[Dovecot] TLS SNI with Dovecot
Michael Neurohr
mnewpipe at gmail.com
Sun Dec 22 23:07:13 EET 2013
Hi!
I've been using Dovecot for a single domain with SSL certificates.
Now I would like to use Dovecot with several Domains and proper SSL
certificates. I tried to set up TLS SNI, but it does not work. What I
basically did was just adding
# Per-hostname certificate selected by TLS SNI (the server_name the client
# sends in its ClientHello). Clients that send no SNI, or a name with no
# matching local_name block, are served the global ssl_cert/ssl_key instead.
local_name imap.samsoft.at {
ssl_cert = </etc/ssl/private/mailserver/imap.samsoft.at.crt
ssl_key = </etc/ssl/private/mailserver/imap.samsoft.at.key
}
for the additional domain.
When trying to login via IMAP, I see the following lines in the log file:
===================================================================
Dec 22 21:01:05 mx0 dovecot: imap-login: Warning: SSL alert:
where=0x4004, ret=554: fatal bad certificate [151.236.5.22]
Dec 22 21:01:05 mx0 dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [151.236.5.22]
Dec 22 21:01:05 mx0 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=151.236.5.22, lip=151.38.7.25, TLS handshaking:
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate: SSL alert number 42, session=<Rg5EzyXutgCX7AaF>
===================================================================
The actual Dovecot config is pasted below.
How can I solve this and serve different certificates on the same IP
address?
Thanks,
Michael
doveconf -n
# 2.2.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab076.8 i686 CentOS release 6.5 (Final) simfs
# Global settings (doveconf -n prints only values that differ from the
# defaults).
# PLAIN and LOGIN transmit the password as-is inside the session, so they
# depend on the "ssl = required" setting below to keep it off the wire in
# cleartext.
auth_mechanisms = plain login
# %d = domain, %n = local part of the login name.
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_plugins = notify
mail_privileged_group = mail
# ManageSieve capabilities advertised to clients; the sieve_capability value
# is a single setting that the archive wrapped over several lines.
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave imapflags
# Primary namespace holding INBOX. location and prefix are left empty, so the
# mailboxes live under the global mail_location with no name prefix.
namespace inbox {
inbox = yes
location =
# SPECIAL-USE flags (RFC 6154) advertised to clients for each folder.
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
# Two folders share the \Sent role, presumably for clients that expect the
# other name.
mailbox "Sent Messages" {
special_use = \Sent
}
# auto = subscribe: the folder is created and subscribed automatically.
# Spam is the folder the antispam plugin's antispam_spam setting points at.
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Password lookups come from SQL; the connection and query details are kept
# in the referenced file, which is not shown here.
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# Plugin settings: antispam (dspam backend) and sieve.
plugin {
antispam_backend = dspam
# Arguments passed to the dspam binary, separated by ';' (the same separator
# antispam_trash uses below). %u expands to the user name; %%s is an escaped
# %s left for the plugin to expand.
antispam_dspam_args = --source=error;--signature=%%s;--user;%u
antispam_dspam_binary = /usr/bin/dspam
antispam_signature = X-DSPAM-Signature
antispam_signature_missing = move
# Folder names used to detect moves into/out of spam; "Spam" matches the
# auto-subscribed mailbox in the namespace above.
antispam_spam = Spam
antispam_trash = trash;Trash;Deleted Items;Deleted Messages
# Per-user sieve script and script directory (%d = domain, %n = local part),
# plus a global script run before the user's own.
sieve = /var/mail/vhosts/sieve-scripts/%d/%n/.dovecot.sieve
sieve_before = /var/mail/vhosts/sieve-scripts/before
sieve_dir = /var/mail/vhosts/sieve-scripts/%d/%n/sieve
sieve_extensions = +imapflags
}
# Sender address for bounces/notifications (the archive rewrote the '@' as
# " at ").
postmaster_address = postmaster at changed.at
# Services started: IMAP, POP3, LMTP delivery and ManageSieve.
protocols = imap pop3 lmtp sieve
# Authentication service and its two sockets.
service auth {
# Socket inside the Postfix queue directory, presumably used by Postfix smtpd
# for SASL authentication.
# NOTE(review): mode 0666 makes the socket world-writable. Since user and
# group are both already postfix, 0660 is normally sufficient; confirm the
# permissions of the containing directory before relying on them instead.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
# userdb lookup socket, restricted to the vmail user (0600).
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = dovecot
}
# Dictionary service socket, accessible to the vmail user only.
service dict {
unix_listener dict {
user = vmail
}
}
# LMTP delivery socket for Postfix, owner-only (0600) and owned by postfix so
# only the MTA can hand mail to Dovecot through it.
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
# ManageSieve listener on the standard port 4190. It is covered by the global
# "ssl = required" below, so STARTTLS is needed before authenticating here
# too — confirm against the server's advertised capabilities.
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
# Default TLS settings, used when the client sends no SNI name or a name with
# no matching local_name block.
# ssl = required: TLS must be negotiated before authentication is accepted.
# NOTE(review): in Dovecot, ssl_ca is the CA bundle for verifying *client*
# certificates; intermediate certificates for the server's own chain belong
# in the ssl_cert file. The "bad certificate" (alert 42) in the log above is
# received from the client after it saw the server certificate, so check
# which chain is actually presented for each name, e.g. with
# `openssl s_client -connect <host>:<port> -servername imap.samsoft.at`
# — TODO confirm the .pem/.crt files contain the full chain.
ssl = required
ssl_ca = </etc/ssl/private/mailserver/ca-bundle.crt
ssl_cert = </etc/ssl/private/mailserver/mx0.domain1.at.pem
ssl_key = </etc/ssl/private/mailserver/mx0.domain1.at.key
# prefetch: reuse user fields already returned by the passdb lookup, so no
# second query is needed on login.
userdb {
driver = prefetch
}
# Fallback SQL userdb for lookups that do not go through passdb (e.g. delivery),
# using the same SQL configuration file as the passdb above.
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# LMTP delivery runs sieve filtering.
protocol lmtp {
mail_plugins = sieve
}
# Local delivery agent also runs sieve filtering.
protocol lda {
mail_plugins = sieve
}
# IMAP sessions load the antispam plugin (configured in the plugin block
# above) so moves into/out of the Spam folder are reported to dspam.
protocol imap {
mail_plugins = antispam
}
# SNI-selected certificate for imap.samsoft.at; connections without SNI fall
# back to the global ssl_cert/ssl_key above. Note that ssl_ca is not repeated
# here, so this block inherits the global one.
local_name imap.samsoft.at {
ssl_cert = </etc/ssl/private/mailserver/imap.samsoft.at.crt
ssl_key = </etc/ssl/private/mailserver/imap.samsoft.at.key
}