Shadi Habbal
2013-Sep-15 21:39 UTC
[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Hello,
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x
supports different SSL certificates for different virtual hosts by using the
"local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect
domain.com:pop3s" I get the default certificate instead of
domain.com's.
So I'm not sure, is there a certain way of doing it that I overlooked?
Thanks.
Shadi Habbal
2013-Sep-15 21:45 UTC
[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Sorry for the mess, forgot to change the formatting to plain text.
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration,
dovecot 2.x supports different SSL certificates for different virtual hosts by
using the "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect
domain.com:pop3s" I get the default certificate instead of
domain.com's.
----------------------------------------------------------------------------
Here is my dovecot.conf:
# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users-password
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /%Lh/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
local_name nourcc.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/nourcc.com.pem
  ssl_key = </etc/pki/tls/private/nourcc.com.key
}
local_name rockmetal-ae.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/rockmetal-ae.com.pem
  ssl_key = </etc/pki/tls/private/rockmetal-ae.com.key
}
local_name alliance-sir.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/alliance-sir.com.pem
  ssl_key = </etc/pki/tls/private/alliance-sir.com.key
}
----------------------------------------------------------------------------
Here are my certs permissions, just in case:
[root at epm certs]# ll /etc/ssl/comodo.ca.crt
-rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt
[root at epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem
-rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem
[root at epm certs]# ll /etc/pki/tls/private/nourcc.com.key
-rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key
----------------------------------------------------------------------------
Here is my openssl test output:
$ openssl s_client -connect nourcc.com:pop3s
CONNECTED(00000003)
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.com
verify return:1
.......................... blah blah blah .........................
So I'm not sure, is there a certain way of doing it that I overlooked?
Thanks.
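As an added example, not part of the original post and not Dovecot's own code: a small POSIX shell script that probes a TLS listener both without and with the SNI extension and reports which leaf certificate comes back. Dovecot selects a local_name {} block by the SNI hostname the client sends, and openssl s_client only sends SNI when given -servername, so a plain "-connect host:pop3s" test always shows the default ssl_cert regardless of the local_name blocks. The helper names (subject_cn, probe_cn, verdict, check_vhost) and the embedded sample s_client output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the leaf certificate a
# listener presents without SNI and with SNI for a given virtual host name.
# Helper names and the sample output below are constructed for illustration.

# Read openssl s_client output on stdin and print the leaf subject CN.
# Handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) subject spellings.
subject_cn() {
  sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Fetch the leaf CN served by host:port; pass a third argument to send SNI.
# Port 995 (pop3s) is implicit TLS; for STARTTLS on 110 add "-starttls pop3".
probe_cn() {
  host=$1; port=$2; sni=$3
  if [ -n "$sni" ]; then
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null | subject_cn
  else
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | subject_cn
  fi
}

# Verdict for a vhost: OK when the SNI probe returns the vhost's own CN,
# DEFAULT when it still returns the no-SNI certificate, MISMATCH otherwise.
verdict() {
  vhost=$1; default_cn=$2; sni_cn=$3
  if [ "$sni_cn" = "$vhost" ]; then echo OK
  elif [ "$sni_cn" = "$default_cn" ]; then echo DEFAULT
  else echo MISMATCH
  fi
}

# Live check: print both results and the verdict for one vhost.
check_vhost() {
  host=$1; port=$2; vhost=$3
  d=$(probe_cn "$host" "$port")
  s=$(probe_cn "$host" "$port" "$vhost")
  printf 'no SNI          : %s\nSNI %-12s: %s\nverdict: %s\n' \
    "$d" "$vhost" "$s" "$(verdict "$vhost" "$d" "$s")"
}

# Constructed s_client output (not captured from any real server) so the
# parser can be exercised offline: a self-signed default cert without SNI ...
SAMPLE_NO_SNI='CONNECTED(00000003)
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com
verify error:num=18:self signed certificate
verify return:1
---
subject=C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com
issuer=C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com'

# ... and the vhost certificate a correctly matched local_name block would serve.
SAMPLE_SNI='CONNECTED(00000003)
depth=1 C = XX, O = Example CA, CN = Example DV CA
verify return:1
---
subject=OU = Domain Control Validated, CN = nourcc.com
issuer=C = XX, O = Example CA, CN = Example DV CA'

# Run a live check only when invoked as: sh check_sni.sh HOST PORT VHOST
if [ "$#" -eq 3 ]; then
  check_vhost "$@"
fi
```

Invoked as `sh check_sni.sh nourcc.com 995 nourcc.com`, the script prints the CN seen with and without SNI; a verdict of DEFAULT with the default CN on both lines means the client never asked for the vhost, a verdict of OK means the local_name block is being honoured. Real mail clients send SNI, so the s_client result without -servername is not what they will see.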