2.2.10 is quite old. try reproducing this with .36 or 2.3.2.1

---
Aki Tuomi
Dovecot Oy
-------- Original message --------
From: Martin Johannes Dauser <[email protected]>
Date: 31/08/2018 13:10 (GMT+02:00)
To: [email protected]
Subject: Re: SNI Dovecot
FYI 
dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI. 
As you are using version 2.2.27 you might encounter the same behaviour.
If the client won't send SNI, my server randomly answers with any cert instead 
of the default cert. Perhaps dovecot just utilises the last used cert? One 
speciality of my certs is that both share the same Common Name (CN) but differ 
in Subject Alternative Names (SAN).
Once your config works, you can check by initialising several connections (I 
tried 30 times) without SNI using openssl. First command is without SNI, second 
is with SNI.
$ openssl s_client -showcerts -connect IP-address:993
$ openssl s_client -showcerts -connect IP-address:993 -servername server.domain 
This is my bug report on this list: 
https://dovecot.org/pipermail/dovecot/2018-July/112368.html

Best regards
Martin Johannes Dauser
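The check Martin describes above (repeat the connection many times, once without SNI and once with it, and see whether the server keeps handing back the same leaf certificate) can be automated. The script below is an added example and not code from the thread or from the Dovecot project; it uses only the Python standard library and records a SHA-256 fingerprint of whatever leaf certificate the server offers on each connection. HOST, PORT, SNI_NAME and ATTEMPTS are placeholders to adjust; verification is deliberately disabled because the goal is to observe which certificate is offered, not whether it validates.

```python
"""Probe an IMAPS endpoint repeatedly, with and without SNI, and report
which leaf certificate comes back each time.  Added example; HOST, PORT
and SNI_NAME below are placeholders, not values from the thread."""
import hashlib
import socket
import ssl
from collections import Counter
from typing import Optional

HOST = "mail.example.test"   # placeholder
PORT = 993                   # implicit-TLS IMAPS, as in the openssl commands above
SNI_NAME = "mail.example.test"  # placeholder
ATTEMPTS = 30


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_cert(host: str, port: int, sni: Optional[str], timeout: float = 5.0) -> bytes:
    """Open one TLS connection and return the server's leaf certificate (DER).

    Verification is switched off on purpose: a certificate that would fail
    hostname validation is exactly the case we want to see."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None means no SNI extension is sent at all,
        # matching "openssl s_client" without -servername.
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def probe(host: str, port: int, sni: Optional[str], attempts: int) -> list:
    """Connect `attempts` times and return the fingerprint seen each time."""
    return [cert_fingerprint(fetch_leaf_cert(host, port, sni)) for _ in range(attempts)]


def summarize(fingerprints: list) -> dict:
    """How often each distinct certificate was offered."""
    return dict(Counter(fingerprints))


def is_consistent(fingerprints: list) -> bool:
    """True when every connection got the same certificate."""
    return len(set(fingerprints)) <= 1


if __name__ == "__main__":
    for label, sni in (("without SNI", None), ("with SNI", SNI_NAME)):
        seen = probe(HOST, PORT, sni, ATTEMPTS)
        print(f"{label}: {'consistent' if is_consistent(seen) else 'VARIES'}")
        for fp, n in summarize(seen).items():
            print(f"  {n:3d}x {fp}")
```

A server that is configured correctly should report "consistent" for both modes; the behaviour described in the thread shows up as "VARIES" in the no-SNI run, with several fingerprints listed.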

On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote:
Hi all,

I'm testing the SNI configuration from dovecot's wiki page, to have multiple 
domains.

I'm using letsencrypt certificates.
In 10-ssl.conf, when I only use one domain, like this, it works:

ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem

I got a warning of course when using my second domain, mydomain2.fr.

If I do the config:

local_name mail.mydomain.fr {
ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
}

local_name mail.mydomain2.fr {
ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem
}

I got this on dovecot's start:

dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs
dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY

It's working without local_name, so why can it be a certificate issue?

Any idea?

I'm using dovecot 2.2.27-3+deb9u2 from debian.



Thanks,
Nicola 
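The "no start line: Expecting: ANY PRIVATE KEY" error in Nicolas's report is what OpenSSL's PEM reader says when the data handed to it contains no "-----BEGIN ... PRIVATE KEY-----" block at all. A quick way to rule out the files themselves before digging into version differences is to walk every `ssl_* = <path` setting in the config, including those inside local_name blocks, and confirm each referenced file holds a PEM block of the right type. The checker below is an added example, not Dovecot's own code; it understands only the small subset of config syntax used in this thread, and the config text and file contents it ships with are constructed samples (the paths are placeholders, not the paths from the thread).

```python
"""Check that every ssl_cert / ssl_ca / ssl_key file referenced from a
Dovecot 10-ssl.conf fragment contains a PEM block of the expected type.
Added example, not Dovecot's code; handles only top-level settings and
local_name blocks whose values read a file via '<path'."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Which PEM block types are acceptable for each setting.
EXPECTED = {
    "ssl_cert": {"CERTIFICATE"},
    "ssl_ca": {"CERTIFICATE"},
    "ssl_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}


def pem_block_types(text: str) -> list:
    """Return the BEGIN/END block types found in a PEM file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def parse_ssl_config(text: str):
    """Yield (scope, setting, path) for ssl_* settings that read a file via '<'.

    scope is "default" outside any block, or the name given to local_name."""
    scope = "default"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"local_name\s+(\S+)\s*\{", line)
        if m:
            scope = m.group(1)
            continue
        if line == "}":
            scope = "default"
            continue
        m = re.match(r"(ssl_\w+)\s*=\s*<(\S+)", line)
        if m:
            yield scope, m.group(1), m.group(2)


def check_config(config_text: str, read_file) -> list:
    """Return human-readable findings.  read_file(path) -> file text, so the
    caller can pass a real file reader or, as in demo(), an in-memory one."""
    findings = []
    for scope, setting, path in parse_ssl_config(config_text):
        want = EXPECTED.get(setting)
        if want is None:
            continue
        try:
            types = pem_block_types(read_file(path))
        except OSError as exc:
            findings.append(f"[{scope}] {setting}: cannot read {path}: {exc}")
            continue
        if not types:
            findings.append(f"[{scope}] {setting}: {path} has no PEM block at all "
                            "(this is what 'no start line' means)")
        elif not want & set(types):
            findings.append(f"[{scope}] {setting}: {path} contains {types}, "
                            f"expected one of {sorted(want)}")
    return findings


# Constructed sample in the shape of the thread's config; paths are placeholders.
SAMPLE_CONFIG = """\
ssl_cert = </certs/default/cert.pem
ssl_key = </certs/default/privkey.pem

local_name mail.example.test {
  ssl_ca = </certs/example/chain.pem
  ssl_cert = </certs/example/cert.pem
  ssl_key = </certs/example/privkey.pem
}

local_name mail.example2.test {
  ssl_cert = </certs/example2/cert.pem
  ssl_key = </certs/example2/privkey.pem
}
"""
CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"
SAMPLE_FILES = {
    "/certs/default/cert.pem": CERT,
    "/certs/default/privkey.pem": KEY,
    "/certs/example/chain.pem": CERT + CERT,
    "/certs/example/cert.pem": CERT,
    "/certs/example/privkey.pem": CERT,   # wrong type: a certificate where a key belongs
    "/certs/example2/cert.pem": CERT,
    "/certs/example2/privkey.pem": "",    # empty file: no PEM block, 'no start line'
}


def read_sample(path: str) -> str:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def demo() -> list:
    """Run the checker over the constructed sample and return its findings."""
    return check_config(SAMPLE_CONFIG, read_sample)


if __name__ == "__main__":
    for finding in demo() or ["no problems found"]:
        print(finding)
```

Against real files, call `check_config(open("10-ssl.conf").read(), lambda p: open(p).read())`. The sample deliberately contains the two cases that produce the error in the report: a key path that points at a certificate, and an empty key file.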
