the .pem file, in a certain order, to keep the client from complaining about an invalid certificate. The first certificate in the pem file should be the server certificate, followed by its chain starting from the root certificate down.

Works for me without the need for patches (though something like SSLCACertificateFile would be nice).

Matt