similar to: ssl_verify_server_cert against SAN?

Have you considered any alternatives? I'm thinking of IPSec to create a secured network encapsulation channel(s) "above" the TCP connection(s). This would provide encryption with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK). -- K On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote: > Ok then it seems again a MariaDB

On 17.4.2019 23.00, Kostya Vasilyev via dovecot wrote: > I'm not Aki but hope you don't mind... > > On Wed, Apr 17, 2019, at 10:42 PM, TG Servers via dovecot wrote: >> Hi, >> >> MariaDB documentation says it accepts OpenSSL cipher strings in its >> ssl_cipher parameters like ssl_cipher="TLSv1.2". >> This is also mentioned when creating or

> On 18 April 2019 11:34 TG Servers via dovecot <dovecot at dovecot.org> wrote: > > > Hi, > > when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)? > Because this doesn't seem to work. I get a certification verification error in handshake when connecting via IP. > But the cert is good as the

Hello! I'm attempting to get Dovecot working with MySQL user database on another machine. I can connect to the MySQL (5.7.26) instance with SSL enabled: ?mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p However if I use the same values in dovecot-sql.conf.ext, I

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 20/07/2019 13:12 Reio Remma via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div>

Hello All, First of all thanks a lot for providing a quality software such as Dovecot. I am having troubles for setting up the config files of OpenBSD's binary package of Dovecot, flavor sieve/mysql. Do you know where some documentation could be found for setting up correctly the .conf (dovecot.conf & dovecot-sql.conf) since it does not even load ("Error in configuration file

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot@dovecot.org> wrote: </div> <div> <br> </div> <div> <br>

Hey everybody, I'm trying to get mysql master/slave replication to work under SSL. I've created the certs for both the slave and the master. I've configured the master and slave my.cnf. And it does appear that replication is actually working. Master is actually MariaDB (version 5.5.41-MariaDB-log, and the slave is MySQL (version 5.5.41-log). But there are two issues I'd like to

On 18/07/2019 23:24, Reio Remma via dovecot wrote: > Hello! > > I'm attempting to get Dovecot working with MySQL user database on > another machine. I can connect to the MySQL (5.7.26) instance with SSL > enabled: > > ?mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem > --ssl-cert=/etc/dovecot/client-cert.pem > --ssl-key=/etc/dovecot/client-key.pem

I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f. A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (ie; me) were unaffected. Could anyone share a set of port 993/995 SSL

On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot at dovecot.org> wrote: > > On 20.07.2019 22:37, Aki Tuomi via dovecot wrote: >> >>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot at dovecot.org> <mailto:dovecot at dovecot.org> wrote: >>> >>> >>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: >>>>

On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote: >> i thought ssl_ca is where to put the intermediate cert? Well, it surely worked that way until v2.3... > (Sorry for duplicate mail, keyboard acted up...) > > No, that has always been a mistake and it was fixed in 2.3. Our SSL > pages in documentation & wiki have always recommended concatenating >

I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`. Now, there is no way to exclude a specific group of one or more TLS versions. For a new bug report, I think we need two new settings: * `ssl_tls13_ciphersuite` and * `ssl_tls10_cipher`