Displaying 20 results from an estimated 1000 matches similar to: "Dovecot proxy ignores trusted root certificate store"
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
> doveconf -n?
doveconf -n|grep ssl should suffice:
ssl = required
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
ssl_cert = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_require_crl = no
I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a
temporary workaround, even though this is not what
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
The result is the same with or without "<" before the file path. With "<"
the inode atime is updated at Dovecot startup, so the file is at least
opened, but Dovecot still can't verify the cert.
The only place in the Wiki that shows an example of ssl_client_ca_file is
on this page, and there's no "<" in front of the file path:
2015 Sep 21
2
Dovecot proxy ignores trusted root certificate store
On Mon, 21 Sep 2015, Andrew McN wrote:
>> http://wiki2.dovecot.org/Replication
>>
>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>>
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
On 22 Sep 2015, at 01:11, Alex Bulan <avb at korax.net> wrote:
>
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>
>> doveconf -n?
>
> doveconf -n|grep ssl should suffice:
>
> ssl = required
> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
> ssl_key = </path/to/my/file.pem
> ssl_require_crl = no
>
>
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
On 09/21/2015 05:11 PM, Alex Bulan wrote:
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>
>> doveconf -n?
>
> doveconf -n|grep ssl should suffice:
>
> ssl = required
shouldn't it be:
ssl = yes
I was only aware of the choice of yes or no here, but I could be wrong.
> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
>
2017 Mar 20
2
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>
> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
>
> Leave the < out. It is misleading, I know, but it does say file. =)
Makes no difference:
# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
and with
2017 Mar 20
4
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Hi!
I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:
Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
I checked, and alas, I had
ssl_client_ca_dir =
ssl_client_ca_file =
So I set:
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
On 2015-09-21 09:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
Hi
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context. It seems to
> be ignored in proxy context.
>
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
You are missing the "<" before the file path
Try ssl_client_ca_file =
2015 Oct 11
2
dovecot as proxy and verification of the backends certificate
Hello,
I'm using a dovecot as proxy, connecting to one or more backends.
The backends use X.509 certificates.
The proxy's passdb returns
extra fields:
user=foo
proxy
host=backend1.<domain>
ssl=yes
nopassword=y
Thus the proxy connects to the backend but can't verify the backend's
certificate.
The following comment suggests using ssl_client_ca_file for
2017 Feb 06
2
Dovecot dsync 'ssl_client_ca'
Hi Aki,
I do not have any error message but (on both servers):
doveadm replicator status '*'
doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
Thx
On Friday 3 February 2017 at 17:09:52, you wrote:
> Please keep responses in list. rm -f
> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
> On
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
On 21/09/15 17:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
doveconf -n?
On 09/21/2015 12:45 PM, Alex Bulan wrote:
> On Mon, 21 Sep 2015, Andrew McN wrote:
>
>>> http://wiki2.dovecot.org/Replication
>>>
>>> (quote)
>>> The client must be able to verify that the SSL certificate is valid, so
>>> you need to specify the directory containing valid SSL CA roots:
>>>
>>> ssl_client_ca_dir =
2017 Feb 03
4
Dovecot dsync 'ssl_client_ca'
Hi,
I have made a change:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 12345
    ssl = yes
  }
}
and doveadm_port = 12345 // mail_replica =
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set
>
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
Can this be the Lets Encrypt cert that we already have? In other words we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Can those be used?
> Are you using haproxy or something in front of dovecot?
No. Just Squirrelmail webmail with sendmail.
2017 Feb 07
2
Dovecot dsync 'ssl_client_ca'
Hello Markus,
> - Have you checked that port 12345 as specified below is open/forwarded
> and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
Yes of course:
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 22025/dovecot
tcp6 0 0 :::12345 :::* LISTEN 22025/dovecot
> -
2017 Aug 23
2
Aw: Dovecot - Postfix Calender Synchronisation
We murdered web applications with a chainsaw. Web 2.0 has too many security holes.
On Wed, Aug 23, 2017 at 8:35 PM, Mihai Badici <mihai at badici.ro> wrote:
> the vast majority of web applications around use the same stack.
2017 Jan 04
3
Dovecot dsync tcps sends incomplete certificate chain
Hi,
I'm trying to configure a Dovecot dsync service between two servers, using a tcp+ssl connection and
a valid Let's Encrypt certificate.
I followed the guide on the wiki (http://wiki.dovecot.org/Replication) using the tcps method, but
when I launch the replication it fails writing on the log (/var/log/mail.err):
(Server 1 - sync "client" )| Error: sync: Disconnected from
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
2017 Sep 28
2
imapc and masteruser
Hi,
My end goal is to set up shared mailboxes on a cluster as per:
https://wiki.dovecot.org/SharedMailboxes/ClusterSetup
I was having very little luck with it, so I had been trying to break
down into pieces and get individual components working. So I have
things set up on a single server, with a working dovecot instance. I
have no director or anything else running yet, and I am just trying