Updated my Dovecot certificate for the first time

Greg Rivers gcr+dovecot at tharned.org
Wed Nov 23 22:04:22 UTC 2016


On Wed, 23 Nov 2016, Steve Litt wrote:
> [snip]
>
> Alpine still gives me a bad cert warning, saying I should either fix it 
> or disable checking. I haven't yet found a way to get Alpine to 
> discriminate between a valid self-signed cert and a bad one.
>
Like a number of applications, alpine checks the system certificates 
directory for a file containing the server certificate to be validated 
that's named according to its x509 hash. If it finds it, it trusts it.

I don't know where Linux distros keep their certs, but on FreeBSD it's in 
/etc/ssl/certs/. If you've no other way to find out, a brute force search 
of the alpine binary should locate it, e.g.:

$ strings $(whence alpine) | grep '^/.*certs$'
/etc/ssl/certs

You can fetch the certificate from a remote IMAP server and install it in 
your system certs directory like this:

# cd /path/to/certs &&
> openssl s_client -connect remote.server:143 -starttls imap -showcerts </dev/null 2>&0 |
> H=$(openssl x509 -hash -out imap.pem) &&
> ln -sf imap.pem ${H}.0
# ls -l
total 5
lrwxr-xr-x  1 root  wheel    11 Nov 23 15:34 3a82ab1a.0 -> imap.pem
-rw-r--r--  1 root  wheel  1371 Nov 23 15:34 imap.pem

-- 
Greg Rivers
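
The fetch-and-link step above installs whatever certificate answers on port 143. This added example (not part of the original message) compares the fetched certificate's SHA-256 fingerprint with one obtained out of band before creating the hash link, then confirms that OpenSSL's hashed-directory lookup accepts it. The function names, `imap.example.test` and the temporary paths are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: cert_fp, install_pinned_cert, trusted_in and demo are names
# made up for this sketch; they are not part of alpine, Dovecot or OpenSSL.

# SHA-256 fingerprint of the first certificate found in file $1.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_pinned_cert FETCHED_FILE CERTS_DIR EXPECTED_FP
# Copies the certificate to CERTS_DIR/imap.pem and links it as <hash>.N, but
# only when its fingerprint equals the one obtained out of band.
install_pinned_cert() {
    pem=$1 dir=$2 want=$3
    got=$(cert_fp "$pem")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "refusing to install: fingerprint is '$got'" >&2
        return 1
    fi
    hash=$(openssl x509 -in "$pem" -noout -hash) || return 2
    openssl x509 -in "$pem" -out "$dir/imap.pem" || return 2
    # Certificates with the same subject share a hash; use the first free
    # suffix instead of overwriting an unrelated <hash>.0.
    n=0
    while [ -e "$dir/$hash.$n" ] && [ "$(readlink "$dir/$hash.$n")" != imap.pem ]; do
        n=$((n + 1))
    done
    ln -sf imap.pem "$dir/$hash.$n" && echo "$hash.$n"
}

# True when OpenSSL's hashed-directory lookup in $2 validates certificate $1.
trusted_in() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed sample: a throwaway self-signed certificate stands in for the
# one saved from `openssl s_client ... -showcerts`. In real use the expected
# fingerprint comes from the server's administrator, not from the fetched file.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/certs" || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=imap.example.test \
        -keyout "$tmp/key.pem" -out "$tmp/fetched.pem" 2>/dev/null || return 2
    install_pinned_cert "$tmp/fetched.pem" "$tmp/certs" "$(cert_fp "$tmp/fetched.pem")"
    trusted_in "$tmp/fetched.pem" "$tmp/certs" && echo "validates via $tmp/certs"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see the link name and the validation result for the throwaway certificate.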

