> On June 1, 2017 at 1:42 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote:
>
>
> * Aki Tuomi <aki.tuomi at dovecot.fi>:
>
> > > > So I added
> > > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> > > >
> > > > But alas:
> > > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> > > >
> > > > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> > > >
> > > > ssl_ca = </etc/ssl/certs/ca-certificates.crt
> > > >
> > > > So what gives?
> > >
> > > It seems to be similar to:
> > > https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
> > >
> > > "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
> > >
> > > --
> > > Ralf Hildebrandt
> > > Geschäftsbereich IT | Abteilung Netzwerk
> > > Charité - Universitätsmedizin Berlin
> > > Campus Benjamin Franklin
> > > Hindenburgdamm 30 | D-12203 Berlin
> > > Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> > > ralf.hildebrandt at charite.de | https://www.charite.de
> > >
> >
> > Hi.
> >
> > passdb imap was changed to verify remote SSL cert by default (yeah, it
> > kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir
> > setting in args. Or you can disable this behaviour with
> > allow_invalid_cert.
>
> I did specify "ssl_ca_file", but then dovecot said "ssl_ca_file has been replaced by ssl_ca = <file" -- so I used that and it wouldn't work
> either!
>
> --
> Ralf Hildebrandt

I meant

passdb {
  driver = imap
  args = ... ssl_ca_file=/path/to/ca
}

Aki

* Aki Tuomi <aki.tuomi at dovecot.fi>:

> I meant
>
> passdb {
>   driver = imap
>   args = ... ssl_ca_file=/path/to/ca
> }

That doesn't work:

passdb {
  driver = imap
  # Change the line below to reflect the IP address of your Exchange Server.
  args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt
  ...

or
  args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt

both give me:

Jun 2 17:38:19 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca_file
Jun 2 17:38:29 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | https://www.charite.de

* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:

> * Aki Tuomi <aki.tuomi at dovecot.fi>:
>
> > I meant
> >
> > passdb {
> >   driver = imap
> >   args = ... ssl_ca_file=/path/to/ca
> > }
>
> That doesn't work:
>
> passdb {
>   driver = imap
>   # Change the line below to reflect the IP address of your Exchange Server.
>   args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt
>   ...
>
> or
>   args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt
>
> both give me:
>
> Jun 2 17:38:19 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca_file
>
> Jun 2 17:38:29 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca

Working now with 2.2.30-1~auto+1:

args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | https://www.charite.de
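
Added example, not part of the thread and not Dovecot code: a small Python lint for the `passdb imap` args discussed above. It flags `ssl_ca` used as an arg, a TLS passdb with neither `ssl_ca_file` nor `ssl_ca_dir`, and `allow_invalid_cert`. The finding names, the sample config, and the `ssl=starttls` and `allow_invalid_cert=yes` value forms are assumptions.

```python
import re

TLS_MODES = {"imaps", "starttls"}  # assumed values of the ssl= arg

def passdb_blocks(conf):
    """Yield one {setting: value} dict per un-nested passdb { ... } block."""
    for body in re.findall(r"passdb\s*\{(.*?)\}", conf, re.S):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
        yield settings

def lint_imap_passdb(conf):
    """Return (block_number, finding) pairs for passdb imap TLS problems."""
    findings = []
    for n, block in enumerate(passdb_blocks(conf), 1):
        if block.get("driver") != "imap":
            continue
        args = dict(tok.partition("=")[::2] for tok in block.get("args", "").split())
        if "ssl_ca" in args:
            # Global-setting syntax inside args: "Unknown parameter: ssl_ca".
            findings.append((n, "unknown-arg-ssl_ca"))
        if args.get("ssl") not in TLS_MODES:
            continue
        if "allow_invalid_cert" in args and args["allow_invalid_cert"] != "no":
            findings.append((n, "cert-verification-disabled"))
        elif not ({"ssl_ca_file", "ssl_ca_dir"} & args.keys()):
            findings.append((n, "no-trusted-ca"))
    return findings

# Constructed sample configuration (hosts and paths are placeholders).
SAMPLE = """
passdb {
  driver = imap
  args = host=imap.example.org port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca.crt
}
passdb {
  driver = imap
  args = host=imap.example.org port=993 ssl=imaps allow_invalid_cert=yes
}
passdb {
  driver = imap
  args = host=imap.example.org port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca.crt
}
"""

if __name__ == "__main__":
    for block, finding in lint_imap_passdb(SAMPLE):
        print(f"passdb #{block}: {finding}")
```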