> On January 6, 2017 at 2:34 AM John Fawcett <[email protected]> wrote:
>
> > On 01/05/2017 08:55 PM, Juri wrote:
> > > 5 January 2017 01:21, "John Fawcett" <[email protected]> wrote:
> > >
> > > > On 01/04/2017 08:40 PM, Juri wrote:
> > >
> > > Thank you.
> > >
> > > In fact I tried both settings, that is
> > >
> > > ssl_client_ca_dir = /etc/ssl/certs
> > > ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
> > >
> > > but with no luck.
> > >
> > > Actually, I noticed that with the two settings I get a slightly different
> > > error message (it took me quite a bit to notice it!), that is:
> > >
> > > Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > >
> > > Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get *local* issuer certificate: /CN=mail.dividebyzero.it
> > >
> > > (emphasis mine).
> > >
> > > I suppose that in the first case - as the server is sending only the last
> > > certificate on the chain - the client is unable to find the intermediate,
> > > while in the second case it won't find the root one.
> > >
> > > I then tried, as you suggested, to concatenate both the intermediate and
> > > the root certificate in a single file, and it finally worked.
> > >
> > > In any case the original point still stands: in the sync mode - at least on
> > > my version (2.2.13) - the server sends only the last cert, so the client has
> > > to have the rest of the chain, instead of needing to have only the root
> > > certificate.
> > >
> > > May I ask you which is the version of Dovecot bundled with CentOS, to know
> > > if this may be a bug fixed in a newer version?
> > >
> > > Juri
> >
> > Hi Juri
> >
> > if you find validation failing when you have only the root certificate
> > in the CA file but a chained server+intermediate in the server
> > certificate file, then your analysis makes sense and it seems that the
> > intermediate certificate is not being sent by the server. That ties in
> > with the different error messages between imap and replication.
> >
> > It might be interesting to do a test with -showcerts parameter.
> >
> > openssl s_client -showcerts -connect hostname:7557
> >
> > openssl s_client -showcerts -connect hostname:993
> >
> > The bundled version of Dovecot on Centos 7 is 2.2.10 but I am not using
> > that version. I am on 2.2.26, where I don't have the problem you see and
> > both services send the server and intermediate certificate. I was unable
> > to see any specific patches to the ssl or doveadm code for this issue,
> > though it has undergone a few changes from 2.2.13.
> >
> > John
You might want to return the following things from passdb, if I understood your scenario correctly.

proxy=y
host=your-backend-host
ssl=any-cert
port=993

https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Aki
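As an added illustration of the -showcerts test John suggests (not code from the thread or from Dovecot), this script parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports which issuer the client would fail to find. The two outputs are constructed, not captured: the hostname mail.example.test is a placeholder, the Let's Encrypt DNs are taken from Juri's error messages, and the DST Root CA X3 trust anchor is assumed.

```python
import re

# Constructed sample outputs in the style of `openssl s_client -showcerts`
# (OpenSSL 1.0.x subject/issuer format). Only the chain section is kept.
REPLICATION_7557 = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

IMAP_993 = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Subjects present in the client's trust store (ssl_client_ca_file / ssl_client_ca_dir);
# assumed here to hold only the root, which is Juri's original setup.
TRUSTED_ROOT_ONLY = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

# One "N s:<subject>" line followed by its "i:<issuer>" line.
CERT_LINE = re.compile(r"^\s*\d+ s:(?P<subject>.*)\n\s*i:(?P<issuer>.*)$", re.MULTILINE)


def parse_showcerts(output):
    """Return the (subject, issuer) pairs the server presented, in chain order."""
    return [(m.group("subject").strip(), m.group("issuer").strip())
            for m in CERT_LINE.finditer(output)]


def missing_issuer(chain, trusted_subjects):
    """Return the first issuer DN that the server neither sent nor the client trusts,
    i.e. the name OpenSSL reports as 'unable to get issuer certificate'; None if complete."""
    sent = {subject for subject, _ in chain}
    for _, issuer in chain:
        if issuer not in sent and issuer not in trusted_subjects:
            return issuer
    return None


if __name__ == "__main__":
    for name, output in (("replication :7557", REPLICATION_7557), ("imap :993", IMAP_993)):
        gap = missing_issuer(parse_showcerts(output), TRUSTED_ROOT_ONLY)
        print(name, "->", "chain complete" if gap is None else "missing issuer " + gap)
```

The replication sample reproduces Juri's first error (the Let's Encrypt intermediate is reported missing), while the same trust store validates the IMAP sample because the intermediate is sent.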
