[Dovecot] SSL cert problems.

Sahil Tandon sahil at tandon.net
Wed Dec 24 22:26:04 EET 2008


Geoff Sweet wrote:

> Ok so I downloaded the intermediate ca cert thing onto my local machine
> as intca.cer.  Then I ran this command:
> 
> :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995

You're pointing to a *file* so you need -CAfile; not -CApath.  But even
after making that change, there appears to be a problem with your cert.
To test, I downloaded common root certificates from the curl website and
placed them in ~/CA.  Then, the gmail cert verifies just fine:

% openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 -quiet
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify return:1
+OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17

However, your server cert still fails.  This may be related to the
intermediate cert you define in dovecot.conf.  I also noticed the zlib
compression is turned on, whereas it is disabled on my own and many 
other POP and IMAP servers I tested.

This does not appear to be a dovecot issue; perhaps try the OpenSSL
mailing list?

-- 
Sahil Tandon <sahil at tandon.net>
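
Added example, not part of the original message: the -CAfile versus -CApath difference and the effect of a missing intermediate, reproduced offline with `openssl verify`, which accepts the same two options as s_client. The three-certificate chain, its subjects and all file names are constructed; `-untrusted` stands in for the intermediate a server would send in its handshake.

```shell
#!/bin/sh
# Added example; every subject, file name and path here is constructed.
build_chain() {  # build_chain DIR: root -> intermediate -> leaf, plus DIR/capath
    d=$1; mkdir -p "$d/capath" || return 1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    for n in root int leaf; do  # one key and CSR per certificate
        openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
            -subj "/CN=Example $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    sign() { openssl x509 -req -days 2 -extfile "$d/x.cnf" "$@" 2>/dev/null; }
    sign -in "$d/root.csr" -signkey "$d/root.key" -extensions ca -out "$d/root.pem" &&
    sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -extensions ca -out "$d/int.pem" &&
    sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -extensions leaf -out "$d/leaf.pem" || return 1
    # -CApath expects a directory whose entries are named <subject hash>.0
    h=$(openssl x509 -noout -subject_hash -in "$d/root.pem") && cp "$d/root.pem" "$d/capath/$h.0"
}

chain_ok() { openssl verify "$@" >/dev/null 2>&1; }  # status 0 only if the chain verifies

report() {  # report LABEL VERIFY-ARGS...
    label=$1; shift
    if chain_ok "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

work=$(mktemp -d) && build_chain "$work" || { echo "setup failed" >&2; exit 1; }
report "-CAfile <root file>, intermediate supplied" \
    -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/leaf.pem"
report "-CAfile <root file>, intermediate missing" \
    -CAfile "$work/root.pem" "$work/leaf.pem"
report "-CApath <root file> (a file where a directory is expected)" \
    -CApath "$work/root.pem" -untrusted "$work/int.pem" "$work/leaf.pem"
report "-CApath <hashed directory>, intermediate supplied" \
    -CApath "$work/capath" -untrusted "$work/int.pem" "$work/leaf.pem"
rm -rf "$work"
```

The second and third cases fail for different reasons: one lacks a link in the chain, the other never loads the trust anchor because -CApath only looks up hash-named files inside a directory.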

