[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's

Shadi Habbal sh.habbal at hotmail.com
Mon Sep 16 00:39:22 EEST 2013 

Hello,
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration,dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.----------------------------------------------------------------------------Here is the my dovecot.conf:# 2.0.21: /etc/dovecot/dovecot.conf# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final) auth_master_user_separator = *auth_mechanisms = PLAIN LOGINdict {  acl = mysql:/etc/dovecot/dovecot-share-folder.conf  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf}first_valid_uid = 2000last_valid_uid = 2000listen = *log_path = /var/log/dovecot.logmail_gid = 2000mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/mail_plugins = quotamail_uid = 2000managesieve_notify_capability = mailtomanagesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihavenamespace {  inbox = yes  location =   prefix =   separator = /  type = private}namespace {  list = children  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u  prefix = Shared/%%u/  separator = /  subscriptions = yes  type = shared}passdb {  args = /etc/dovecot/dovecot-mysql.conf  driver = sql}passdb {  args = /etc/dovecot/dovecot-master-users-password  driver = passwd-file  master = yes}plugin {  acl = vfile  acl_shared_dict = proxy::acl  auth_socket_path = /var/run/dovecot/auth-master  autocreate = INBOX  autocreate2 = Sent  autocreate3 = Trash  autocreate4 = Drafts  autocreate5 = Junk  autosubscribe = INBOX  autosubscribe2 = Sent  autosubscribe3 = Trash  autosubscribe4 = Drafts  autosubscribe5 = Junk  quota = dict:user::proxy::quotadict  quota_rule = *:storage=1G  quota_warning = storage=85%% quota-warning 85 %u  quota_warning2 = storage=90%% quota-warning 90 %u  quota_warning3 = storage=95%% quota-warning 95 %u  sieve = /%Lh/sieve/dovecot.sieve  sieve_dir = /%Lh/sieve  sieve_global_dir = /var/vmail/sieve  sieve_global_path = /var/vmail/sieve/dovecot.sieve}protocols = pop3 imap sieveservice auth {  unix_listener /var/spool/postfix/dovecot-auth {    group = postfix    mode = 0666    user = postfix  }  unix_listener auth-master {    group = vmail    mode = 0666    user = vmail  }  unix_listener auth-userdb {    group = vmail    mode = 0660    user = vmail  }}service dict {  unix_listener dict {    group = vmail    mode = 0660    user = vmail  }}service imap-login {  process_limit = 500  service_count = 1}service pop3-login {  service_count = 1}service quota-warning {  executable = script /usr/local/bin/dovecot-quota-warning.sh  unix_listener quota-warning {    group = vmail    mode = 0660    user = vmail  }}ssl = requiredssl_cert = </etc/pki/tls/certs/iRedMail_CA.pemssl_key = </etc/pki/tls/private/iRedMail.keyuserdb {  args = /etc/dovecot/dovecot-mysql.conf  driver = sql}verbose_ssl = yesprotocol lda {  auth_socket_path = /var/run/dovecot/auth-master  lda_mailbox_autocreate = yes  log_path = /var/log/sieve.log  mail_plugins = quota sieve autocreate  postmaster_address = root}protocol imap {  imap_client_workarounds = tb-extra-mailbox-sep  mail_plugins = quota imap_quota autocreate}protocol pop3 {  mail_plugins = quota  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh  pop3_uidl_format = %08Xu%08Xv}local_name nourcc.com {  ssl_ca = </etc/ssl/comodo.ca.crt  ssl_cert = </etc/pki/tls/certs/nourcc.com.pem  ssl_key = </etc/pki/tls/private/nourcc.com.key}local_name rockmetal-ae.com {  ssl_ca = </etc/ssl/comodo.ca.crt  ssl_cert = </etc/pki/tls/certs/rockmetal-ae.com.pem  ssl_key = </etc/pki/tls/private/rockmetal-ae.com.key}local_name alliance-sir.com {  ssl_ca = </etc/ssl/comodo.ca.crt  ssl_cert = </etc/pki/tls/certs/alliance-sir.com.pem  ssl_key = </etc/pki/tls/private/alliance-sir.com.key}----------------------------------------------------------------------------Here are my certs permissions, just in case:[root at epm certs]# ll /etc/ssl/comodo.ca.crt-rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt[root at epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem-rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem[root at epm certs]# ll /etc/pki/tls/private/nourcc.com.key-rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key----------------------------------------------------------------------------Here is my openssl test output:$ openssl s_client -connect nourcc.com:pop3sCONNECTED(00000003)depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.comverify error:num=18:self signed certificateverify return:1depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root at epm.nourcc.comverify return:1.......................... blah blah blah .........................
so I'm not sure, is there a certain way for doing it that I overlooked?
Thanks.

More information about the dovecot mailing list