On August 16, 2021 3:03:22 AM GMT+02:00, sil...@datavenia.nl wrote:
>Hello,
>
>I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it
>working in Postfix, but this example for Dovecot:
>https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support
>doesn’t seem to work for me.
>
>I’m using LetsEncrypt certificates. They work without a problem with the
>regular ssl_cert and ssl_key settings like this:
>
>ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
>
>… but as soon as I put them in local_name blocks like this:
>
>local_name datavenia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
>}
>
>local_name verovia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
>  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
>}
>
>and restart dovecot I get the following error:
>
>dovecot: imap-login: Error: Failed to initialize SSL server context: Can't
>load SSL certificate (ssl_cert setting): The certificate is empty: user=<>,
>rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>
>
You still need a default ssl_cert outside the local ... block.
This is noted in the section about different certs for different IPs, just
before the section about SNI:
-> Note
-> You will still need a top-level default ssl_key and ssl_cert as well, or you
will receive errors.
That default cert is used as fallback for clients that don't do SNI.
>
>I have verified that the certificate paths are correct, the files have
>content. I’ve already checked permissions (chmodded 777 to debug), as well as
>that these are actually symlinks (updated the config to point to the real
>files) but nothing so far seems to change anything. I have also recreated my
>dh.pem (4096).
>
>I’m hoping anyone has any idea where I might be going wrong.
>
>Kind regards,
>
>Silvan
>
>Output of dovecot -n:
>
># 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
># Pigeonhole version 0.5.13 (cdd19fe3)
># OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
># Hostname: azrael00
>auth_mechanisms = plain login
>mail_location = maildir:/var/mail/vhosts/%d/%n
>mail_privileged_group = mail
>namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
>}
>passdb {
>  args = /etc/dovecot/dovecot-sql.conf.ext
>  driver = sql
>}
>postmaster_address = postmas...@datavenia.nl
>protocols = imap lmtp
>service auth-worker {
>  user = vmail
>}
>service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0666
>    user = postfix
>  }
>  unix_listener auth-userdb {
>    mode = 0666
>    user = vmail
>  }
>  user = dovecot
>}
>service imap-login {
>  inet_listener imap {
>    port = 0
>  }
>}
>service lmtp {
>  unix_listener /var/spool/postfix/private/dovecot-lmtp {
>    group = postfix
>    mode = 0600
>    user = postfix
>  }
>}
>ssl = required
>ssl_dh = # hidden, use -P to show it
>userdb {
>  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
>  driver = static
>}
>local_name datavenia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
>  ssl_key = # hidden, use -P to show it
>}
>local_name verovia.nl {
>  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
>  ssl_key = # hidden, use -P to show it
>}
>
--
Christian Kivalo
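The corrected layout Christian describes, as an added example that is not part of the original thread or of the Dovecot documentation: the top-level ssl_cert/ssl_key are the default served to clients that send no SNI, and each local_name block overrides them for the name the client asks for. The paths are the ones Silvan posted; which domain to use as the default is an assumption (datavenia.nl here).

```conf
# Added example, not from the original thread. The default certificate is
# required even when every hostname has its own local_name block; it is the
# one served to clients that do not send SNI, so it must be a valid pair too.
ssl = required
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem

# Per-name certificates, selected by the SNI name the client sends.
# Without the default pair above, imap-login fails with
# "Can't load SSL certificate (ssl_cert setting): The certificate is empty".
local_name datavenia.nl {
  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
}

local_name verovia.nl {
  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
}
```

To confirm which certificate each name receives after a restart, `openssl s_client -connect <your-host>:993 -servername verovia.nl </dev/null | openssl x509 -noout -subject` prints the subject served for that SNI name (host is a placeholder); running it without `-servername` shows the default pair.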