search for: ssl_ca_fil

> On May 31, 2017 at 6:10 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote: > > > * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>: > > > So I added > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > > > But alas: > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > > > Gnarf! As you can see I do HAVE ssl_ca in m...

> On June 1, 2017 at 1:42 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote: > > > * Aki Tuomi <aki.tuomi at dovecot.fi>: > > > > > So I added > > > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > > > > > > > But alas: > > > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > > > > > &gt...

> I am using 0.99.10.7-1 on Debian, and I'm having some trouble with SSL. I > purchased a certificate from Thawte and I can't figure out how to tell > dovecot about the CA cert. Adding ssl_ca_file to my configuration produces > "Unknown setting: ssl_ca_file" on dovecot startup. > > Postfix has a smtpd_tls_CAfile argument and that part is working fine. > > Is this a Debian-specific problem or is ssl_ca_file newer than 0.99.10.7? I guess ssl_ca_file is newer than 0.99...

In dovecot-2.0.alpha3, setting "ssl_ca_file = /path/to/file" in conf.d/ssl.conf does not work, because imap-login chroots before opening the ca_file. Perhaps this parameter could be replaced with "ssl_ca = </path/to/file" as was done with ssl_cert and ssl_key. Tue Nov 17 11:19:38 server dovecot[1143]: imap-login: Fatal:...

I am using 0.99.10.7-1 on Debian, and I'm having some trouble with SSL. I purchased a certificate from Thawte and I can't figure out how to tell dovecot about the CA cert. Adding ssl_ca_file to my configuration produces "Unknown setting: ssl_ca_file" on dovecot startup. Postfix has a smtpd_tls_CAfile argument and that part is working fine. Is this a Debian-specific problem or is ssl_ca_file newer than 0.99.10.7? -- Jacob Elder

After upgrading from 2.2.28-1~auto+45 to 2.2.29-1~auto+25 I'm gettings this: May 31 16:44:31 mproxy dovecot: auth: Fatal: passdb imap: Cannot verify certificate without ssl_ca_dir or ssl_ca_file setting May 31 16:44:31 mproxy dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs May 31 16:44:31 mproxy dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=141.42.206.36, lip=141.42.206.11...

I am very fond of Dovecot, but it would be nice to have a more useful SSL implementation. When do you think we'll see a non-beta version that supports ssl_ca_file? I am running 0.99.11-3 from Debian testing. -- Jacob Elder

Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new "ssl_ca_file" file as soon as our issuing CA CRL is updated ? If yes, does someone has a...

* Aki Tuomi <aki.tuomi at dovecot.fi>: > > > So I added > > > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > > > > > But alas: > > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > > > > > Gnarf! As you can...

...default): PLAIN(?,...): Client didn't present valid SSL certificate Are we doing something wrong, or is dovecot mixing up something while checking the certificates. Note that the certificates are all valid and have not expired. The <user cert> is signed by the <CA cert> and we set ssl_ca_file to the CA certificate PEM file. Ideally, we'd like to only accept login requests from users which have a valid certificate signed by our CA. Even better would be an approach such as the one taken by Postfix where you have to provide a list of valid MD5 hash sums for the users you'd like t...

...g_timestamp: %Y-%m-%d %H:%M:%S protocols: imap imaps managesieve pop3s listen(default): *:143,[::]:143 listen(imap): *:143,[::]:143 listen(pop3): * listen(managesieve): * ssl_listen(default): *:993,[::]:993 ssl_listen(imap): *:993,[::]:993 ssl_listen(pop3): *:2221,[::]:2221 ssl_listen(managesieve): ssl_ca_file(default): /etc/dovecot/ca.crt ssl_ca_file(imap): /etc/dovecot/ca.crt ssl_ca_file(pop3): /etc/dovecot/ca.crt ssl_ca_file(managesieve): ssl_cert_file(default): /etc/dovecot/ufsc.br.crt ssl_cert_file(imap): /etc/dovecot/ufsc.br.crt ssl_cert_file(pop3): /etc/dovecot/ufsc.br.crt ssl_cert_file(managesie...

