Dovecot v2.2.18
OS: FreeBSD 10.1/amd64
Dovecot in proxy mode ignores the root certificate store and can't verify
the backend's SSL certificate.
I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context. It seems to be
ignore
The result is the same with or without "<" before the file path. With "<"
the inode atime is updated at Dovecot startup, so the file is at least
opened, but Dovecot still can't verify the cert.
The only place in the Wiki that shows an example of ssl_client_ca_file is
on this page, and there's

On Mon, 21 Sep 2015, Christian Kivalo wrote:
Haven't found much about proxying and ssl but found a configuration parameter
ssl_ca =
http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate
verification/authentication
ssl_ca serves a different purpose, it's for setting yo

On Mon, 21 Sep 2015, Andrew McN wrote:
http://wiki2.dovecot.org/Replication
(quote)
The client must be able to verify that the SSL certificate is valid, so
you need to specify the directory containing valid SSL CA roots:
ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
doveconf -n?
doveconf -n|grep ssl should suffice:
ssl = required
ssl_ca = I'm using "ssl_ca = temporary workaround, even though this is not what ssl_ca is for. It
happens to work, at least for now, but this is not a fix.
ssl_client_ca_file shoul

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
ssl = required
shouldn't it be:
ssl = yes
I was only aware of the choice of yes or no here, but I could be wrong.
See http://wiki2.dovecot.org/SSL/DovecotConfiguration

On Tue, 22 Sep 2015, Timo Sirainen wrote:
Yeah. The ssl_client_ca_file was implemented later than the SSL proxying
code. I think this may be something that needs to wait for v2.3 to get
fixed. v2.3 hopefully removes the duplicated ssl code and uses
lib-ssl-iostream for proxying also, which mak