Agree with Hugo: most root CAs have intermediate certificates, which should be supplied with your server certificate. Otherwise the chain won't work and no client will trust it.
- original message -
Subject: Re: [Dovecot] SSL/TLS with Outlook client
From: Hugo Monteiro <[EMAIL PROTECTED]>
Date: 14/11/2007 00:14

Eli Sand wrote:
> Hugo Monteiro wrote:
>
>> Ah ... wildcard certs .. from what I recall, certs issued like
>> *.example.com were not very well accepted by M$ clients. You should
>> test against non wildcard certs and see how it behaves.
>>
>
> Already have and no luck :( My domain is elisand.com and I have tried
> *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
> not, whatever it is is what I tried) and mail.elisand.com which is the
> smtp/imap server name I use in Outlook. All three yield the same result :(
>
> Eli.
>
>

I have taken the liberty to connect to your server using openssl, and I've seen the following:

$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
---

I believe you should change two things. If the name you wish to use on your clients is mail.alisand.com, then the certificate should read CN=mail.elisand.com. Furthermore, it's always a good idea to provide the chaining certificate path on Dovecot's side. Try using the ssl_ca_file directive in Dovecot's configuration.

Regards,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email    : [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt [EMAIL PROTECTED]

ci.fct.unl.pt:~# _
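
An added example, not part of either message above: a small Python check that reads `openssl s_client` output in the one-line `/CN=...` form quoted in the thread and reports how the leaf name matches the host configured in the mail client, how many certificates the server sent, and which issuer the client must already hold. The function names and the report layout are this example's own.

```python
import re

# s_client output as quoted in the thread (addresses are redacted on the page).
SAMPLE = """\
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain:
            m = re.match(r"\s*\d+\s+s:(.*)", line)
            if m:
                chain.append([m.group(1).strip(), None])
            elif line.strip().startswith("i:") and chain:
                chain[-1][1] = line.strip()[2:]
    return [tuple(c) for c in chain]

def common_name(dn):
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None

def name_match(cn, host):
    """'exact', 'wildcard' (leftmost label only), or 'mismatch'."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return "exact"
    if cn.startswith("*.") and "." in host and host.split(".", 1)[1] == cn[2:]:
        return "wildcard"
    return "mismatch"

def review(text, host):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' section found")
    # Each certificate sent must be issued by the next one sent.
    broken = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    subject, issuer = chain[-1]
    # Issuer the client needs in its own store (None if the last cert is self-signed).
    needs = None if subject == issuer else common_name(issuer)
    return {"name": name_match(common_name(chain[0][0]), host), "sent": len(chain),
            "broken_links": broken, "client_must_trust": needs}
```

If `client_must_trust` names an intermediate rather than a root that clients ship with, the server is not sending the chain that the `ssl_ca_file` advice above is meant to supply.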