* Aki Tuomi <aki.tuomi at dovecot.fi>: > I meant > > passdb { > driver = imap > args = ... ssl_ca_file=/path/to/ca > } That doesn't work: passdb { driver = imap # Change the line below to reflect the IP address of your Exchange Server. args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt ... or args = host=exchange-imap.charite.de p...

...ficates and dovecot.crt to thunderbird authorities (i've tried claws mail too - same errors) My dovecot.conf is this: [root at myhome dovecot]# dovecot -n # 1.2.2: /usr/local/etc/dovecot.conf # OS: Linux 2.6.30-ARCH i686 ext4 info_log_path: /var/log/dovecot.log protocols: imaps ssl: required ssl_ca_file: /opt/certificates/dovecot/dovecot.crl ssl_cert_file: /opt/certificates/dovecot/dovecot.crt ssl_key_file: /opt/certificates/dovecot/dovecot.key ssl_cipher_list: ALL:!LOW:!SSLv2 ssl_verify_client_cert: yes verbose_ssl: yes login_dir: /usr/local/var/run/dovecot/login login_executable: /usr/local/lib...

...trusted CAs (ssl_client_ca_* settings) and in version 2.3.devel Policy server HTTP error: 9002 Requested https connection, but no SSL settings given dovecot.conf does have ?ssl_client_ca_dir = /etc/ssl/certs? set. Looking around the source, http-client-settings are not given the ssl_ca_dir or ssl_ca_file setting from the config. Admittedly SSL tear up/down is little expensive per auth, but I think it maybe it should still work?

* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>: > So I added > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt > > But alas: > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file > > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output! &gt...

...ilserver/mail.mydomain.tld.key: error:0906A068:PEM routines:PEM_do_header:bad password read My dovecot.conf has the following set. # Uncomment these if using SSL ssl_cert_file = /etc/ssl/mailserver/mail.mydomain.tld.crt ssl_key_file = /etc/ssl/mailserver/mail.mydomain.tld.key #ssl_key_password = #ssl_ca_file = /etc/ssl/mailserver/ca/mydomain.pem #ssl_verify_client_cert = yes ssl_parameters_regenerate = 168 verbose_ssl = no I have been playing about with it all for about 3 hours now and would greatly appreciate any help ;) Regards Adam ---------------------------------------------------------------...

When I install an SSL certificate, I can't find a config option to set configure the Server Certificate Chain file... Is this not possible or can I do it another way? (When I connect, I am being told the Signature status is uncheckable...) Regards, BTJ -- ----------------------------------------------------------------------------------------------- Bj?rn T Johansen btj at havleik.no

...ile, but the client (Mail.app) complains: Mail was unable to verify the identity of this server, which has a certificate issued to "imap.nccom.com". The error was: There is no root certificate for this server. So I tried downloading Go Daddy's root certificate and pointing ssl_ca_file to that file, but that didn't help. So I tried pointing ssl_ca_file to the intermediate certificate sent to me by Go Daddy, but that breaks things to the point where I never even get the above message; just nothing happens at all. I'm not sure what to try next and am happy to entertain a...

Hello, I'm setting up Dovecot with client certificates and everything is working fine as long as the client only has one certificate in his store. If he has more than one, the wrong one might be sent to the server. The root of the problem is that Dovecot does not send out a list of valid CA names in the TLS handshake. If I connect using openssl s_client I get: "No client

Hello list, The dovecot version is 1.2.6 running on Solaris x86 11 (nv-b91). The relevant configuration lines are: passdb ldap { # LDAP database (doc/wiki/AuthDatabase.LDAP.txt.) args = /pfx/etc/dovecot/dovecot-ldap.conf } The file dovecot-ldap.conf is correct and LDAP authentication is working well. We would like to make it possible for users with a X.509 client certificate to log in