Timo Sirainen <t...@iki.fi> wrote:

> On 24.3.2013, at 23.07, Michael Grimm <trash...@odo.in-berlin.de> wrote:
>
>> First of all I did need to extend http://wiki2.dovecot.org/Replication to
>> get dsync over tcp running without ssl:
> ..
>> | dovecot: doveadm(test): Error: doveadm_password not set, can't
>> authenticate to remote server
>
> Updated http://master.wiki2.dovecot.org/Replication with it.

My point has been that I needed to add ...

| local 1.2.3.4 {
|   doveadm_password = secret
| }

... besides ...

| service doveadm {
|   inet_listener {
|     address = 1.2.3.4
|     port = 12345
|   }
| }

... which I cannot find at http://master.wiki2.dovecot.org/Replication if I am not mistaken.

>> 1. Question: may one include "secret" from a file?
>
> name = </path/file works for all settings.

Thanks, applied and working.

>> Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm'
>> (see above) and adding ...
>>
>> | # used by replicator/dsync over tcp
>> | #
>> | ssl_client_ca_dir = /<path-to>/ssl/certs
>>
>> ... and ...
>>
>> | mail_replica = tcps:SERVER-A.TLD
>>
>> But, this didn't work (logfile at remote server):
>>
>> | dovecot: doveadm(test): Invalid certificate: self signed certificate:
>> /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmas...@other-name.tld
>> | dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL
>> certificate
>> | dovecot: doveadm(test): Error: sync: Disconnected from remote
>>
>> The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
>>
>> | ssl_cert = </<path-to>/ssl/certs/OTHER-NAME.TLD.pem
>> | ssl_key = </<path-to>/ssl/private/OTHER-NAME.TLD.pem
>>
>> I did supply SERVER-A.TLD certs and private certificates at both servers as
>> well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync
>> instead :-(
>
> The SERVER-A.TLD needs to have a certificate that is signed by one of the CAs
> in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You can't
> use a self-signed cert, unless you put it into the CA dir (I don't know how
> exactly that works).
I did get tcps running in the meantime following:

1. http://www.zytrax.com/tech/survival/ssl.html ("Method 3" plus "Multi-Server Certificates")
2. postfix' documentation at http://www.postfix.org/TLS_README.html#server_cert_key (here I had to reverse order, meaning CA first)
3. pointing ssl_cert, ssl_key to relevant files in /<path-to>/ssl/ca/certs and /<path-to>/ssl/ca/private, respectively
4. ssl_client_ca_dir = /<path-to>/ssl/ca/certs

Question: Why is it necessary to use ssl_cert/key settings from my CA although you state:

> ssl_cert/key settings are irrelevant here.

Although dovecot is synchronising as expected, I do get a lot of logfile entries like ...

| dovecot: dsync-local(test): Warning: I/O leak: 0x10b8cf20 (line 341, fd 14)

... and in addition if "verbose_ssl = yes" is set:

| dsync-remote(test): Warning: SSL alert: where=0x4004, ret=256: warning close notify

Hmm, I do have to admit that I do not understand SSL/TLS/CA/...! Thus, I am uncertain whether to ignore those warnings or if my setup is broken in the first place?

All hints are highly appreciated,
Michael