Displaying 20 results from an estimated 10000 matches similar to: "Multiple ssl-certs on different ports with the same protocol"
2010 Aug 29
1
Different IPs should use different ssl-certs/keys
I don't understand how to use multiple keys/certs on different IPs
without SNI.
http://wiki2.dovecot.org/SSL/DovecotConfiguration explains how to use
different keys for different protocols like POP3 and IMAP.
But how to bind those keys/ on IPs/Ports?
Looks like it is not possible to use ssl_cert inside
service { inet_listener {} }
Is it still necessary to run multiple instances like
2014 Nov 17
1
Different SSL certificates per IP and protocol
Hi Dovecot Users and Developers,
I am hosting the server with multiple domains.
I have setup the dovecot with the instructions from
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Each domain has its own IP address. However, when I connect via
Thunderbird or any other mail clients, the client is ONLY picking up the
top-level "default" ssl_key and ssl_cert and the
2018 Jul 30
0
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
> On 30 July 2018 at 21:42 J Doe <general at nativemethods.com> wrote:
>
>
>
> > On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> >
> > Am 29.07.2018 um 21:02 schrieb J Doe:
> >> Hello,
> >> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
> >> In: 10-ssl.conf there are
2018 Jul 30
2
Restricting SSL/TLS protocol versions on Dovecot 2.2.22
> On Jul 29, 2018, at 6:02 PM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>
> Am 29.07.2018 um 21:02 schrieb J Doe:
>> Hello,
>> I have a question regarding SSL/TLS settings for Dovecot version 2.2.22.
>> In: 10-ssl.conf there are two parameters:
>> ssl_protocols
>> ssl_cipher_list
>> ssl_protocols is commented with "SSL protocol to
2015 May 26
6
FREAK/Logjam, and SSL protocols to use
List, good afternoon,
I was reading up on a TLS Diffie Hellman protocol weakness described here
https://weakdh.org/sysadmin.html
which is similar to the earlier FREAK attack, and can result in
downgrade of cipher suites.
Part of the solution workaround that the researchers describe for
Dovecot here
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and
2015 May 27
2
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>:
> On 05/26/2015 10:37 AM, Ron Leach wrote:
>> https://weakdh.org/sysadmin.html
>>
>> includes altering DH parameters length to 2048, and re-specifying the
>> allowable cipher suites - they give their suggestion.
>
> It looks like there is an error on this page regarding regeneration. In
> current dovecots
2010 Aug 05
1
Dovecot 2.0.rc4 not generating ssl-parameters.dat on first start
Dear Dovecot lovers!
When starting Dovecot 1.x the first time, it runs "ssl-build-params"
to generate a file named "ssl-parameters.dat". This takes a couple
of minutes. During this time users have no access to their mail,
but this can be planned in advance and users can be notified.
This is explained in http://wiki.dovecot.org/SSL/DovecotConfiguration
With Dovecot 2.0.rc4,
2018 Jul 30
1
Doveadm protocol; dovecot v2.2.10
Hi there,
Just wondering what is considered current best practice for managing dovecot?
The options I see are:
Doveadm binary
Doveadm protocol via socket
Doveadm http protocol
I'm currently on v2.2.10 and it appears the doveadm protocol command set is limited to just the "mailbox" commands and the http protocol hasn't been implemented.
Is the doveadm http protocol still experimental in v2.3.2?
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
From the config : auth_ssl_require_client_cert = no
GMail empty vcard ... I have no ideas . so sorry.
Coding snippets. What can I provide for you that will help?
NOTE: it is pretty much the default config from Debian.
Thank you,
On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>
> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
> > Config has
>
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>:
> On 05/27/2015 09:55 AM, Rick Romero wrote:
>> Quoting Gedalya <gedalya at gedalya.net>:
>>
>>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>>> https://weakdh.org/sysadmin.html
>>>>
>>>> includes altering DH parameters length to 2048, and re-specifying the
>>>> allowable
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/26/2015 10:37 AM, Ron Leach wrote:
>
> https://weakdh.org/sysadmin.html
>
> includes altering DH parameters length to 2048, and re-specifying the
> allowable cipher suites - they give their suggestion.
It looks like there is an error on this page regarding regeneration. In
current dovecots ssl_parameters_regenerate defaults to zero, and this
means regeneration is
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/27/2015 09:55 AM, Rick Romero wrote:
> Quoting Gedalya <gedalya at gedalya.net>:
>
>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>> https://weakdh.org/sysadmin.html
>>>
>>> includes altering DH parameters length to 2048, and re-specifying the
>>> allowable cipher suites - they give their suggestion.
>>
>> It looks like there
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
On 27/05/2015 05:22, Gedalya wrote:
> It looks like there is an error on this page regarding regeneration.
> In current dovecots ssl_parameters_regenerate defaults to zero, and
> this means regeneration is disabled. The old default was 168 hours (1
> week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the
2011 Jun 27
2
Per IP ssl certificates
I have to manage 2 different domains, with 1 ssl certificate each, but I don't
know how to configure them.
I tried this example:
"Different certificates per IP and protocol"
http://wiki2.dovecot.org/SSL/DovecotConfiguration
but I got this error:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl
enabled, but ssl_cert not set
I don't find any documentation
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Hello Aki and all,
The below lines are in the dovecot config file. This seems to be the
same as Aki's suggestion. correct? I have also double checked file
perms, tried with several new key gens, several versions of thunderbird
and created completely new thunderbird profiles.
Thank you,
ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
ssl_key =
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
On 2020-05-25 02:54, hanasaki at gmail.com wrote:
> Config has
> ssl_verify_client_cert = no
> What options might have the client auth turned on?
why does gmail attach empty vcard info?
without any config snippets it's hard to say what config error is local
https://wiki.dovecot.org/SSL/DovecotConfiguration
is it auth_ssl_require_client_cert = yes
I don't use this auth features to
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers *server* client untrusted.
If you are using LE cert you should configure
ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
ssl_key=</etc/letsencrypt/live/domain/privkey.pem
Aki
> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>
>
> From the config
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Hi!
Can you do
openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
and check these things:
your server hostname is included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
Also, can you provide output of
openssl s_client -connect host:993 -trace
Aki
> On 25/05/2020 18:46 hanasaki
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Sorry...
openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem
and
openssl s_client -connect host:993
Aki
> On 25/05/2020 18:52 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>
>
> s_client: Option unknown option -trace
> ***
> x509: Unknown parameter text
>
>
> On 5/25/20 11:49 AM, Aki Tuomi wrote:
> > Hi!
> >
>
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
s_client: Option unknown option -trace
***
x509: Unknown parameter text
On 5/25/20 11:49 AM, Aki Tuomi wrote:
> Hi!
>
> Can you do
>
> openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
>
> and check these things:
>
> your server hostname is included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see