search for: ssl_ca

Displaying 20 results from an estimated 562 matches for "ssl_ca".

2015 Oct 11
2
dovecot as proxy and verification of the backends certificate
...backend). The # directory is usually /etc/ssl/certs in Debian-based systems and the file is # /etc/pki/tls/cert.pem in RedHat-based systems. #ssl_client_ca_dir = #ssl_client_ca_file = ssl_client_ca_file = /tmp/certs/ca-local.pem But that does not work! Instead I've to use ssl_ca # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) # ssl_ca = ssl_ca = </tmp/certs/ca-local....
2019 Aug 06
7
Upgrading to v2.3.X breaks ssl san?
2018 May 21
2
SSL error after upgrading to 2.31
You forgot to cc the list. ssl_ca is used only for validating client certificates. --- Aki Tuomi Dovecot oy -------- Original message -------- From: Marc Perkel <marc at perkel.com> Date: 21/05/2018 18:25 (GMT+02:00) To: Aki Tuomi <aki.tuomi at dovecot.fi> Subject: Re: SSL error after upgrading to 2.31...
2018 May 21
1
SSL error after upgrading to 2.31
...r upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong. No (No signatures could be verified because the chain contains only one certificate and it is not self signed.) ssl = yes ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt local mail.ctyme.com { protocol imap { ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt } protocol pop3 { ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_ke...
2017 May 31
2
Bug with 2.2.29-1~auto+25 back to haunt me
> On May 31, 2017 at 6:10 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote: > > > * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>: > > > So I added > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > > > But alas: > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > > > Gnarf! As you can see I do HAVE ssl_ca...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > doveconf -n? doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happen...
2017 May 31
2
Bug with 2.2.29-1~auto+25 back to haunt me
After upgrading from 2.2.28-1~auto+45 to 2.2.29-1~auto+25 I'm getting this: May 31 16:44:31 mproxy dovecot: auth: Fatal: passdb imap: Cannot verify certificate without ssl_ca_dir or ssl_ca_file setting May 31 16:44:31 mproxy dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs May 31 16:44:31 mproxy dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=141.42.206.36,...
2019 Apr 18
2
ssl_verify_server_cert against SAN?
2017 Jun 02
2
Bug with 2.2.29-1~auto+25 back to haunt me
> On June 1, 2017 at 1:42 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote: > > > * Aki Tuomi <aki.tuomi at dovecot.fi>: > > > > > So I added > > > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > > > > > > > But alas: > > > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > > > > >...
2018 Nov 15
1
dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression
...with openssl 1.0.2o to >> dovecot 2.3.3 run with openssl 1.1.1. >> >> Currently I have both variants running with identical configs and certs >> (the only differences are due to config syntax changes in dovecot 2.3), >> so for example on both I have: >> >> ssl_ca = </etc/openssl/certs/wildcard_ca.pem >> (this file contains single intermediate certificate of my CA) >> >> ssl_cert = </etc/openssl/certs/wildcard_crt.pem >> (this contains single certificate for my *.example.com domain) [dovecot 2.3+ does not provide intermediate CA...
2018 Aug 29
3
SNI Dovecot
Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem I got a warning of course when using my second domain, mydomain2.fr. If I do the config : local_name mail.mydomai...
2018 May 28
2
SSL error after upgrading to 2.31
On 28.05.2018 13:05, Hauke Fath wrote: > On 05/28/18 11:08, Aki Tuomi wrote: >> >> >> On 28.05.2018 12:06, Hauke Fath wrote: >>> On 05/21/18 17:55, Aki Tuomi wrote: >>>> ssl_ca is used only for validating client certificates. >>> >>> But it was used (though not documented, IIRC) for validating server >>> certs, too. Since intermediate CA certs are usually valid a lot longer >>> than the server certs, having to concat the certs is awkwar...
2018 Sep 12
3
Server certificate verification error with Dovecot 2.3.2.1
I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL certificate authority provides a bundle containing their CA, plus intermediate CAs, which I configure using the 'ssl_ca' option. The comments in the configuration file say to only set this when you're requiring client certificates, which I'm not, but fetchmail complains with a "Server certificate verification error, Broken certificate chain" error if that setting is not set. This works fine wit...
2018 Nov 13
2
dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression
Hi. I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1. Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have: ssl_ca = </etc/openssl/certs/wildcard_ca.pem (this file contains single intermediate certificate of my CA) ssl_cert = </etc/openssl/certs/wildcard_crt.pem (this contains single certificate for my *.example.com domain) ssl_key = # hidden, use -P to show it (and one key) No alt certs in use. Chain...
2018 May 28
3
SSL error after upgrading to 2.31
On 28.05.2018 14:30, Hauke Fath wrote: > On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote: >> I'm sure. But putting it as ssl_ca makes no sense, since it becomes >> confused what it is for. > I guess - I haven't had a need for client certs, and only ever used > ssl_ca for the server ca chain. > >> We can try restoring this as ssl_cert_chain setting in future release. > Sounds good. How about (re)...
2019 Apr 18
1
ssl_verify_server_cert against SAN?
2019 Apr 18
2
ssl_verify_server_cert against SAN?
2015 Oct 13
0
dovecot as proxy and verification of the backends certificate
...ory is usually /etc/ssl/certs in Debian-based systems and the file is > # /etc/pki/tls/cert.pem in RedHat-based systems. > #ssl_client_ca_dir = > #ssl_client_ca_file = > ssl_client_ca_file = /tmp/certs/ca-local.pem > > But that does not work! Instead I've to use ssl_ca > > # PEM encoded trusted certificate authority. Set this only if you intend to use > # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) > # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) > # ssl_ca = > ssl_ca =...
2019 Apr 18
0
ssl_verify_server_cert against SAN?
...ion with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK). -- K On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote: > Ok then it seems again a MariaDB issue, they don't check against IP in the SAN it seems, this has nothing to do with ssl_ca setting it seems > > host=<ip> port=<port> dbname=<db> user=<user> ssl_verify_server_cert=yes ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd> > brings up this > *Connect failed to database (vmail): SSL connection error: SSL certific...
2018 May 28
2
SSL error after upgrading to 2.31
On 28.05.2018 12:06, Hauke Fath wrote: > On 05/21/18 17:55, Aki Tuomi wrote: >> ssl_ca is used only for validating client certificates. > > But it was used (though not documented, IIRC) for validating server > certs, too. Since intermediate CA certs are usually valid a lot longer > than the server certs, having to concat the certs is awkward, at best. > > I would ve...