If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki

> On 20/11/2025 20:40 EET Marek Greško via dovecot <[email protected]> wrote:
>
> It seems copying the pem files to the default location from the configured
> one solved the problem. Is it a bug or a configuration problem that the
> files were not searched for in the configured path?
>
> Thanks
>
> Marek
>
> Sent with Proton Mail secure email.
>
> On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot
> <[email protected]> wrote:
>
> > OK, while inspecting dovecot I see the problem.
> >
> > doveconf -n reports different file paths than 10-ssl.conf file.
> >
> > It is:
> >
> > ssl_server {
> >   ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
> >   #ssl_server_dh_file = /etc/dovecot/dh.pem
> >   ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
> >   ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
> >   #cert_file = /etc/pki/tls/certs/dovecot.pem
> >   #key_file = /etc/pki/tls/private/dovecot.pem
> >   #prefer_ciphers = server
> >   request_client_cert = no
> > }
> >
> > there. The file is definitely read, because when I uncomment this
> > #ssl_verify_client_cert = no I get a syntax error. I cannot understand why
> > the configuration is not accepted. If there is no meaningful reasoning on
> > that, I can fix by configuration, I can overwrite the files in default
> > paths by the wanted files.
> >
> > Marek
> >
> > Sent with Proton Mail secure email.
> >
> > On Thursday, 20 November 2025, 17:46, Aki Tuomi [email protected]
> > wrote:
> >
> > > Can you post doveconf -n output?
> > >
> > > Aki
> > >
> > > > On 20/11/2025 18:37 EET Marek Greško via dovecot [email protected]
> > > > wrote:
> > > >
> > > > I run ls -lu on the key file. Its access time is not updated. It seems
> > > > dovecot does not even read it. What is the correct syntax?
> > > >
> > > > Should it be in the ssl_server section? Should it be
> > > > ssl_server_cert_file or cert file parameter? Or even another?
> > > >
> > > > Marek
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot
> > > > [email protected] wrote:
> > > >
> > > > > Both these commands return the same result as the previous one I
> > > > > posted.
> > > > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > On Thursday, 20 November 2025, 17:07, Aki Tuomi
> > > > > [email protected] wrote:
> > > > >
> > > > > > either do
> > > > > >
> > > > > > openssl s_client -connect host:993
> > > > > >
> > > > > > or
> > > > > >
> > > > > > openssl s_client -connect host:143 -starttls imap
> > > > > >
> > > > > > Aki
> > > > > >
> > > > > > > On 20/11/2025 17:49 EET Marek Greško via dovecot
> > > > > > > [email protected] wrote:
> > > > > > >
> > > > > > > When trying openssl s_client to port 143, I get:
> > > > > > >
> > > > > > > no peer certificate available
> > > > > > > --
> > > > > > > No client certificate CA names sent
> > > > > > > Negotiated TLS1.3 group: <NULL>
> > > > > > > ---
> > > > > > > SSL handshake has read 5 bytes and written 1556 bytes
> > > > > > > Verification: OK
> > > > > > > ---
> > > > > > > New, (NONE), Cipher is (NONE)
> > > > > > > Protocol: TLSv1.3
> > > > > > > This TLS version forbids renegotiation.
> > > > > > > Compression: NONE
> > > > > > > Expansion: NONE
> > > > > > > No ALPN negotiated
> > > > > > > Early data was not sent
> > > > > > > Verify return code: 0 (ok)
> > > > > > >
> > > > > > > Why is there no certificate present? Because dovecot refuses to
> > > > > > > present it since it thinks it is weak?
> > > > > > >
> > > > > > > Marek
> > > > > > >
> > > > > > > Sent with Proton Mail secure email.
> > > > > > >
> > > > > > > On Thursday, 20 November 2025, 16:45, Marek Greško
> > > > > > > [email protected] wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I added ca_file to the server section. I do not want clients to
> > > > > > > > present certificates, so I did not create the ssl client
> > > > > > > > section you proposed.
> > > > > > > >
> > > > > > > > Any other suggestion?
> > > > > > > >
> > > > > > > > I still cannot imagine what could be the cause.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > Marek
> > > > > > > >
> > > > > > > > Sent with Proton Mail secure email.
> > > > > > > >
> > > > > > > > On Thursday, 20 November 2025, 16:13, pgnd [email protected]
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got
> > > > > > > > > > upgraded to version 2.4.
> > > > > > > > >
> > > > > > > > > imo, a sloppy choice on their part, forcing the need to
> > > > > > > > > significantly change imap config at the same time as an OS
> > > > > > > > > upgrade, and 'breaking imap' for lots of folks.
> > > > > > > > >
> > > > > > > > > > Should the authority certificate be configured somewhere in
> > > > > > > > > > dovecot?
> > > > > > > > >
> > > > > > > > > start with a thorough read of
> > > > > > > > >
> > > > > > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > > > > > >
> > > > > > > > > if using self-signed certs, you'll end up with something
> > > > > > > > > similar to
> > > > > > > > >
> > > > > > > > > ssl = required
> > > > > > > > > ...
> > > > > > > > > ssl_server {
> > > > > > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > > > > > >   cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > > > > > >   key_file = /path/to/your_domain.server.ec.key.pem
> > > > > > > > >   ...
> > > > > > > > > }
> > > > > > > > > ssl_client {
> > > > > > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > > > > > >   cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > > > > > >   key_file = /path/to/your_domain.client.ec.key.pem
> > > > > > > > >   ...
> > > > > > > > > }
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > dovecot mailing list -- [email protected]
> > > > > > > To unsubscribe send an email to [email protected]
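
The include check from the top reply can be run mechanically. This is an added example, not part of the thread or of Dovecot: it lists the conf.d files that a dovecot.conf never reaches through `!include` or `!include_try` lines. The function names and the demo tree are constructed; it assumes include patterns are absolute or relative to the including file's directory.

```shell
#!/bin/sh
# Added example, not from the thread: find conf.d files that dovecot.conf
# never includes. Assumptions: patterns after !include / !include_try are
# absolute or relative to the including file's directory; MAIN is passed as
# an absolute path without spaces; there are no include loops.

# included_files FILE: print FILE and every file its include chain reaches.
included_files() {
    conf=$1
    [ -f "$conf" ] || return 0
    printf '%s\n' "$conf"
    dir=$(dirname "$conf")
    # Keep only the pattern after the directive; '#!include' is skipped.
    sed -n 's/^[[:space:]]*!include\(_try\)\{0,1\}[[:space:]]\{1,\}\([^#[:space:]]*\).*/\2/p' "$conf" |
    while IFS= read -r pat; do
        case $pat in
            /*) ;;
            *)  pat=$dir/$pat ;;
        esac
        for f in $pat; do                     # unquoted so the glob expands
            if [ -f "$f" ]; then
                ( included_files "$f" )       # subshell keeps $dir intact
            fi
        done
    done
}

# unreached_confd MAIN: print the conf.d/*.conf files next to MAIN that the
# include chain never reaches, i.e. files whose settings are ignored.
unreached_confd() {
    main=$1
    reached=$(included_files "$main")
    for f in "$(dirname "$main")"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        printf '%s\n' "$reached" | grep -Fxq -- "$f" || printf '%s\n' "$f"
    done
}

# Constructed demo tree: first without an include line, then with one.
demo() {
    t=$(mktemp -d)
    mkdir "$t/conf.d"
    printf 'ssl_server {\n  cert_file = /constructed/cert.pem\n}\n' \
        > "$t/conf.d/10-ssl.conf"
    printf 'protocols = imap\n' > "$t/dovecot.conf"
    echo "ignored without an include line:"
    unreached_confd "$t/dovecot.conf"
    printf '!include conf.d/*.conf\n' >> "$t/dovecot.conf"
    echo "ignored with '!include conf.d/*.conf':"
    unreached_confd "$t/dovecot.conf"
    rm -rf "$t"
}
demo
```

On a real host, `unreached_confd /etc/dovecot/dovecot.conf` printing `10-ssl.conf` would explain certificate paths in that file not showing up in `doveconf -n`.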
