Dovecot proxy ignores trusted root certificate store

Alex Bulan avb at korax.net
Mon Sep 21 07:28:25 UTC 2015


The result is the same with or without "<" before the file path.  With "<" 
the inode atime is updated at Dovecot startup, so the file is at least 
opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file is 
on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so 
you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



On Mon, 21 Sep 2015, Christian Kivalo wrote:

> Hi
>
>> I've pointed ssl_client_ca_file to my root certificate store, but I
>> suspect ssl_client_ca_file is only used in imapc context.  It seems to
>> be ignored in proxy context.
>> 
>> doveconf -n ssl_client_ca_file:
>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> You are missing the "<" before the file path
>
> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
> Regards
> Christian
>

