[Dovecot] TLS SNI with Dovecot

Michael Neurohr mnewpipe at gmail.com
Sun Dec 22 23:07:13 EET 2013


Hi!
I've been using Dovecot for one single Domain with SSL certificates.
Now I would like to use Dovecot with several Domains and proper SSL
certificates. I tried to set up TLS SNI but it does not work. What I
basically did was just adding

local_name imap.samsoft.at {
  ssl_cert = </etc/ssl/private/mailserver/imap.samsoft.at.crt
  ssl_key = </etc/ssl/private/mailserver/imap.samsoft.at.key
}

for the additional domain.

When trying to login via IMAP, I see the following lines in the log file:
===================================================================
Dec 22 21:01:05 mx0 dovecot: imap-login: Warning: SSL alert:
where=0x4004, ret=554: fatal bad certificate [151.236.5.22]
Dec 22 21:01:05 mx0 dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [151.236.5.22]
Dec 22 21:01:05 mx0 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=151.236.5.22, lip=151.38.7.25, TLS handshaking:
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate: SSL alert number 42, session=<Rg5EzyXutgCX7AaF>
===================================================================

The actual Dovecot config is pasted below.

How can I solve that and serve different certificates on the same IP
address?

Thanks,
Michael



doveconf -n
# 2.2.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab076.8 i686 CentOS release 6.5 (Final) simfs
# Both mechanisms send the password in the clear; they are only acceptable
# because "ssl = required" below refuses them on an unencrypted connection.
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_plugins = notify
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave imapflags
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  antispam_backend = dspam
  antispam_dspam_args = --source=error;--signature=%%s;--user;%u
  antispam_dspam_binary = /usr/bin/dspam
  antispam_signature = X-DSPAM-Signature
  antispam_signature_missing = move
  antispam_spam = Spam
  antispam_trash = trash;Trash;Deleted Items;Deleted Messages
  sieve = /var/mail/vhosts/sieve-scripts/%d/%n/.dovecot.sieve
  sieve_before = /var/mail/vhosts/sieve-scripts/before
  sieve_dir = /var/mail/vhosts/sieve-scripts/%d/%n/sieve
  sieve_extensions = +imapflags
}
postmaster_address = postmaster at changed.at
protocols = imap pop3 lmtp sieve
service auth {
  # Socket Postfix uses for SASL authentication.
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    # NOTE(review): 0666 makes the auth socket world-writable. user/group
    # already hand it to postfix, so 0660 should be enough unless another
    # local account needs it -- confirm before tightening.
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service dict {
  unix_listener dict {
    user = vmail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
# Plaintext authentication is refused until the session is encrypted.
ssl = required
# NOTE(review): in Dovecot, ssl_ca is the CA bundle for verifying *client*
# certificates; it is not used to complete the server's own chain. The
# intermediate certificates a client needs to validate the server cert are
# expected inside the ssl_cert file itself -- confirm the .pem/.crt files
# below contain the full chain.
ssl_ca = </etc/ssl/private/mailserver/ca-bundle.crt
# Default certificate, presented when the client sends no SNI name or a
# name without its own local_name block.
ssl_cert = </etc/ssl/private/mailserver/mx0.domain1.at.pem
ssl_key = </etc/ssl/private/mailserver/mx0.domain1.at.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  mail_plugins = sieve
}
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  mail_plugins = antispam
}
# SNI override: this certificate is offered when the client's TLS SNI name is
# imap.samsoft.at. The "bad certificate" alert (alert 42) in the log is sent
# by the client, i.e. the client rejected the certificate it received --
# presumably a chain or name mismatch on whichever cert was actually
# presented; verify with an SNI-aware client against both names.
local_name imap.samsoft.at {
  ssl_cert = </etc/ssl/private/mailserver/imap.samsoft.at.crt
  ssl_key = </etc/ssl/private/mailserver/imap.samsoft.at.key
}

