OK, while inspecting dovecot I see the problem.
   doveconf -n reports different file paths than 10-ssl.conf file.
   It is:
   ssl_server {
    ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
    #ssl_server_dh_file = /etc/dovecot/dh.pem
    ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
    ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
    #cert_file = /etc/pki/tls/certs/dovecot.pem
    #key_file = /etc/pki/tls/private/dovecot.pem
    #prefer_ciphers = server
    request_client_cert = no
   }
   there. The file is definitely read, because when I uncomment
   this #ssl_verify_client_cert = no I get a syntax error. I cannot understand
   why the configuration is not accepted. If there is no meaningful reasoning
   on that, I can fix by configuration, I can overwrite the files in default
   paths by the wanted files.
   Marek
   On Thursday, 20 November 2025, 18:55, Marek Gresko
   <[email protected]> wrote:

     Sure.
     M.
     Sent with [1]Proton Mail secure email.
     On Thursday, 20 November 2025, 17:46, Aki Tuomi <[email protected]>
     wrote:

       Can you post doveconf -n output?

       Aki

         On 20/11/2025 18:37 EET Marek Gresko via dovecot
         <[2][email protected]> wrote:


         I run ls -lu on the key file. Its access time is not updated. It
         seems dovecot does not even read it. What is the correct syntax?

         Should it be in the ssl_server section? Should it be
         ssl_server_cert_file or cert file parameter? Or even another?

         Marek




         Sent with Proton Mail secure email.

         On Thursday, 20 November 2025, 17:26, Marek Gresko via dovecot
         <[3][email protected]> wrote:


           Both these commands return the same result as the previous one I posted.

           Sent with Proton Mail secure email.

           On Thursday, 20 November 2025, 17:07, Aki Tuomi
           [4][email protected] wrote:


             either do

             openssl s_client -connect host:993

             or

             openssl s_client -connect host:143 -starttls imap

             Aki


               On 20/11/2025 17:49 EET Marek Gresko via dovecot
               [5][email protected] wrote:

               When trying openssl s_client to port 143, I get:

               no peer certificate available
               --
               No client certificate CA names sent
               Negotiated TLS1.3 group: <NULL>
               ---
               SSL handshake has read 5 bytes and written 1556 bytes
               Verification: OK
               ---
               New, (NONE), Cipher is (NONE)
               Protocol: TLSv1.3
               This TLS version forbids renegotiation.
               Compression: NONE
               Expansion: NONE
               No ALPN negotiated
               Early data was not sent
               Verify return code: 0 (ok)

               Why is there no certificate present? Because dovecot refuses to
               present it since it thinks it is weak?

               Marek

               Sent with Proton Mail secure email.

               On Thursday, 20 November 2025, 16:45, Marek Gresko
               [6][email protected] wrote:


                 Hello,

                 I added ca_file to the server section. I do not want clients
                 to present certificates, so I did not create the ssl client
                 section you proposed.

                 Any other suggestion?

                 I still cannot imagine what could be the cause.

                 Thanks

                 Marek

                 Sent with Proton Mail secure email.

                 On Thursday, 20 November 2025, 16:13, pgnd [7][email protected]
                 wrote:


                     after upgrading from Fedora 42 to Fedora 43 the dovecot
                     got upgraded to version 2.4.

                   imo, a sloppy choice on their part, forcing the need to
                   significantly change imap config at the same time as an OS
                   upgrade, and 'breaking imap' for lots of folks.


                     Should the authority certificate be configured somewhere
                     in dovecot?

                   start with a thorough read of

                   [8]https://doc.dovecot.org/2.4.2/core/config/ssl.html

                   if using self-signed certs, you'll end up with something
                   similar to

                   ssl = required
                   ...
                   ssl_server {
                   ca_file = /path/to/your_CA.crt.pem
                   cert_file = /path/to/your_domain.server.ec.crt.pem
                   key_file = /path/to/your_domain.server.ec.key.pem
                   ...
                   }
                   ssl_client {
                   ca_file = /path/to/your_CA.crt.pem
                   cert_file = /path/to/your_domain.client.ec.crt.pem
                   key_file = /path/to/your_domain.client.ec.key.pem
                   ...
                   }

               _______________________________________________
               dovecot mailing list -- [9][email protected]
               To unsubscribe send an email to [10][email protected]
References

   Visible links
   1. https://proton.me/mail/home
   2. mailto:[email protected]
   3. mailto:[email protected]
   4. mailto:[email protected]
   5. mailto:[email protected]
   6. mailto:[email protected]
   7. mailto:[email protected]
   8. https://doc.dovecot.org/2.4.2/core/config/ssl.html
   9. mailto:[email protected]
  10. mailto:[email protected]
  11. mailto:[email protected]
  12. mailto:[email protected]
  13. mailto:[email protected]
  14. mailto:[email protected]
  15. https://doc.dovecot.org/2.4.2/core/config/ssl.html
  16. mailto:[email protected]
  17. mailto:[email protected]
  18. https://proton.me/mail/home
  19. mailto:[email protected]
  20. mailto:[email protected]
  21. mailto:[email protected]
  22. https://doc.dovecot.org/2.4.2/core/config/ssl.html
  23. mailto:[email protected]
  24. mailto:[email protected]
  25. mailto:[email protected]
  26. mailto:[email protected]
  27. mailto:[email protected]
  28. mailto:[email protected]
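
An added example, not from the thread or the Dovecot project, of the comparison described in the top message: it normalises both setting spellings seen in the thread and lists which paths from the edited block are missing from the effective configuration. It assumes a short name inside `ssl_server { }` means the same as the `ssl_server_`-prefixed name; `EFFECTIVE` is a constructed stand-in for `doveconf -n` output with placeholder paths.

```shell
#!/bin/sh
# Print "ssl_server_<x>_file=<path>" for the server CA/cert/key settings found
# in config text on stdin. Assumption: a short name inside "ssl_server { }"
# is equivalent to the "ssl_server_"-prefixed name.
ssl_paths() {
  awk '
    /^[ \t]*#/ { next }                          # skip commented-out settings
    /^[ \t]*ssl_server[ \t]*\{/ { blk = 1; next }
    blk && /^[ \t]*\}/ { blk = 0; next }
    {
      n = index($0, "="); if (n == 0) next
      key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (blk && key !~ /^ssl_server_/) key = "ssl_server_" key
      if (key ~ /^ssl_server_(ca|cert|key)_file$/) print key "=" val
    }' | sort
}

# List settings from the edited text ($1) that are absent from the effective
# config text ($2). Returns 0 when both agree, 1 on drift.
ssl_drift() {
  want=$(printf '%s\n' "$1" | ssl_paths)
  have=$(printf '%s\n' "$2" | ssl_paths)
  [ "$want" = "$have" ] && return 0
  printf '%s\n' "$want" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$have" | grep -qxF -- "$line" || echo "not effective: $line"
  done
  return 1
}

# Settings as posted in the thread (subset of the block).
EDITED='ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  request_client_cert = no
}'
# Constructed sample: cert and key paths are placeholders, not real defaults.
EFFECTIVE='ssl = required
ssl_server {
  ca_file = /etc/pki/tls/certs/cacert.pem
  cert_file = /placeholder/default/cert.pem
  key_file = /placeholder/default/key.pem
}'
ssl_drift "$EDITED" "$EFFECTIVE" || true
```

On a real host, pass the contents of 10-ssl.conf as the first argument and the output of `doveconf -n` as the second.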