similar to: SSL error after upgrading to 2.31

After upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong. No (No signatures could be verified because the chain contains only one certificate and it is not self signed.) ssl = yes ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt local mail.ctyme.com { ? protocol imap { ??? ssl_cert =

On 28.05.2018 12:06, Hauke Fath wrote: > On 05/21/18 17:55, Aki Tuomi wrote: >> ssl_ca is used only for validating client certificates. > > But it was used (though not documented, IIRC) for validating server > certs, too. Since intermediate CA certs are usually valid a lot longer > than the server certs, having to concat the certs is awkward, at best. > > I would very

On 28.05.2018 13:05, Hauke Fath wrote: > On 05/28/18 11:08, Aki Tuomi wrote: >> >> >> On 28.05.2018 12:06, Hauke Fath wrote: >>> On 05/21/18 17:55, Aki Tuomi wrote: >>>> ssl_ca is used only for validating client certificates. >>> >>> But it was used (though not documented, IIRC) for validating server >>> certs, too. Since

On 28.05.2018 14:30, Hauke Fath wrote: > On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote: >> I'm sure. But putting it as ssl_ca makes no sense, since it becomes >> confused what it is for. > I guess - I haven't had a need for client certs, and only ever used > ssl_ca for the server ca chain. > >> We can try restoring this as ssl_cert_chain setting in

On 11/13/18 19:58, Aki Tuomi wrote: > On 13 November 2018 at 20:53 Arkadiusz Mi?kiewicz wrote: >> I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to >> dovecot 2.3.3 run with openssl 1.1.1. >> >> Currently I have both variants running with identical configs and certs >> (the only differences are due to config syntax changes in dovecot

All, our dovecot installation provides a bundle of intermedia CA certificates using the ssl_ca option. 2.3.0 does not supply the bundle, resulting in various clients either complaining about an unverifiable server cert, or quietly not connecting. The log has Jan 5 17:01:46 Bounce dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX, lip=YYY, TLS

On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: > Was the certificate path bundled in the server certificate? No, as a separate file, provided from the local (intermediate) CA: ssl_cert = </etc/openssl/certs/server.cert ssl_key = </etc/openssl/private/server.key ssl_ca = </etc/openssl/certs/ca-cert-chain.pem Worked fine with 2.2.x, 2.3 gives % openssl s_client -connect XXX:993

On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote: >> i thought ssl_ca is where to put the intermediate cert? Well, it surely worked that way until v2.3... > (Sorry for duplicate mail, keyboard acted up...) > > No, that has always been a mistake and it was fixed in 2.3. Our SSL > pages in documentation & wiki have always recommended concatenating >

Hi. I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1. Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have: ssl_ca = </etc/openssl/certs/wildcard_ca.pem (this file contains single intermediate certificate of

On Thu, 11 Jan 2018 13:22:07 +0200, Aki Tuomi wrote: > Can you try if it works if you concatenate the cert and cert-chain > to single file? We'll start looking if this is misunderstanding or bug. This is a production machine, so I would rather stick with the downgrade until you've looked into the issue. I went home late yesterday. ;) Cheerio, Hauke -- The ASCII Ribbon

OK - trying to migrate to dovecot and I like what I see so far, but having a hard time getting it to work. I decided to go with the 1.0 version because I need to get away from the ~/Mail namespace. I'm trying to port from a Linuxconf virtual WU-IMAP type config. So - I compiled but then decided I wanted mysql so I tried to reconfigure and now getting compile errors. Looks like I'm

http://dovecot.org/releases/2.2/dovecot-2.2.24.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.24.tar.gz.sig This should be a good release. :) * doveconf now warns if it sees a global setting being changed when the same setting was already set inside some filters. (A common mistake has been adding more plugins to a global mail_plugins setting after it was already set inside protocol

http://dovecot.org/releases/2.2/dovecot-2.2.24.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.24.tar.gz.sig This should be a good release. :) * doveconf now warns if it sees a global setting being changed when the same setting was already set inside some filters. (A common mistake has been adding more plugins to a global mail_plugins setting after it was already set inside protocol

On 11.01.2018 13:20, Hauke Fath wrote: >/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the certificate path bundled in the server certificate? />/No, as a separate file, provided from the local (intermediate) CA: />//>/ssl_cert = </etc/openssl/certs/server.cert />/ssl_key = </etc/openssl/private/server.key />/ssl_ca =

On 05/28/18 11:08, Aki Tuomi wrote: > > > On 28.05.2018 12:06, Hauke Fath wrote: >> On 05/21/18 17:55, Aki Tuomi wrote: >>> ssl_ca is used only for validating client certificates. >> >> But it was used (though not documented, IIRC) for validating server >> certs, too. Since intermediate CA certs are usually valid a lot longer >> than the server

Hi list, after about a day of operation, dovecot 1.0alpha5 (NetBSD/i386 2.1) died on me with Dec 14 10:53:52 bounce dovecot: pipe() failed: Too many open files Dec 14 10:54:23 bounce last message repeated 279661 times Dec 14 10:56:23 bounce last message repeated 1071807 times Dec 14 10:56:59 bounce last message repeated 325386 times -- any ideas on what to tune? hauke -- /~\ The ASCII

On 05/21/18 17:55, Aki Tuomi wrote: > ssl_ca is used only for validating client certificates. But it was used (though not documented, IIRC) for validating server certs, too. Since intermediate CA certs are usually valid a lot longer than the server certs, having to concat the certs is awkward, at best. I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.

On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote: > I'm sure. But putting it as ssl_ca makes no sense, since it becomes > confused what it is for. I guess - I haven't had a need for client certs, and only ever used ssl_ca for the server ca chain. > We can try restoring this as ssl_cert_chain setting in future release. Sounds good. How about (re)naming them

Hi, the email status problem that I reported for Dovecot 0.99.10.5 on June 3rd does still show up in 0.99.10.6. Quoting myself: (1) When new mail is delivered to the inbox, the last read mail(s) change(s) to "unread". Clients: Eudora 6 (Mac), Mozilla 1.6 (NetBSD, Linux, Win XP), MS Outlook. (2) When you attempt to move mails from the inbox to another folder with Mozilla (1.6 on