Geoff Sweet wrote:
> Ok so I downloaded the intermediate ca cert thing onto my local machine
> as intca.cer. Then I ran this command:
>
> :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995

You're pointing to a *file* so you need -CAfile; not -CApath. But even
after making that change, there appears to be a problem with your cert.
To test, I downloaded common root certificates from the curl website and
placed them in ~/CA. Then, the gmail cert verifies just fine:

  % openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 -quiet
  depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
  verify return:1
  +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17

However, your server cert still fails. This may be related to the
intermediate cert you define in dovecot.conf. I also noticed the zlib
compression is turned on, whereas it is disabled on my own and many other
POP and IMAP servers I tested. This does not appear to be a dovecot issue;
perhaps try the OpenSSL mailing list?

-- 
Sahil Tandon <sa...@tandon.net>
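
The -CAfile / -CApath distinction from the reply above, as an added example that is not part of the original message: it verifies one certificate three ways with `openssl verify`, using a throwaway CA so it runs offline. The names "Demo Test CA" and "pop.example.test" and the helper functions are constructed for illustration; it assumes the openssl CLI is on PATH and reports verification failure through its exit status.

```shell
#!/bin/sh
# Added illustration: -CAfile takes one PEM bundle, -CApath takes a directory
# of certificates named <subject-hash>.0. All names and keys are constructed.

# Build a throwaway CA, a server cert signed by it, and a hashed CA directory.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=pop.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    # The file name must be the subject hash, or the directory lookup misses it.
    h=$(openssl x509 -noout -hash -in "$dir/ca.pem") || return 1
    mkdir "$dir/hashed" && cp "$dir/ca.pem" "$dir/hashed/$h.0"
}

# Usage: check_chain -CAfile|-CApath <trust-source> <cert>; prints ok or fail.
check_chain() {
    if openssl verify "$1" "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    if make_demo_pki "$d"; then
        echo "-CAfile <file>:       $(check_chain -CAfile "$d/ca.pem" "$d/leaf.pem")"
        echo "-CApath <file>:       $(check_chain -CApath "$d/ca.pem" "$d/leaf.pem")"
        echo "-CApath <hashed dir>: $(check_chain -CApath "$d/hashed" "$d/leaf.pem")"
    fi
    rm -rf "$d"
}

run_demo
```

The middle case is the one from the quoted command: openssl accepts a file name after -CApath without complaint, finds no hashed entries under it, and the chain fails to verify.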