Bug with 2.2.29-1~auto+25 back to haunt me

Aki Tuomi aki.tuomi at dovecot.fi
Wed May 31 18:36:01 EEST 2017


> On May 31, 2017 at 6:10 PM Ralf Hildebrandt <Ralf.Hildebrandt at charite.de> wrote:
> 
> 
> * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
> 
> > So I added 
> > ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> > 
> > But alas:
> > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> > 
> > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> > 
> > ssl_ca = </etc/ssl/certs/ca-certificates.crt
> > 
> > So what gives?
> 
> It seems to be similar to:
> https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
> 
> "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
> 
> -- 
> Ralf Hildebrandt
>   Geschäftsbereich IT | Abteilung Netzwerk
>   Charité - Universitätsmedizin Berlin
>   Campus Benjamin Franklin
>   Hindenburgdamm 30 | D-12203 Berlin
>   Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>   ralf.hildebrandt at charite.de | https://www.charite.de
>

Hi.

passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.

Aki
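
The check described in the reply above, as an added example that is not part of the original post and is not Dovecot code: a small linter that reads `doveconf -n` style text and reports, for each `passdb` block with `driver = imap`, whether its `args` carry `ssl_ca_file`/`ssl_ca_dir`, set `allow_invalid_cert`, or have neither. The sample configuration, the host names and the status labels are constructed for illustration; the `ssl=imaps`/`ssl=starttls` argument is taken from Dovecot's passdb imap documentation rather than from this thread.

```python
import re

# Constructed sample in `doveconf -n` layout; hosts and paths are made up.
SAMPLE = """\
passdb {
  args = host=imap1.example.org port=993 ssl=imaps
  driver = imap
}
passdb {
  args = host=imap2.example.org ssl=starttls allow_invalid_cert=yes
  driver = imap
}
passdb {
  args = host=imap3.example.org port=993 ssl=imaps ssl_ca_dir=/etc/ssl/certs
  driver = imap
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
"""

def passdb_blocks(text):
    """Yield the settings of each top-level passdb { ... } block as a dict."""
    for body in re.findall(r"^passdb[ \t]*\{\n(.*?)^\}", text, re.M | re.S):
        yield dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", body, re.M))

def classify(args):
    """Classify parsed passdb imap args by how the remote cert is treated."""
    if args.get("ssl") not in ("imaps", "starttls"):
        return "no-tls"                  # assumption: no ssl= arg means plaintext
    if args.get("allow_invalid_cert") == "yes":
        return "verification-disabled"   # the opt-out named in the reply
    if "ssl_ca_file" in args or "ssl_ca_dir" in args:
        return "verified"
    return "missing-ca"                  # TLS requested but no CA in args

def audit(text):
    """Return (host, status) for every passdb block whose driver is imap."""
    results = []
    for settings in passdb_blocks(text):
        if settings.get("driver") != "imap":
            continue
        args = dict(a.partition("=")[::2] for a in settings.get("args", "").split())
        results.append((args.get("host", "?"), classify(args)))
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

A global `ssl_ca` setting does not change the result for a block, since the check looks only at what is inside `args`, which is where the reply says the CA setting is required.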

