[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's

Shadi Habbal sh.habbal at hotmail.com
Mon Sep 16 00:45:42 EEST 2013


Sorry for the mess, forgot to change the formatting to plain text.


I'm using dovecot v2.0.21.

According to http://wiki2.dovecot.org/SSL/DovecotConfiguration,
dovecot 2.x supports a different SSL certificate for each virtual host via the "local_name" directive, but I can't get it to work.

When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.
----------------------------------------------------------------------------
Here is my dovecot.conf:
# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final) 
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users-password
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  quota = dict:user::proxy::quotadict
  quota_rule = *:storage=1G
  quota_warning = storage=85%% quota-warning 85 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
  quota_warning3 = storage=95%% quota-warning 95 %u
  sieve = /%Lh/sieve/dovecot.sieve
  sieve_dir = /%Lh/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  log_path = /var/log/sieve.log
  mail_plugins = quota sieve autocreate
  postmaster_address = root
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = quota imap_quota autocreate
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
local_name nourcc.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/nourcc.com.pem
  ssl_key = </etc/pki/tls/private/nourcc.com.key
}
local_name rockmetal-ae.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/rockmetal-ae.com.pem
  ssl_key = </etc/pki/tls/private/rockmetal-ae.com.key
}
local_name alliance-sir.com {
  ssl_ca = </etc/ssl/comodo.ca.crt
  ssl_cert = </etc/pki/tls/certs/alliance-sir.com.pem
  ssl_key = </etc/pki/tls/private/alliance-sir.com.key
}
----------------------------------------------------------------------------
Here are my certs permissions, just in case:
[root@epm certs]# ll /etc/ssl/comodo.ca.crt
-rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt
[root@epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem
-rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem
[root@epm certs]# ll /etc/pki/tls/private/nourcc.com.key
-rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key
----------------------------------------------------------------------------
Here is my openssl test output:
$ openssl s_client -connect nourcc.com:pop3s
CONNECTED(00000003)
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com
verify return:1
.......................... blah blah blah .........................

So I'm not sure: is there a certain way of doing it that I overlooked?

Thanks.
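Added example, not part of the original post or of Dovecot's code: the local_name blocks above are matched against the host name the client sends in the TLS server_name (SNI) extension of its ClientHello, so a client that sends no SNI can only ever receive the default ssl_cert. The script below builds two minimal TLS 1.2 ClientHellos (constructed bytes, not captured traffic), one with and one without SNI, extracts the server_name the way a server would, and mimics the local_name fallback with a small cert map keyed on the host names from the config. The cert paths and the select_cert helper are illustrative assumptions.

```python
"""Build minimal TLS 1.2 ClientHello messages with and without the
server_name (SNI, RFC 6066) extension and extract the requested host
name, which is the value a server's per-vhost certificate selection
(Dovecot's local_name) keys on.  All bytes here are constructed for
the example; nothing is read from the network."""
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.
    When server_name is given, a server_name extension is included."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += b"\x00" * 32                # random (zeros; constructed example)
    body += b"\x00"                     # session_id length 0
    body += _u16(2) + b"\xc0\x2f"       # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                 # compression methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + _u16(len(host)) + host        # name_type host_name(0)
        sni_list = _u16(len(entry)) + entry
        extensions += _u16(0) + _u16(len(sni_list)) + sni_list   # ext type 0 = server_name
    body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Parse a TLS handshake record and return the SNI host name,
    or None when the ClientHello carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    i = 2 + 32                                       # skip version and random
    sid_len = p[i]; i += 1 + sid_len                 # session_id
    cs_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2 + cs_len   # cipher_suites
    cm_len = p[i]; i += 1 + cm_len                   # compression_methods
    if i >= len(p):
        return None                                  # hello ends here: no extensions at all
    ext_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2
    end = i + ext_len
    while i + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", p[i:i + 4]); i += 4
        data = p[i:i + ext_size]; i += ext_size
        if ext_type == 0:                            # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            j = 2
            while j + 3 <= 2 + list_len:
                name_type = data[j]
                name_len = struct.unpack("!H", data[j + 1:j + 3])[0]
                name = data[j + 3:j + 3 + name_len]
                j += 3 + name_len
                if name_type == 0:                   # host_name
                    return name.decode("ascii")
    return None


def select_cert(record, vhost_certs, default_cert):
    """Mimic local_name selection: the vhost cert for the SNI name,
    or the default cert when there is no SNI or no matching name."""
    name = extract_sni(record)
    return vhost_certs.get(name, default_cert) if name else default_cert


if __name__ == "__main__":
    # Assumed cert map built from the local_name blocks in the posted config.
    certs = {"nourcc.com": "/etc/pki/tls/certs/nourcc.com.pem",
             "rockmetal-ae.com": "/etc/pki/tls/certs/rockmetal-ae.com.pem"}
    default = "/etc/pki/tls/certs/iRedMail_CA.pem"
    for hello in (build_client_hello(), build_client_hello("nourcc.com")):
        print(extract_sni(hello), "->", select_cert(hello, certs, default))
```

The practical consequence for the test in the post: OpenSSL 1.0.x s_client (the version shipped with CentOS 6) only adds the server_name extension when given -servername, so "openssl s_client -connect nourcc.com:pop3s" exercises exactly the no-SNI path above and the server correctly answers with its default certificate. Test with "openssl s_client -connect nourcc.com:pop3s -servername nourcc.com" instead (OpenSSL 1.1.1 and later fill SNI from the -connect host unless -noservername is given). Mail clients that never send SNI will likewise get the default certificate, so that certificate should still be one they can validate.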

