Robert Kudyba
2019-Mar-28 19:52 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificateCan this be the Lets Encrypt cert that we already have? In other words we have: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem Can those be used?> Are you using haproxy or something in front of dovecot?No. Just Squirrelmail webmail with sendmail. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190328/4eb8eaf8/attachment.html>
Aki Tuomi
2019-Mar-28 20:02 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<blockquote type="cite">
<div class="">
<div class="">
Set
</div>
<div class="">
<br class="">
</div>
<div class="">
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
</div>
</div>
</blockquote>
<div>
<br class="">
</div>
<div>
Can this be the Lets Encrypt cert that we already have? In other words we
have:
</div>
<div>
<div class="" style="margin: 0px; font-stretch: normal;
font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-variant-ligatures:
no-common-ligatures;">ssl_cert =
</etc/pki/dovecot/certs/dovecot.pem</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal;
font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-variant-ligatures:
no-common-ligatures;">ssl_key =
</etc/pki/dovecot/private/dovecot.pem</span>
</div>
</div>
<div>
<br class="">
</div>
<div>
Can those be used?
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Set it to *CA* cert. You can also use
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)
</div>
<div>
<br>
</div>
<div>
or
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_dir=/etc/ssl/certs (on debian based)
</div>
<blockquote type="cite">
<div>
<blockquote type="cite">
<div class="">
<div class="">
Are you using haproxy or something in front of dovecot?
</div>
</div>
</blockquote>
<br class="">
</div>
<div>
No. Just Squirrelmail webmail with sendmail.
</div>
<br class="">
</blockquote>
<div>
Maybe squirrelmail supports forwarding original client ip with ID command.
Otherwise dovecot cannot know it. Or you could configure squirrelmail to use
weakforced ?
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>
Aki Tuomi
2019-Mar-28 20:07 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org>
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<blockquote type="cite">
<div class="">
<div class="">
Set
</div>
<div class="">
<br class="">
</div>
<div class="">
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
</div>
</div>
</blockquote>
<div>
<br class="">
</div>
<div>
Can this be the Lets Encrypt cert that we already have? In other words we
have:
</div>
<div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;"
class="">ssl_cert =
</etc/pki/dovecot/certs/dovecot.pem</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;"
class="">ssl_key =
</etc/pki/dovecot/private/dovecot.pem</span>
</div>
</div>
<div>
<br class="">
</div>
<div>
Can those be used?
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Set it to *CA* cert. You can also use
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)
</div>
<div>
<br>
</div>
<div>
or
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_dir=/etc/ssl/certs (on debian based)
</div>
<blockquote type="cite">
<div>
<blockquote type="cite">
<div class="">
<div class="">
Are you using haproxy or something in front of dovecot?
</div>
</div>
</blockquote>
<br class="">
</div>
<div>
No. Just Squirrelmail webmail with sendmail.
</div>
<br class="">
</blockquote>
<div>
Maybe squirrelmail supports forwarding original client ip with ID command.
Otherwise dovecot cannot know it. Or you could configure squirrelmail to use
weakforced ?
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</blockquote>
<div>
Also check that auth_policy_request_attributes use %{rip} and not
%{real_rip}. You can see this with
</div>
<div>
<br>
</div>
<div>
`doveconf auth_policy_request_attributes`
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>
Reasonably Related Threads
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed