Andy Smith
2011-Apr-06 09:18 UTC
[Dovecot] Dovecot 2.0 config bug with SSL certificate per protocol?
Hi,

yesterday I upgraded Dovecot from 1.2 to 2.0.11. I'd seen that there was a config file converter to make the upgrade smooth so was expecting it to be pretty quick and easy. In the end I spent a long time trying to get it working as it just wouldn't listen on the ssl ports, imaps and pop3s. I am using per protocol SSL certificates, as I was in version 1.2. The part of my config is as follows (as generated by doveconf):

protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_plugins = fts fts_squat
  ssl = yes
  ssl_cert = </usr/local/etc/ssl.crt/imap.crt
  ssl_key = </usr/local/etc/ssl.key/imap.key
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
  ssl = yes
  ssl_cert = </usr/local/etc/ssl.crt/pop3.crt
  ssl_key = </usr/local/etc/ssl.key/pop3.key
}

But when I started dovecot it was only listening on the non-SSL ports for IMAP and POP3. I went through many things, adding in a service imap-login section with the SSL port set via inet_listener and spent ages googling for how to get it to work. In the end it turns out it was that the global ssl setting was set to "no", but I hadn't enabled this previously as this requires that there are global SSL certificates, which I don't have; I have specific certs for IMAP and for POP3. Also this isn't how dovecot 1.2 worked, there I specified the protocols (pop3, pop3s, imap, imaps) and specified the protocol certs and it worked.

Anyway, I ended up just specifying my pop3 certs as the global certs, this is then redefined in the pop3 protocol section etc. The config seems to work, but to me all this doesn't seem logical and doesn't work like in dovecot 1.2.

Maybe this is something that can be cleaned up in the next version?

thanks
Andy.
Timo Sirainen
2011-Apr-08 13:43 UTC
[Dovecot] Dovecot 2.0 config bug with SSL certificate per protocol?
On Wed, 2011-04-06 at 11:18 +0200, Andy Smith wrote:
> protocol pop3 {
>   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>   pop3_uidl_format = %08Xu%08Xv
>   ssl = yes
>   ssl_cert = </usr/local/etc/ssl.crt/pop3.crt
>   ssl_key = </usr/local/etc/ssl.key/pop3.key
> }
>
> Anyway, I ended up just specifying my pop3 certs as the global certs, this
> is then redefined in the pop3 protocol section etc. The config seems to
> work, but to me all this doesn't seem logical and doesn't work like in
> dovecot 1.2.

It's too much trouble to make per-protocol ssl setting work, but it now logs a warning about it:

config: Warning: SSL is disabled because global ssl=no, ignoring ssl=yes for subsection

(naming the subsection would also be extra work..)
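A check for the situation discussed in this thread, as an added example that is not part of either message and is not Dovecot code: it scans doveconf-style text and names the subsections whose ssl=yes is ignored because the global ssl is no, which the warning above does not do. The function name and the sample config are constructed for illustration; a config with no top-level ssl line is assumed not to be affected.

```python
import re

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE = """\
ssl = no
protocol imap {
  mail_plugins = fts fts_squat
  ssl = yes
  ssl_cert = </usr/local/etc/ssl.crt/imap.crt
  ssl_key = </usr/local/etc/ssl.key/imap.key
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  ssl = yes
  ssl_cert = </usr/local/etc/ssl.crt/pop3.crt
  ssl_key = </usr/local/etc/ssl.key/pop3.key
}
"""

def ignored_ssl_sections(conf_text):
    """Return the subsections whose ssl=yes/required has no effect
    because the top-level (global) ssl setting is 'no'."""
    stack = []          # names of the currently open { } sections
    global_ssl = None   # value of the top-level ssl setting, if present
    enabled = []        # subsections that try to turn SSL on
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        else:
            # Matches "ssl = ..." only; ssl_cert and ssl_key do not match.
            m = re.match(r"ssl\s*=\s*(\S+)$", line)
            if not m:
                continue
            value = m.group(1).lower()
            if not stack:
                global_ssl = value
            elif value in ("yes", "required"):
                enabled.append(" / ".join(stack))
    return enabled if global_ssl == "no" else []

if __name__ == "__main__":
    for section in ignored_ssl_sections(SAMPLE):
        print("ssl enabled in '%s' is ignored: global ssl=no" % section)
```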