> On 30/03/2026 13:28 EEST Patrick Cernko via dovecot <[email protected]>
> wrote:
>
>
> Hi Markus, hi list,
>
> On 2026-03-30 12:15:15, markus-dovecot--- via dovecot wrote:
> > Unfortunately the upgrade to v2.4.3 broke the ldap connection.
> >
> > I have configured an ldap connection like this:
> >
> > ```
> > ldap_uris = ldaps://xxx.com
> > ldap_auth_dn = uid=xxx,ou=general accounts,dc=xxx,dc=com
> > ldap_auth_dn_password = xxx
> > ldap_base = dc=xxx,dc=com
> >
> > passdb ldap {
> >   ldap_bind = yes
> >   [...]
> > }
> > ```
> >
> > v2.4.3 cannot connect and says:
> >
> > ```
> > auth: Error: ldap(ldaps://xxx.com636): Can't connect to server:
> > ldaps://xxx.com
> > ```
> >
> > Ldap server logs:
> >
> > ```
> > ACCEPT from IP=[XXX]:45674 (IP=[::]:636)
> > TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
> > closed (connection lost)
> > ```
> >
> > Downgrade to dovecot v2.4.2 makes it work again.
> >
> > Was there any ldap change in v2.4.3 that required a config change?
> >
>
> I had a similar error. In my case, dovecot was missing the CA certificate for the
> cert of the LDAP server, as it was not included in the OS' ca-certificates bundle.
> I fixed it in my case with:
>
> ssl_client_ca_file = /path/to/ldapservers-ca-certificate.crt
>
> Seems like dovecot did not check the CA signing the LDAP server's certificate
> before 2.4.3.
>
> Best,
> --
> Patrick Cernko <[email protected]> +49 681 9325 5815
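To see the check that Patrick's `ssl_client_ca_file` line satisfies, here is an added example (not code from the thread or from Dovecot) that builds a throwaway CA and LDAP server certificate with openssl, then verifies that certificate against a trust file containing the issuing CA and against one that lacks it; the CA names and the hostname ldap.example.test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: rebuild the
# certificate-chain check offline with a throwaway PKI. "Example Test CA",
# "Unrelated CA" and the hostname ldap.example.test are constructed names.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: "$1" is a file stem, "$2" the CA's subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server certificate for ldap.example.test, signed by the CA with stem "$1".
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/ldap.crt" 2>/dev/null
}

# The check a validating TLS client performs: does the server certificate "$1"
# chain to a CA in trust file "$2"? -no-CApath keeps the OS bundle out of the
# picture, so only the named file counts, much like ssl_client_ca_file.
# Prints ok/fail and returns 0/1.
verify_chain() {
  if openssl verify -CAfile "$2" -no-CApath "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

make_ca issuer "Example Test CA"
make_ca other "Unrelated CA"
make_server_cert issuer

# Trust file that contains the issuing CA (ssl_client_ca_file pointing at it).
verify_chain "$WORK/ldap.crt" "$WORK/issuer.crt"          # ok
# Trust file missing that CA (the thread's "not in the OS bundle" situation).
verify_chain "$WORK/ldap.crt" "$WORK/other.crt" || true   # fail
```

The second call is what a client that validates chains sees when the CA is absent from its trust store: the TLS handshake completes on the server side, then the client drops the connection, which matches the "TLS established ... closed (connection lost)" pair in Markus's LDAP server log.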
It did check the CA cert validity before, but in 2.4.3 the code interacting with libldap TLS settings was improved, which changed this. So dovecot did check LDAP certs, but the way it was enabling these with libldap was clearly not 100% correct.

Aki

_______________________________________________
dovecot mailing list -- [email protected]
