Dovecot proxy ignores trusted root certificate store
Christian Kivalo
ml+dovecot at valo.at
Mon Sep 21 08:50:19 UTC 2015
On 2015-09-21 09:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid,
> so you need to specify the directory containing valid SSL CA roots:
>
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)
For replication-only settings? I can only guess, as I currently don't use
proxy or replication.
Haven't found much about proxying and SSL, but I found a configuration
parameter, ssl_ca = </path/to/file; maybe that works...
http://wiki2.dovecot.org/SSL/DovecotConfiguration, section "Client
certificate verification/authentication"
>
> On Mon, 21 Sep 2015, Christian Kivalo wrote:
>
>> Hi
>>
>>> I've pointed ssl_client_ca_file to my root certificate store, but I
>>> suspect ssl_client_ca_file is only used in imapc context. It seems to
>>> be ignored in proxy context.
>>>
>>> doveconf -n ssl_client_ca_file:
>>> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>>
>> You are missing the "<" before the file path
>>
>> Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>>
>> See http://wiki2.dovecot.org/SSL/DovecotConfiguration
>>
>> Regards
>> Christian
>>
- Christian
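Before deciding which Dovecot setting is being ignored, it is worth ruling out the CA bundle itself: if OpenSSL cannot build a chain from that file to the backend's certificate, no Dovecot setting will make the proxy accept it. The script below is an added example, not code from this thread or from Dovecot; it builds a throwaway CA and a backend certificate signed by it (constructed test data, all names hypothetical), then checks a bundle against the certificate with `openssl verify -CAfile`, which takes a plain path just like a file you would point a Dovecot CA setting at. Substitute your real bundle (e.g. the ca-root-nss.crt file mentioned above) and the certificate served by your backend, obtained with `openssl s_client -connect host:993 -showcerts`, to test the real case.

```shell
#!/bin/sh
# Added example: does a CA bundle verify a backend certificate?
# Uses a constructed, short-lived test PKI so it runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a backend cert signed by it, and an
# unrelated self-signed cert for the negative case.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/backend.key" \
    -out "$WORK/backend.csr" -subj "/CN=imap-backend.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/backend.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/backend.pem" \
    -days 1 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.pem" -days 1 -subj "/CN=unrelated" >/dev/null 2>&1
}

# verify_with_ca <ca_bundle_path> <cert_path>: prints OK or FAIL.
# This is the same chain-building check a TLS client performs, minus
# hostname matching, so a FAIL here means the bundle is the problem,
# not the client configuration.
verify_with_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_test_pki
echo "right CA:     $(verify_with_ca "$WORK/ca.pem" "$WORK/backend.pem")"
echo "unrelated CA: $(verify_with_ca "$WORK/other.pem" "$WORK/backend.pem")"
```

If the real bundle gives FAIL, look at `openssl verify`'s error text without the redirect: "unable to get local issuer certificate" means the backend's issuing CA (or an intermediate the backend should be sending) is not in the bundle, whereas OK points back at how Dovecot is reading the setting.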