similar to: chained SSL certificates

Hi, In case of tl;dr: I fixed a bug in TLS support for LMTP which caused chained certificates not to work, and another one which caused certificate read errors to be ignored; the patches are attached to this email. While testing LMTP with TLS and certificate verification by Postfix I discovered that certificate chains are not exchanged properly when using LMTP, even though everything works fine

I am running a production server with 40 pop3 users using dovecot 0.99.14. I am trying to get a chained certificate installed that I purchased through godaddy.com. I need some clarification on how to do this. I found some really vague instructions on the dovecot wiki http://wiki.dovecot.org/ChainedSSLCertificates?highlight=%28chained%29 Unfortunately these instructions are very confusing for me. I

Hi, I have, in one customer, a web server running on a Verisign-signed certificate SSL certificate. Everything works fine, IE and Firefox connects on https without asking anything, which usually happens on self-signed certificates. I'm trying to use that certificate on dovecot, but clients (Thunderbird basically) keeps saying the certificate is not valid. yes i'm using,

Sure, and thanks for trying to help! These are the two correct answers when SNI is included. The certificates are fully chained. Both certificates carry the same subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN). X509v3 Subject Alternative Name:? ? DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at, DNS:pop.cs.sbg.ac.at X509v3 Subject Alternative Name:? ?

I'm using Dovecot 2.2.5. I'm setting up and new IMAPS server for personal use (i.e. only me). I have success with self-signed certificates but not with others (e.g. StartSSL.com) With StartSSL certs: I've been able to connect and test commands via: openssl s_client -connect imaps.unixathome.org:993 Can you configure your iPhone or Macbook to access the above? Authentication

Hi. Little story :-) I'm playing with dovecot 2.2.25 and multiple SSL certificates. ~7000 certificates which are loaded twice, so my dovecot has ~14 000 certificate pairs (14k key + 14k cert) in config. 14 000 local_name entries. Like these: local_name imap.example.com { ssl_cert = </etc/certs/cert1.pem ssl_key = </etc/certs/cert1.pem } local_name pop3.example.com { ssl_cert =

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, So this question means you need to do some more reading about all SSL/TLS services. On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote: > Excuse dopey question. > I'm not exactly clear about certificates. > Apache2 default install has this snake oil certificate > Can make a new one for apache > Can make one for

Hi, I recognised some funny behaviour on my server. IMAP clients which won't send an Server Name Indication (SNI) sometimes get the wrong certificate. I would expect that those clients always get the default certificate (of my new domain), instead in about 20 to 50% of connections the certificate of my old domain will be presented. (sample rate was 3 times 30 connections) Clients sending SNI

Hello, we're running RC2 and seeing a problem with the way SSL certs are handled by Dovecot. We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no. Using this setup we get (rather interesting) log entries like these: Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert> Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA

Op 14-03-19 om 11:46 schreef mick crane via dovecot: > Excuse dopey question. > I'm not exactly clear about certificates. > Apache2 default install has this snake oil certificate > Can make a new one for apache > Can make one for dovecot > Can make one for ssl > Is there supposed to be the one (self signed ) certificate pair in one > place for the machine that each

With PKIX validation the certificate should match the hostname. With SMTP, the hostname should match the reverse IP though often it does not. Using subdomains gives you flexibility. with DANE validation, it is DNSSEC that validates the fingerprint to the hostname so I do not believe there is a need for the hostname in the cert to match anything, but DANE validation is currently not used by

Greetings. I was wondering if there were any plans to add support for an SSL certificate chain file? This is useful to provide a valid certificate chain for lower cost signing authorities. I'm afraid that I'm not 100% positive of the implementation requirements. Although it does seem that OpenSSL supports this concept. I am aware that Apache HTTPD (via mod_ssl) and Courier-IMAP offer

Am 02.04.2018 um 14:25 schrieb Jeff Abrahamson: > I'm handling mail for several domains, let's call them a.com, b.com, > and c.com. I have certificates for each of these domains individually > via certbot (letsencrypt) and nginx is happy with all of that. > > Since I initially configured the site to handle mail only for a.com, > my /etc/postfix/main.cf file currently

I have to manage 2 different domains, with 1 ssl certificate each, but I don't know how to configure them. I tried this example: "Different certificates per IP and protocol" http://wiki2.dovecot.org/SSL/DovecotConfiguration but I got this error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set I dont find any documentation

I've tried setting up multiple SSL-Certificates (using letsencrypt) for dovecot on my ubuntu machine. Used dovecot version is 2.2.18. Regarding to official docs this should be working. My test-client (Thunderbird on linux) has been mentioned to be working fine with SNI here: https://wiki.dovecot.org/SSL/SNIClientSupport https://wiki.dovecot.org/SSL/DovecotConfiguration#line-89 >

Can you provide some details on what those openssl commands returned? Aki On 20.07.2018 12:14, Martin Johannes Dauser wrote: > Hi, > > I recognised some funny behaviour on my server. IMAP clients which > won't send an Server Name Indication (SNI) sometimes get the wrong > certificate. I would expect that those clients always get the default > certificate (of my new

Hi list, ? I am currently trying to configure dovecot to act as a imap proxy in front of a Groupwise server. Because of a policy no services of the gw server may be directly served to the web. So currently this is only a security measure. Dovecot was previously used for providing sasl-auth capabilities to postfix. IMAP proxy features should be added now. Authentication backend is LDAP. OS is

Hi all, Ok, been wanting to do this for a while, and I after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs... Until now, we've been using self-signed certs with the following dovecot config: ssl = required ssl_cert = </etc/ssl/ourCerts/imap.pem ssl_key = </etc/ssl/ourCerts/imap_key.pem Now, I've created new keys/certs and the CSR, got the new

5 Gennaio 2017 01:21, "John Fawcett" <john at voipsupport.it> wrote: > On 01/04/2017 08:40 PM, Juri wrote: > >> Hi, >> I'm trying to configure a Dovecot dsync service between two servers, using a tcp+ssl connection and >> a valid Let's Encrypt certificate. >> I followed the guide on the wiki (http://wiki.dovecot.org/Replication) using the

On Thu, 14 Mar 2019 12:13:15 +0100 "Guido Goluke, MajorLabel via dovecot" <dovecot at dovecot.org> wrote: > Op 14-03-19 om 11:46 schreef mick crane via dovecot: > > Excuse dopey question. > > I'm not exactly clear about certificates. > > Apache2 default install has this snake oil certificate > > Can make a new one for apache > > Can make one