On 11 Oct 2015, at 20:04, Heiko Schlittermann <h...@schlittermann.de> wrote: > > Hello, > > I'm using a dovecot as proxy, connecting to one or more backends. > The backends use X.509 certificates. > > The proxy's passdb returns > > extra fields: > user=foo > proxy > host=backend1.<domain> > ssl=yes > nopassword=y > > Thus the proxy connects to the backend but can't verify the backends > certificate. > > The following comment suggests using ssl_client_ca_file for that. > > # Directory and/or file for trusted SSL CA certificates. These are used > only > # when Dovecot needs to act as an SSL client (e.g. imapc backend). The > # directory is usually /etc/ssl/certs in Debian-based systems and the file > is > # /etc/pki/tls/cert.pem in RedHat-based systems. > #ssl_client_ca_dir = > #ssl_client_ca_file = > ssl_client_ca_file = /tmp/certs/ca-local.pem > > But that does not work! Instead I've to use ssl_ca > > # PEM encoded trusted certificate authority. Set this only if you intend > to use > # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) > # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) > # ssl_ca = > ssl_ca = </tmp/certs/ca-local.pem > > Bug or feature? Mainly I'm asking because the comments do not indicate > that I should have used ssl_ca for this type of operation (dovecot as a > SSL client)
It's a missing feature. I updated http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy about this. I'm thinking that once login-common code uses lib-ssl-iostream instead of the duplicated SSL code this gets fixed more or less automatically. Note sure if that'll happen for v2.3 or not.
