Dovecot proxy ignores trusted root certificate store

Alex Bulan avb at
Mon Sep 21 17:34:25 UTC 2015

On Mon, 21 Sep 2015, Christian Kivalo wrote:

> Haven't found much about proxying and ssl but found a configuration parameter 
> ssl_ca = </path/to/file maybe that works...
> section Client certificate 
> verification/authentication

ssl_ca serves a different purpose, it's for setting your certificate 
authority in order to verify client certs you've issued.

Setting "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" does work to 
verify the proxy backend cert, at least the current Dovecot release, but 
it's a hack.  It's misusing this setting for a different purpose than 
documented.  I can't rely on this "solution" as it could break in a future 
Dovecot release.

The correct setting to use is ssl_client_ca_file.  It's just not being 
applied in proxy mode.

The patchset that implemented ssl_client_ca_file is here:

Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set 
the CAfile path, as it should, but apparently only when it's talking to an 
imapc storage backend, not when it's acting as a simple proxy.


More information about the dovecot mailing list