Robert Kudyba
2019-Mar-28 19:52 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificateCan this be the Lets Encrypt cert that we already have? In other words we have: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem Can those be used?> Are you using haproxy or something in front of dovecot?No. Just Squirrelmail webmail with sendmail. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190328/4eb8eaf8/attachment.html>
Aki Tuomi
2019-Mar-28 20:02 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote: </div> <div> <br> </div> <div> <br> </div> <div> <blockquote type="cite"> <div class=""> <div class=""> Set </div> <div class=""> <br class=""> </div> <div class=""> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate </div> </div> </blockquote> <div> <br class=""> </div> <div> Can this be the Lets Encrypt cert that we already have? In other words we have: </div> <div> <div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> <span class="" style="font-variant-ligatures: no-common-ligatures;">ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</span> </div> <div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> <span class="" style="font-variant-ligatures: no-common-ligatures;">ssl_key = </etc/pki/dovecot/private/dovecot.pem</span> </div> </div> <div> <br class=""> </div> <div> Can those be used? </div> </div> </blockquote> <div> <br> </div> <div> Set it to *CA* cert. You can also use </div> <div> <br> </div> <div> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos) </div> <div> <br> </div> <div> or </div> <div> <br> </div> <div> ssl_client_ca_dir=/etc/ssl/certs (on debian based) </div> <blockquote type="cite"> <div> <blockquote type="cite"> <div class=""> <div class=""> Are you using haproxy or something in front of dovecot? </div> </div> </blockquote> <br class=""> </div> <div> No. Just Squirrelmail webmail with sendmail. </div> <br class=""> </blockquote> <div> Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ? </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
Aki Tuomi
2019-Mar-28 20:07 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote: </div> <div> <br> </div> <div> <br> </div> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote: </div> <div> <br> </div> <div> <br> </div> <div> <blockquote type="cite"> <div class=""> <div class=""> Set </div> <div class=""> <br class=""> </div> <div class=""> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate </div> </div> </blockquote> <div> <br class=""> </div> <div> Can this be the Lets Encrypt cert that we already have? In other words we have: </div> <div> <div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""> <span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</span> </div> <div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""> <span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_key = </etc/pki/dovecot/private/dovecot.pem</span> </div> </div> <div> <br class=""> </div> <div> Can those be used? </div> </div> </blockquote> <div> <br> </div> <div> Set it to *CA* cert. You can also use </div> <div> <br> </div> <div> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos) </div> <div> <br> </div> <div> or </div> <div> <br> </div> <div> ssl_client_ca_dir=/etc/ssl/certs (on debian based) </div> <blockquote type="cite"> <div> <blockquote type="cite"> <div class=""> <div class=""> Are you using haproxy or something in front of dovecot? </div> </div> </blockquote> <br class=""> </div> <div> No. Just Squirrelmail webmail with sendmail. </div> <br class=""> </blockquote> <div> Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ? </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </blockquote> <div> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with </div> <div> <br> </div> <div> `doveconf auth_policy_request_attributes` </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
Possibly Parallel Threads
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed