search for: ssl_client_ca_file

Displaying 20 results from an estimated 125 matches for "ssl_client_ca_file".

2015 Sep 21
3
Dovecot proxy ignores trusted root certificate store
Dovecot v2.2.18 OS: FreeBSD 10.1/amd64 Dovecot in proxy mode ignores the root certificate store and can't verify the backend's SSL certificate. I've pointed ssl_client_ca_file to my root certificate store, but I suspect ssl_client_ca_file is only used in imapc context. It seems to be ignored in proxy context. doveconf -n ssl_client_ca_file: ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt In my password_query I return host set to the backend's IP addr...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
The result is the same with or without "<" before the file path. With "<" the inode atime is updated at Dovecot startup, so the file is at least opened, but Dovecot still can't verify the cert. The only place in the Wiki that shows an example of ssl_client_ca_file is on this page, and there's no "<" in front of the file path: http://wiki2.dovecot.org/Replication (quote) The client must be able to verify that the SSL certificate is valid, so you need to specify the directory containing valid SSL CA roots: ssl_client_ca_dir = /etc/ssl/cer...
2015 Sep 21
2
Dovecot proxy ignores trusted root certificate store
...> http://wiki2.dovecot.org/Replication >> >> (quote) >> The client must be able to verify that the SSL certificate is valid, so >> you need to specify the directory containing valid SSL CA roots: >> >> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat >> (end quote) >> > > Suggesting that on Redhat you should specify "the directory containing > valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy. > Sounds like setting a file instead. So that bit of documentation...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
...t = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. ssl_client_ca_file should be used instead, but it has no effect in proxy mode: ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt This doesn't work either (and the Dovecot Wiki shows it used without "<"): ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt And "ssl_requ...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
...> The result is the same with or without "<" before the file path. With > "<" the inode atime is updated at Dovecot startup, so the file is at > least opened, but Dovecot still can't verify the cert. > > The only place in the Wiki that shows an example of ssl_client_ca_file > is on this page, and there's no "<" in front of the file path: > > http://wiki2.dovecot.org/Replication > > (quote) > The client must be able to verify that the SSL certificate is valid, > so you need to specify the directory containing valid SSL CA roots:...
2017 Feb 03
4
Dovecot dsync 'ssl_client_ca'
Hi, I have made a change: ssl_protocols = !SSLv2 !SSLv3 ssl = required verbose_ssl = no ssl_key = </etc/ssl/private/private.key ssl_cert = </etc/ssl/certs/key.crt ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem # Create a listener for doveadm-server service doveadm { user = vmail inet_listener { port = 12345 ssl= yes } } and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port And now: Feb 03 14:11:16 doveadm(user1 at do...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
Hi > I've pointed ssl_client_ca_file to my root certificate store, but I > suspect ssl_client_ca_file is only used in imapc context. It seems to > be ignored in proxy context. > > doveconf -n ssl_client_ca_file: > ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt You are missing the "<" before...
2017 Feb 06
2
Dovecot dsync 'ssl_client_ca'
...On Friday 3 February 2017 at 17:09:52, you wrote: > Please keep responses in list. rm -f > /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir. > On 2017-02-03 17:00, Thierry wrote: >> Hi, >> >> I have removed the '<' : >> >> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >> >> But now: >> >> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 >> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >> doveadm: Error: Corrupted SSL paramet...
2015 Oct 11
2
dovecot as proxy and verification of the backends certificate
...The backends use X.509 certificates. The proxy's passdb returns extra fields: user=foo proxy host=backend1.<domain> ssl=yes nopassword=y Thus the proxy connects to the backend but can't verify the backend's certificate. The following comment suggests using ssl_client_ca_file for that. # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend). The # directory is usually /etc/ssl/certs in Debian-based systems and the file is # /etc/pki/tls/cert.pem in RedHat-based system...
2017 Mar 20
2
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>: > > > On 20.03.2017 14:30, Ralf Hildebrandt wrote: > > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt > > Leave the < out. It is misleading, I know, but it does say file. =) Makes no difference: # doveconf |fgrep ssl_client_ca ssl_client_ca_dir = ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt and with auto8 I still get: Mar 20 15:38:2...
2017 Mar 20
4
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
...to 2:2.2.28-1~auto+8) I'm now getting an error: Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) I checked, and alas, I had ssl_client_ca_dir = ssl_client_ca_file = So I set: ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt But I'm still getting the error above. In addition, dovecot is crashing with SIGSEGV: Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remot...
2017 Jan 04
3
Dovecot dsync tcps sends incomplete certificate chain
...57 ssl = yes } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } ssl = required ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem userdb { driver = passwd } userdb { args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n driver = static } Is it a known problem, or has it been resolved in a subsequent ve...
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificate Can this be the Let's Encrypt cert that we already have? In other words we have: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem Can those be used? > Are you using haproxy or something in fron...
2017 Feb 03
0
Dovecot dsync 'ssl_client_ca'
Please keep responses in list. rm -f /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir. On 2017-02-03 17:00, Thierry wrote: > Hi, > > I have removed the '<' : > > ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem > > But now: > > doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 > doveadm: Error: Couldn't initialize SSL parameters, disabling SSL > doveadm: Error: Corrupted SSL parameters file in state_dir: s...
2017 Jan 05
0
Dovecot dsync tcps sends incomplete certificate chain
...>> ssl = yes >> } >> } >> service replicator { >> process_min_avail = 1 >> unix_listener replicator-doveadm { >> mode = 0666 >> } >> } >> ssl = required >> ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem >> ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem >> ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem >> userdb { >> driver = passwd >> } >> userdb { >> args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n >> driver = static >...
2017 Feb 06
0
Dovecot dsync 'ssl_client_ca'
...2, you wrote: > >> Please keep responses in list. rm -f >> /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir. > >> On 2017-02-03 17:00, Thierry wrote: >>> Hi, >>> >>> I have removed the '<' : >>> >>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem >>> >>> But now: >>> >>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 >>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL >>> doveadm: Erro...
2017 Feb 03
3
Dovecot dsync 'ssl_client_ca'
Hello, Still working on my dsync problem. I have made a clone (VMware) of my email server. Today I have two strictly identical email servers, server1 (main) and server2 (bck), except for IP, hostname and mail_replica. The SSL config on both my servers: ssl_protocols = !SSLv2 !SSLv3 ssl = required verbose_ssl = no ssl_key = </etc/ssl/private/private.key ssl_cert =
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
...> The result is the same with or without "<" before the file path. With > "<" the inode atime is updated at Dovecot startup, so the file is at > least opened, but Dovecot still can't verify the cert. > > The only place in the Wiki that shows an example of ssl_client_ca_file > is on this page, and there's no "<" in front of the file path: > > http://wiki2.dovecot.org/Replication > > (quote) > The client must be able to verify that the SSL certificate is valid, so > you need to specify the directory containing valid SSL CA roots:...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
.../Replication >>> >>> (quote) >>> The client must be able to verify that the SSL certificate is valid, so >>> you need to specify the directory containing valid SSL CA roots: >>> >>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat >>> (end quote) >>> >> >> Suggesting that on Redhat you should specify "the directory containing >> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy. >> Sounds like setting a file instead. So t...
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
...key = </path/to/my/file.pem > ssl_require_crl = no > > I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a > temporary workaround, even though this is not what ssl_ca is for. It > happens to work, at least for now, but this is not a fix. > > ssl_client_ca_file should be used instead, but it has no effect in > proxy mode: > > ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt > > This doesn't work either (and the Dovecot Wiki shows it used without > "<"): > > ssl_client_ca_file = </usr/local/share/cer...