search for: ssl_client_ca

...a). > > The ssl config on my both server: > > ssl_protocols = !SSLv2 !SSLv3 > ssl = required > verbose_ssl = no > ssl_key = </etc/ssl/private/private.key > ssl_cert = </etc/ssl/certs/key.crt > ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem I think it should be ssl_client_ca_file = </etc/ssl/certs/GandiStandardSSLCA2.pem for you. > > This config is working for my email client and my email web > interface ... > > Are they on the right order ? > > mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd > > There...

Dear Thierry, (I'm omitting the remainder of your post because the below has a separate root cause from what has been assumed.) >[...] > This morning logs: > > Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 > Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >[...] Did I

Please keep responses in list. rm -f /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir. On 2017-02-03 17:00, Thierry wrote: > Hi, > > I have removed the '<' : > > ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem > > But now: > > doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 > doveadm: Error: Couldn't initialize SSL parameters, disabling SSL > doveadm: Error: Corrupted SSL parameters file in state_d...

...2, vous ?criviez : > >> Please keep responses in list. rm -f >> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir. > >> On 2017-02-03 17:00, Thierry wrote: >>> Hi, >>> >>> I have removed the '<' : >>> >>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >>> >>> But now: >>> >>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 >>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >>> doveadm:...

...n't had a need for client certs, and only ever used > ssl_ca for the server ca chain. > >> We can try restoring this as ssl_cert_chain setting in future release. > Sounds good. How about (re)naming them ssl-{client,server}_ca? > > Cheerio, > Hauke > There is already ssl_client_ca, for verifying clients. ssl_ca verifies certs when dovecot is connecting somewhere. Aki

...Please keep responses in list. rm -f >>> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir. >> >>> On 2017-02-03 17:00, Thierry wrote: >>>> Hi, >>>> >>>> I have removed the '<' : >>>> >>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >>>> >>>> But now: >>>> >>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 >>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL &...

...3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711 My error message from server1 (main server): Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't v...

...Le vendredi 3 f?vrier 2017 ? 17:09:52, vous ?criviez : > Please keep responses in list. rm -f > /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir. > On 2017-02-03 17:00, Thierry wrote: >> Hi, >> >> I have removed the '<' : >> >> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >> >> But now: >> >> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 >> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >> doveadm: Error: Corrupted SSL pa...

Aki Tuomi: > There is already ssl_client_ca, for verifying clients. ssl_ca verifies > certs when dovecot is connecting somewhere. For clarification: there is a third use case an admin may need intermediate certificates: And that's where dovecot act as server providing imap/pop3/lmtp/sieve via TLS or STARTTLS that's different...

...tes (e.g. if you run a local CA to issue user certificate </div> <div> for mutual authentication, you would put your local CA certificate here). </div> <div> <br> </div> <div> (Maybe this config variable should be renamed "ssl_client_ca".) </div> </blockquote> <div> <br> </div> <div> ... except there already is ssl_client_ca_* settings used to validate connections from dovecot. </div> <div> <br> </div> <blockquote type="cite"&...

Hi, I have made change: ssl_protocols = !SSLv2 !SSLv3 ssl = required verbose_ssl = no ssl_key = </etc/ssl/private/private.key ssl_cert = </etc/ssl/certs/key.crt ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem # Create a listener for doveadm-server service doveadm { user = vmail inet_listener { port = 12345 ssl= yes } } and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port And now: Feb 03 14:11:16 doveadm(user1...

* Aki Tuomi <aki.tuomi at dovecot.fi>: > > > On 20.03.2017 14:30, Ralf Hildebrandt wrote: > > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt > > Leave the < out. It is misleading, I know, but it does say file. =) Makes no difference: # doveconf |fgrep ssl_client_ca ssl_client_ca_dir = ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt and with auto8 I still get: Mar 20 15...

On 20.03.2017 16:40, Ralf Hildebrandt wrote: > * Aki Tuomi <aki.tuomi at dovecot.fi>: >> >> On 20.03.2017 14:30, Ralf Hildebrandt wrote: >>> ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt >> Leave the < out. It is misleading, I know, but it does say file. =) > Makes no difference: > > # doveconf |fgrep ssl_client_ca > ssl_client_ca_dir = > ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt > > and with...

On 28.05.2018 13:05, Hauke Fath wrote: > On 05/28/18 11:08, Aki Tuomi wrote: >> >> >> On 28.05.2018 12:06, Hauke Fath wrote: >>> On 05/21/18 17:55, Aki Tuomi wrote: >>>> ssl_ca is used only for validating client certificates. >>> >>> But it was used (though not documented, IIRC) for validating server >>> certs, too. Since

...is not used to to establish the trust chain to your server certificate, but rather, to your client's certificates (e.g. if you run a local CA to issue user certificate for mutual authentication, you would put your local CA certificate here). (Maybe this config variable should be renamed "ssl_client_ca".) Appending intermediate and server certificates is what you're supposed to do. Joseph Tam <jtam.home at gmail.com>

Hi! I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) I now I'm getting an error: Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) I checked, and alas, I had ssl_client_ca_dir = ssl_client_ca_file = So I set: ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt But I'm still getting the error above. I addition, dovecot is crashing with SIGSEGV: Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(e...