similar to: /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism

Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one

On 2015/2/16 16:28, Jochen Bern wrote: > On 02/16/2015 04:23 PM, Reindl Harald wrote: >>> "The CA file should contain the certificate(s) followed by the >>> matching CRL(s). Note that the CRLs are required to exist. For a >>> multi-level CA place the certificates in this order: >>> >>> Issuing CA cert >>> Issuing CA CRL

Am 16.02.2015 um 15:53 schrieb dovecot at lists.killian.com: > Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki: > > "The CA file should contain the

This directory in later times is where more and more distros are putting system wide server CA type certs, most distros are moving to this path, so the package maintainer should fix their script, maybe to /etc/ssl/private or such. On 2/16/15, Wolfgang Gross <WGross at uni-hd.de> wrote: > Hi, > > this is not a genuine Dovecot bug, more a nuisance. > It applies to OpenSuse 13.2

Hi, this is not a genuine Dovecot bug, more a nuisance. It applies to OpenSuse 13.2 but maybe also to other Linux's. The standard installation of Dovecot (especially 10-ssl.conf) places the certificate dovecot.pem in /etc/ssl/certs. Sometimes during updates does OpenSuse renew all certificates in /etc/ssl/certs and erases dovecot.pem. This blocks further access to the mailbox. I found a

Hi I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If

Hi, already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is

Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new

Dear List, I self-host my e-mail and run Dovecot since ever I do that. Dovecot version is 2.3.4.1 (f79e8e7e4), running on Debian testing. Now I am trying to configure Dovecot for client TLS certificates. I have a self-signed certificate whose private key resides on a smartcard (Yubikey, to be exact). I wanted Dovecot to accept that TLS client certificate instead of a password. So I searched and

Hello, I am using Postfix/Dovecot/IMAP. Everything is working fine, but I have noticed that every time I connect with Thunderbird to my server via IMAP, not one but 4 connections are being logged into /var/log/mail/mail.log: 2014-08-27 09:17:46 dovecot: imap-login: Login: user=<martin>, method=PLAIN, rip=11.22.33.44, lip=55.66.77.88, mpid=12519, TLS, session=<uyb/N5cB+gBUDFRB>

Hello, there is a way with a sieve rule to add a Date: header when it is missing? Adding one with the time of reception of the message or using the date from the the first Received: header would be good options. Unfortunately I'm receiving some useful automated messages that lack a Date header and this screws up the sorting in my imap clients. I have a script to fix those acting on the

Hi all I recently install Postfix and Dovecot, and so far so good. My assumption was that calendar and address book (similar to Gmail calendar or address book) are part of Dovecot. However I do not see anything concerning them in any of the docs I have read so far. What other software (ideally open source, free) do I need in other to have Calendar and address book so my users can manage their

Hi, I have a postfix+dovecot-2.2.13 system and have configured it to support IMAPS on 993 with SSL/TLS. I'm noticing with users using Thunderbird, the autodetect defaults to IMAPS on 143 with STARTTLS. Which is preferred? Which is more secure? Which is more common? Why would someone choose one over the other? Can I ask the same question about SMTP and submission? Why would one choose 587

Hello all! # dovecot --version 2.1.17 Sometimes I have this in the logfile: May 11 16:55:52 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:35:03 master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped May 11 17:36:27 master: Warning: service(imap-login): process_limit (100)

after having my own dnsbl feeded by a honeypot and even mod_security supports it for webservers i think dovecot sould support the same to prevent dictionary attacks from known bad hosts, in our case that blacklist is 100% trustable and blocks before SMTP-Auth while normal RBL's are after SASL i admit that i am not a C/C++-programmer, but i think doing the DNS request and in case it has a

> Seems like your firewall could redirect to a different port that doesn't > offer starttls. Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone. Michael

Am 04.03.2015 um 21:03 schrieb Dave McGuire: > On 03/04/2015 02:12 PM, Michael Orlitzky wrote: >>> I would like to reiterate Reindl Harald's point above, since subsequent >>> discussion has gotten away from it. If Dovecot had DNS RBL support >>> similar to Postfix, I think quite a few people would use it, and thereby >>> defeat the scanners far more

On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > doveconf -n? doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what

Hi All, I would like to use glusterfs in an environment where storage servers are managed by an IT service - myself :) - and several users in the organization can mount the distributed fs. The users are root on their machines. As far as I know about glusterfs, a root client user may impersonate any uid/gid since it provides its uid/gid itself when it talks to the bricks (like nfsv3). The thing

I would like to use Client certificate verification/authentication. My MTA used this function. I've a problem to make a valid certificate. For my MTA i used : openssl req -new -nodes -x509 -keyout user_key.pem -out user_req.pem -days 365 openssl ca -out user_signed.pem -infiles user_req.pem openssl pkcs12 -in user_signed.pem -inkey user_key.pem -out user.p12 -export -name "user at