I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?

Marek

Sent with Proton Mail secure email.

On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot <[email protected]> wrote:

> Both these commands return the same result as the previous one I posted.
>
> Sent with Proton Mail secure email.
>
> On Thursday, 20 November 2025, 17:07, Aki Tuomi [email protected] wrote:
>
> > either do
> >
> > openssl s_client -connect host:993
> >
> > or
> >
> > openssl s_client -connect host:143 -starttls imap
> >
> > Aki
> >
> > > On 20/11/2025 17:49 EET Marek Greško via dovecot [email protected] wrote:
> > >
> > > When trying openssl s_client to port 143, I get:
> > >
> > > no peer certificate available
> > > --
> > > No client certificate CA names sent
> > > Negotiated TLS1.3 group: <NULL>
> > > ---
> > > SSL handshake has read 5 bytes and written 1556 bytes
> > > Verification: OK
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Protocol: TLSv1.3
> > > This TLS version forbids renegotiation.
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > Early data was not sent
> > > Verify return code: 0 (ok)
> > >
> > > Why is there no certificate present? Because dovecot refuses to present it
> > > since it thinks it is weak?
> > >
> > > Marek
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > On Thursday, 20 November 2025, 16:45, Marek Greško [email protected] wrote:
> > >
> > > > Hello,
> > > >
> > > > I added ca_file to the server section. I do not want clients to present
> > > > certificates, so I did not create the ssl client section you proposed.
> > > >
> > > > Any other suggestion?
> > > >
> > > > I still cannot imagine what could be the cause.
> > > >
> > > > Thanks
> > > >
> > > > Marek
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Thursday, 20 November 2025, 16:13, pgnd [email protected] wrote:
> > > >
> > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got
> > > > > > upgraded to version 2.4.
> > > > >
> > > > > imo, a sloppy choice on their part, forcing the need to significantly
> > > > > change imap config at the same time as an OS upgrade, and 'breaking
> > > > > imap' for lots of folks.
> > > > >
> > > > > > Should the authority certificate be configured somewhere in dovecot?
> > > > >
> > > > > start with a thorough read of
> > > > >
> > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > >
> > > > > if using self-signed certs, you'll end up with something similar to
> > > > >
> > > > > ssl = required
> > > > > ...
> > > > > ssl_server {
> > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > >   cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > >   key_file = /path/to/your_domain.server.ec.key.pem
> > > > >   ...
> > > > > }
> > > > > ssl_client {
> > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > >   cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > >   key_file = /path/to/your_domain.client.ec.key.pem
> > > > >   ...
> > > > > }
> > >
> > > _______________________________________________
> > > dovecot mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
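
Added example, not part of any message in this thread: a POSIX shell helper that classifies saved openssl s_client output like the transcript quoted above, treating "Verify return code: 0 (ok)" as meaningless when no certificate or cipher was negotiated (0 is what OpenSSL reports when the peer presented no certificate). The name classify_s_client and its verdict strings are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. classify_s_client and its verdict
# strings are hypothetical names chosen for this sketch.

classify_s_client() {   # s_client output on stdin -> one verdict line
    awk '
        /no peer certificate available/      { nocert = 1 }
        /^New, \(NONE\), Cipher is \(NONE\)/ { nocipher = 1 }
        /^SSL handshake has read/            { bytes = $5 }
        /^Server certificate/                { cert = 1 }
        /Verify return code:/ { sub(/^.*Verify return code: /, ""); verify = $0 }
        END {
            # With no certificate or cipher, "Verify return code: 0 (ok)"
            # is only the default value: nothing was actually verified.
            if (nocert || nocipher) printf "handshake-failed read=%s\n", bytes
            else if (cert && verify ~ /^0 /) printf "cert-verified read=%s\n", bytes
            else if (cert) printf "cert-unverified read=%s code=%s\n", bytes, verify + 0
            else print "unknown"
        }'
}

sample_failed() {   # abridged from the output quoted in the thread
    cat <<'EOF'
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
Verify return code: 0 (ok)
EOF
}

sample_untrusted() {   # constructed: handshake completes, CA not trusted
    cat <<'EOF'
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
SSL handshake has read 1432 bytes and written 391 bytes
Verification error: self-signed certificate in certificate chain
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 19 (self-signed certificate in certificate chain)
EOF
}

sample_failed | classify_s_client
sample_untrusted | classify_s_client
```

To check a live server, pipe the output of either s_client command from the thread into classify_s_client with stdin closed (for example `</dev/null`) so the client exits after the handshake.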
