service doveadm : ssl problems

nerbrume at free.fr
Thu Nov 10 15:09:02 UTC 2016


Hello,

I'm using dovecot 2.2.13 on Debian stable.
My users are authenticated through PAM, and stored in an LDAP backend
I'm trying to set up replication with SSL, following (mainly) this: http://wiki2.dovecot.org/Replication

1) I only diverted from the instructed setup by not setting "doveadm_port = 12345", as it would give me errors like:
> Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't support crentials lookups (to see if user is proxied, because doveadm_port is set)
but rather specifying the port in the mail_replica setting: "mail_replica = tcps:my.domain.com:1465"
(following a mail from here: http://www.dovecot.org/list/dovecot/2016-September/105356.html)
So far, this seems to be working for me.

2) However, I'm having SSL problems. I have a Let's Encrypt certificate, and have concatenated the CA cert and my server cert in a fullchain.pem.
Excerpt from my ssl config:
> ssl = yes
> ssl_cert = </etc/letsencrypt/live/my.domain.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/my.domain.comi/privkey.pem

doveadm returns these errors (sudo -u dovecot doveadm -v sync -u user tcps:my.domain.com:12345):
> doveadm(casoli): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
> doveadm(casoli): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
> doveadm(casoli): Fatal: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com

Which I can reproduce with openssl (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:12345):
> (...)
> Verify return code: 21 (unable to verify the first certificate)
Indeed, in this case, dovecot only returns the local part of the certificate (my.domain.com), and not the full chain (with the intermediate CA).

While testing regular IMAPS with openssl is OK (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
> (...)
> Verify return code: 0 (ok)
And I can see the full chain.


So, it seems to me that doveadm is somehow wrongly serving my certificate, truncating it, but I can't see why, and whether this is a misconfiguration on my part.
I can post more config files or message outputs if needed, I kept them redacted here for the sake of brevity.

Regards,
N
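Added example, not part of the original post and not dovecot's own code: a POSIX shell script that builds a throwaway CA and leaf certificate with openssl (constructed names, not the poster's domain), then checks that a concatenated bundle such as fullchain.pem is ordered leaf-first with each certificate's issuer matching the subject of the next one. It also reproduces the "unable to get local issuer certificate" failure offline by verifying the leaf against a trust store that does not contain its issuer, which is the client-side view of the error quoted above.

```shell
#!/bin/sh
# Added example (not from the original post or the dovecot project).
# Builds a throwaway CA + leaf with openssl and checks that a concatenated
# certificate bundle is ordered leaf-first, each cert's issuer being the
# subject of the cert that follows it: the order a TLS server has to send
# and what a verifying client (doveadm, openssl s_client) expects.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: the names are placeholders, not the poster's domain.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # A second, unrelated CA to stand in for a trust store lacking the issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/unrelated-ca.key" -out "$WORK/unrelated-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Leaf first, then the issuing CA: the order a server must present.
  cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/fullchain-good.pem"
  # CA first: an easy mistake when concatenating by hand.
  cat "$WORK/ca.pem" "$WORK/leaf.pem" > "$WORK/fullchain-bad.pem"
}

# Split a PEM bundle into $WORK/part.NN files and list them in bundle order.
# Text outside BEGIN/END blocks (e.g. s_client chatter) is ignored.
split_pem() {
  rm -f "$WORK"/part.*
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/part.%02d", dir, n); keep = 1 }
    keep { print > out }
    /-----END CERTIFICATE-----/ { keep = 0 }
  ' "$1"
  ls "$WORK"/part.* 2>/dev/null || true
}

# Prints "ok" when the bundle is leaf-first with a consistent issuer chain;
# otherwise prints the first problem found and returns 1.
check_chain_order() {
  count=0
  prev_issuer=""
  prev_subject=""
  for part in $(split_pem "$1"); do
    count=$((count + 1))
    subject=$(openssl x509 -in "$part" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$part" -noout -issuer | sed 's/^issuer= *//')
    if [ "$count" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
      echo "mismatch: cert $((count - 1)) [$prev_subject] is issued by [$prev_issuer], but cert $count is [$subject]"
      return 1
    fi
    prev_issuer=$issuer
    prev_subject=$subject
  done
  [ "$count" -gt 0 ] || { echo "no certificates found in $1"; return 1; }
  echo ok
}

# Client-side view: verify the leaf against a given trust anchor file.
# Prints "ok", or the reason openssl gives (e.g. "unable to get local
# issuer certificate" when the issuer is missing from the trust store).
verify_leaf_against() {
  out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1) && { echo ok; return 0; }
  echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

make_test_pki
echo "leaf-first bundle:        $(check_chain_order "$WORK/fullchain-good.pem")"
echo "CA-first bundle:          $(check_chain_order "$WORK/fullchain-bad.pem" || true)"
echo "verify with issuing CA:   $(verify_leaf_against "$WORK/ca.pem")"
echo "verify with unrelated CA: $(verify_leaf_against "$WORK/unrelated-ca.pem")"
```

To apply the same ordering check to what a live service actually sends, save the output of openssl s_client -showcerts (redirecting stdin from /dev/null so it exits) to a file and pass that file to check_chain_order; a server that sends only its leaf will yield a single certificate, which is exactly what a client cannot chain to a local trust anchor.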

