Dovecot proxy ignores trusted root certificate store

Edgar Pettijohn edgar at pettijohn-web.com
Tue Sep 22 01:42:24 UTC 2015



On 09/21/2015 05:11 PM, Alex Bulan wrote:
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>
>> doveconf -n?
>
> doveconf -n|grep ssl should suffice:
>
> ssl = required

Shouldn't it be:

ssl = yes

I was only aware of the choice of yes or no here, but I could be wrong.

> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
> ssl_key = </path/to/my/file.pem
> ssl_require_crl = no
>
> I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a 
> temporary workaround, even though this is not what ssl_ca is for.  It 
> happens to work, at least for now, but this is not a fix.
>
> ssl_client_ca_file should be used instead, but it has no effect in 
> proxy mode:
>
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> This doesn't work either (and the Dovecot Wiki shows it used without 
> "<"):
>
> ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> And "ssl_require_crl = no" to silence "unable to get certificate CRL" 
> log messages.  I don't need it to check CRLs on the backend's 
> certificate chain.


