It seems copying the pem files from the configured location to the default one 
solved the problem. Is it a bug or a configuration problem that the files were not 
searched for in the configured path?

Thanks

Marek





Sent with Proton Mail secure email.

On Thursday, 20 November 2025 at 19:13, Marek Greško via dovecot 
<[email protected]> wrote:

> OK, while inspecting dovecot I see the problem.
> 
> doveconf -n reports different file paths than 10-ssl.conf file.
> 
> It is:
> 
> ssl_server {
> ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
> #ssl_server_dh_file = /etc/dovecot/dh.pem
> ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
> ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
> #cert_file = /etc/pki/tls/certs/dovecot.pem
> #key_file = /etc/pki/tls/private/dovecot.pem
> #prefer_ciphers = server
> request_client_cert = no
> }
> 
> there. The file is definitely read, because when I uncomment this 
> #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the 
> configuration is not accepted. If there is no meaningful reason for that, I 
> can fix it by configuration: I can overwrite the files in the default paths with 
> the wanted files.
> 
> Marek
> 
> Sent with Proton Mail secure email.
> 
> On Thursday, 20 November 2025 at 17:46, Aki Tuomi [email protected] 
> wrote:
> 
> > Can you post doveconf -n output?
> > 
> > Aki
> > 
> > > On 20/11/2025 18:37 EET Marek Greško via dovecot [email protected] 
> > > wrote:
> > > 
> > > I ran ls -lu on the key file. Its access time is not updated. It seems 
> > > dovecot does not even read it. What is the correct syntax?
> > > 
> > > Should it be in the ssl_server section? Should it be ssl_server_cert_file 
> > > or the cert_file parameter? Or even another?
> > > 
> > > Marek
> > > 
> > > Sent with Proton Mail secure email.
> > > 
> > > On Thursday, 20 November 2025 at 17:26, Marek Greško via dovecot 
> > > [email protected] wrote:
> > > 
> > > > Both these commands return the same result as the previous one I posted.
> > > > 
> > > > Sent with Proton Mail secure email.
> > > > 
> > > > On Thursday, 20 November 2025 at 17:07, Aki Tuomi [email protected] 
> > > > wrote:
> > > > 
> > > > > either do
> > > > > 
> > > > > openssl s_client -connect host:993
> > > > > 
> > > > > or
> > > > > 
> > > > > openssl s_client -connect host:143 -starttls imap
> > > > > 
> > > > > Aki
> > > > > 
> > > > > > On 20/11/2025 17:49 EET Marek Greško via dovecot 
> > > > > > [email protected] wrote:
> > > > > > 
> > > > > > When trying openssl s_client to port 143, I get:
> > > > > > 
> > > > > > no peer certificate available
> > > > > > --
> > > > > > No client certificate CA names sent
> > > > > > Negotiated TLS1.3 group: <NULL>
> > > > > > ---
> > > > > > SSL handshake has read 5 bytes and written 1556 bytes
> > > > > > Verification: OK
> > > > > > ---
> > > > > > New, (NONE), Cipher is (NONE)
> > > > > > Protocol: TLSv1.3
> > > > > > This TLS version forbids renegotiation.
> > > > > > Compression: NONE
> > > > > > Expansion: NONE
> > > > > > No ALPN negotiated
> > > > > > Early data was not sent
> > > > > > Verify return code: 0 (ok)
> > > > > > 
> > > > > > Why is there no certificate present? Because dovecot refuses to 
> > > > > > present it since it thinks it is weak?
> > > > > > 
> > > > > > Marek
> > > > > > 
> > > > > > Sent with Proton Mail secure email.
> > > > > > 
> > > > > > On Thursday, 20 November 2025 at 16:45, Marek Greško 
> > > > > > [email protected] wrote:
> > > > > > 
> > > > > > > Hello,
> > > > > > > 
> > > > > > > I added ca_file to the server section. I do not want clients to 
> > > > > > > present certificates, so I did not create the ssl client section 
> > > > > > > you proposed.
> > > > > > > 
> > > > > > > Any other suggestion?
> > > > > > > 
> > > > > > > I still cannot imagine what could be the cause.
> > > > > > > 
> > > > > > > Thanks
> > > > > > > 
> > > > > > > Marek
> > > > > > > 
> > > > > > > Sent with Proton Mail secure email.
> > > > > > > 
> > > > > > > On Thursday, 20 November 2025 at 16:13, pgnd [email protected] 
> > > > > > > wrote:
> > > > > > > 
> > > > > > > > > after upgrading from Fedora 42 to Fedora 43, dovecot got 
> > > > > > > > > upgraded to version 2.4.
> > > > > > > > 
> > > > > > > > imo, a sloppy choice on their part, forcing the need to 
> > > > > > > > significantly change imap config at the same time as an OS 
> > > > > > > > upgrade, and 'breaking imap' for lots of folks.
> > > > > > > > 
> > > > > > > > > Should the authority certificate be configured somewhere in 
> > > > > > > > > dovecot?
> > > > > > > > 
> > > > > > > > start with a thorough read of
> > > > > > > > 
> > > > > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > > > > > 
> > > > > > > > if using self-signed certs, you'll end up with something 
> > > > > > > > similar to
> > > > > > > > 
> > > > > > > > ssl = required
> > > > > > > > ...
> > > > > > > > ssl_server {
> > > > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > > > cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > > > > > key_file = /path/to/your_domain.server.ec.key.pem
> > > > > > > > ...
> > > > > > > > }
> > > > > > > > ssl_client {
> > > > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > > > cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > > > > > key_file = /path/to/your_domain.client.ec.key.pem
> > > > > > > > ...
> > > > > > > > }
> > > > > > 
> > > > > > _______________________________________________
> > > > > > dovecot mailing list -- [email protected]
> > > > > > To unsubscribe send an email to [email protected]
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
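The thread above comes down to three checks: which certificate and key paths Dovecot 2.4 really loads (the `doveconf -n` output Marek posted, as opposed to what 10-ssl.conf says), whether those files are readable and belong together, and whether any certificate is presented on the wire (Aki's `openssl s_client ... -starttls imap`, which in Marek's case returned "no peer certificate available"). The script below is an added example, not code from the Dovecot project or from anyone in this thread, that ties those checks together. The sample doveconf output, the `localhost:143` target and the /etc/pki paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Dovecot project or from anyone in this thread.
# Audits the TLS files a Dovecot 2.4 server actually loads: reads the ssl_server
# settings from `doveconf -n`, checks that the files are readable, checks that
# the private key belongs to the certificate, and compares the certificate served
# on the wire with the file on disk. SAMPLE_DOVECONF, the host/port and the
# /etc/pki paths are constructed for illustration.

# Constructed sample of `doveconf -n` output in the shape seen in this thread
# (commented-out lines must be ignored).
SAMPLE_DOVECONF='ssl_server {
ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
#ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
request_client_cert = no
}'

# Print the path configured for one ssl_server file setting (ca_file, cert_file,
# key_file, ...) found in doveconf output on stdin. Accepts both the short form
# inside the ssl_server { } block and the prefixed ssl_server_<name> form; lines
# starting with # are comments and never match.
extract_ssl_path() {
    awk -v key="$1" '
        /^[ \t]*ssl_server[ \t]*\{/ { inblock = 1; next }
        /^[ \t]*\}/                 { inblock = 0; next }
        $2 == "=" && ((inblock && $1 == key) || $1 == ("ssl_server_" key)) { print $3; exit }
    '
}

# Return 0 when the path is set and readable, 1 otherwise, with a one-line verdict.
# Run as root: readability by an unprivileged user says nothing about what the
# Dovecot config process, which opens these files, can read.
check_file() {
    if [ -z "$1" ]; then
        echo "NOT SET"
        return 1
    elif [ ! -r "$1" ]; then
        echo "NOT READABLE: $1"
        return 1
    fi
    echo "ok: $1"
}

# Return 0 when the private key in $2 matches the certificate in $1 (the public
# key derived from each must be identical), 1 on mismatch or unreadable input,
# 2 when openssl is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate presented on $1:$2 (STARTTLS on IMAP) has the
# same SHA-256 fingerprint as the file in $3. The "no peer certificate available"
# case from this thread leaves the wire fingerprint empty, so the check fails.
served_matches_file() {
    command -v openssl >/dev/null 2>&1 || return 2
    file_fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null) || return 1
    wire_fp=$(openssl s_client -connect "$1:$2" -starttls imap </dev/null 2>/dev/null |
              openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$wire_fp" ] && [ "$file_fp" = "$wire_fp" ]
}

# Stand-alone run: audit the live configuration when doveconf is present,
# otherwise audit the constructed sample so the script still demonstrates itself.
if command -v doveconf >/dev/null 2>&1; then
    conf=$(doveconf -n 2>/dev/null)
else
    echo "doveconf not found; using the constructed sample output"
    conf=$SAMPLE_DOVECONF
fi
for setting in ca_file cert_file key_file; do
    printf '%-10s ' "$setting"
    check_file "$(printf '%s\n' "$conf" | extract_ssl_path "$setting")"
done
cert=$(printf '%s\n' "$conf" | extract_ssl_path cert_file)
key=$(printf '%s\n' "$conf" | extract_ssl_path key_file)
if [ -r "$cert" ] && [ -r "$key" ]; then
    key_matches_cert "$cert" "$key"
    case $? in
        0) echo "private key matches certificate" ;;
        1) echo "PRIVATE KEY DOES NOT MATCH CERTIFICATE" ;;
        *) echo "openssl not found; key/cert check skipped" ;;
    esac
    # Constructed target; point it at the server under test.
    served_matches_file localhost 143 "$cert" && echo "served certificate matches $cert" ||
        echo "served certificate differs from $cert or none was presented"
fi
```

Run it as root on the mail server so it reads the live `doveconf -n`; the paths it audits are the ones Dovecot resolved, which is the distinction that mattered in this thread. A path that `doveconf -n` reports but `check_file` cannot open, a key that does not match the certificate, or a failed `served_matches_file` (the `no peer certificate available` symptom) each point at a different step of the chain from config file to TLS handshake.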
