Dovecot serving incorrect certificate

2020-07-25 Thread Antonio Leding
Hello all,

I have a Dovecot (v2.3.10.1) + Postfix (v3.5.3) both cfg’d to use TLS however 
each using different certificates.  In addition, I have cfg’d a DNS CNAME that 
points to the server A record.  For example,

mail.example.com (A) —> 1.2.3.4
alias.example.com (CNAME) —> mail.example.com

When setting up a new account in Apple Mail, if I specify the server name as 
the “Host Name” (i.e. mail server), the cert that is cfg’d in Dovecot is 
received and everything works fine.  However, if I instead use the alias CNAME 
as the “Host Name”,  then the cert for Postfix is sent to the client.  This 
causes issues because I do not have the CNAME in the SAN of the Postfix 
certificate.

I doubt this is a bug because I have to think others have employed a similar 
configuration so I must be missing something here — any thoughts?

Thanks in advance...




Re: Dovecot serving incorrect certificate

2020-07-25 Thread Antonio Leding
CORRECTION:

Just discovered that actually the Postfix cert is being sent to the client 
regardless of the configuration…so now the remaining question is why is 
the PF cert sent rather than the cert I have configured in the dovecot.conf 
file?



> On Jul 25, 2020, at 2:02 PM, Antonio Leding wrote:
> 
> Hello all,
> 
> I have a Dovecot (v2.3.10.1) + Postfix (v3.5.3) both cfg’d to use TLS 
> however each using different certificates.  In addition, I have cfg’d a DNS 
> CNAME that points to the server A record.  For example,
> 
> mail.example.com  (A) —> 1.2.3.4
> alias.example.com (CNAME) —> mail.example.com
> 
> When setting up a new account in Apple Mail, if I specify the server name as 
> the “Host Name” (i.e. mail server), the cert that is cfg’d in Dovecot is 
> received and everything works fine.  However, if I instead use the alias 
> CNAME as the “Host Name”,  then the cert for Postfix is sent to the client.  
> This causes issues because I do not have the CNAME in the SAN of the Postfix 
> certificate.
> 
> I doubt this is a bug because I have to think others have employed a similar 
> configuration so I must be missing something here — any thoughts?
> 
> Thanks in advance...
> 
> 



Re: Dovecot serving incorrect certificate

2020-07-25 Thread Christian Kivalo




On 2020-07-25 23:31, Antonio Leding wrote:

> CORRECTION:
>
> Just discovered that actually the Postfix cert is being sent to the
> client regardless of the configuration…so now the remaining question
> is why is the PF cert sent rather than the cert I have
> configured in the dovecot.conf file?

Because the file contains the wrong certificate.

--
 Christian Kivalo


Re: Dovecot serving incorrect certificate

2020-07-25 Thread Antonio Leding
> Because the file contains the wrong certificate.


We must be miscommunicating…

The file that is configured in Postfix is being sent to the client..NOT the 
file cfg’d in Dovecot…

Prior to enabling TLS in Postfix, this exact same config worked fine...



> On Jul 25, 2020, at 2:35 PM, Christian Kivalo wrote:
> 
> 
> 
> On 2020-07-25 23:31, Antonio Leding wrote:
>> CORRECTION:
>> Just discovered that actually the Postfix cert is being sent to the
>> client regardless of the configuration…so now the remaining question
>> is why is the PF cert sent rather than the cert I have
>> configured in the dovecot.conf file?
> Because the file contains the wrong certificate.
> 
> -- 
> Christian Kivalo



Re: Dovecot serving incorrect certificate

2020-07-25 Thread Antonio Leding
Issue resolved...

Someone had actually copied the cert from the PF server to the DV cert location 
as well but renamed it to the same name that we had before.  So when looking at 
the config, everything appeared proper but after Christian’s message, I decided 
to go and actually check the cert contents…it had been changed…

Thanks to Christian and darkc0de and sorry for the false alarm...and now need 
to go have a discussion with someone…


> On Jul 25, 2020, at 2:43 PM, Antonio Leding wrote:
> 
>> Because the file contains the wrong certificate.
> 
> 
> We must be miscommunicating…
> 
> The file that is configured in Postfix is being sent to the client..NOT the 
> file cfg’d in Dovecot…
> 
> Prior to enabling TLS in Postfix, this exact same config worked fine...
> 
> 
> 
>> On Jul 25, 2020, at 2:35 PM, Christian Kivalo wrote:
>> 
>> 
>> 
>> On 2020-07-25 23:31, Antonio Leding wrote:
>>> CORRECTION:
>>> Just discovered that actually the Postfix cert is being sent to the
>>> client regardless of the configuration…so now the remaining question
>>> is why is the PF cert sent rather than the cert I have
>>> configured in the dovecot.conf file?
>> Because the file contains the wrong certificate.
>> 
>> -- 
>> Christian Kivalo
>
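
Added example, not part of the original thread or of either project: the check that resolved it, comparing what the certificate files actually contain rather than what they are named, done by SHA-256 fingerprint of the leaf certificate. The labels `dovecot` and `postfix`, the helper names, and the sample PEM blocks are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the first certificate in a PEM bundle.

    The server's own (leaf) certificate comes first in a cert-plus-chain file,
    so later blocks are ignored.
    """
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=993):
    """Fingerprint of the certificate the server presents (needs network access)."""
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))


def find_shared_certs(configured):
    """Group labels in {label: pem_text} whose leaf certificate is identical."""
    by_fp = {}
    for label, pem in configured.items():
        by_fp.setdefault(leaf_fingerprint(pem), []).append(label)
    return [sorted(labels) for labels in by_fp.values() if len(labels) > 1]


def sample_pem(payload):
    """Constructed stand-in: PEM framing around arbitrary bytes, not a real X.509 cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    postfix_pem = sample_pem(b"constructed postfix leaf")
    chain_pem = sample_pem(b"constructed intermediate CA")
    # The situation from the thread: the Dovecot file keeps its old name
    # but now holds the Postfix certificate.
    files = {"dovecot": postfix_pem + chain_pem, "postfix": postfix_pem}
    for group in find_shared_certs(files):
        print("same leaf certificate configured for:", ", ".join(group))
```

On a real host, fill the dictionary with the contents of the files named by Dovecot's `ssl_cert` and Postfix's `smtpd_tls_cert_file`, and compare either against `served_fingerprint()` for the IMAPS port.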