Timo Sirainen <tss at iki.fi> wrote:
> On 24.3.2013, at 23.07, Michael Grimm <trashcan at odo.in-berlin.de> wrote:
>
>> First of all I did need to extend http://wiki2.dovecot.org/Replication
>> to get dsync over tcp running without ssl:
> ..
>> | dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server
>
> Updated http://master.wiki2.dovecot.org/Replication with it.
My point was that I needed to add ...
| local 1.2.3.4 {
| doveadm_password = secret
| }
... besides ...
| service doveadm {
| inet_listener {
| address = 1.2.3.4
| port = 12345
| }
| }
... which I cannot find at http://master.wiki2.dovecot.org/Replication if I am
not mistaken.
>> 1. Question: may one include "secret" from a file?
>
> name = </path/file works for all settings.
Thanks, applied and working.
>> Now, I did try to add ssl by activating "ssl = yes" in
>> 'service doveadm' (see above) and adding ...
>>
>> | # used by replicator/dsync over tcp
>> | #
>> | ssl_client_ca_dir = /<path-to>/ssl/certs
>>
>> ... and ...
>>
>> | mail_replica = tcps:SERVER-A.TLD
>>
>> But, this didn't work (logfile at remote server):
>>
>> | dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster at OTHER-NAME.TLD
>> | dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
>> | dovecot: doveadm(test): Error: sync: Disconnected from remote
>>
>> The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
>>
>> | ssl_cert = </<path-to>/ssl/certs/OTHER-NAME.TLD.pem
>> | ssl_key = </<path-to>/ssl/private/OTHER-NAME.TLD.pem
>>
>> I did supply SERVER-A.TLD certs and private certificates at both
>> servers as well, but dovecot seems to use those of OTHER-NAME.TLD for
>> replicator/dsync instead :-(
>
> The SERVER-A.TLD needs to have a certificate that is signed by one of the
> CAs in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You
> can't use a self-signed cert, unless you put it into the CA dir (I don't
> know how exactly that works).
I did get tcps running in the meantime by following:
1. http://www.zytrax.com/tech/survival/ssl.html ("Method 3" plus
"Multi-Server Certificates")
2. Postfix's documentation at
http://www.postfix.org/TLS_README.html#server_cert_key (here I had to reverse
the order, meaning CA first)
3. pointing ssl_cert and ssl_key to the relevant files in /<path-to>/ssl/ca/certs
and /<path-to>/ssl/ca/private, respectively
4. ssl_client_ca_dir = /<path-to>/ssl/ca/certs
Question: Why is it necessary to use ssl_cert/key settings from my CA although
you state:
> ssl_cert/key settings are irrelevant here.
Although dovecot is synchronising as expected, I do get a lot of logfile entries
like ...
| dovecot: dsync-local(test): Warning: I/O leak: 0x10b8cf20 (line 341, fd 14)
... and in addition if "verbose_ssl = yes" is set:
| dsync-remote(test): Warning: SSL alert: where=0x4004, ret=256: warning close notify
Hmm, I do have to admit that I do not understand SSL/TLS/CA/...!
Thus, I am uncertain whether to ignore those warnings or whether my setup is broken
in the first place.
All hints are highly appreciated,
Michael