SSL error after upgrading to 2.31

A. Schulze sca at andreasschulze.de
Wed May 30 11:41:35 EEST 2018


Aki Tuomi:

> There is already ssl_client_ca, for verifying clients. ssl_ca verifies
> certs when dovecot is connecting somewhere.


For clarification:

there is a third use case where an admin may need intermediate certificates:
and that's where dovecot acts as a server providing imap/pop3/lmtp/sieve
via TLS or STARTTLS

that's a different semantic:
ssl_client_ca and ssl_ca provide lists of CAs dovecot should trust,
while in the third case an administrator has to define exactly one list
of intermediate CAs used as a chain to a root. Mixing them is wrong.

In the third case an administrator has to provide files with
certificates. And these files
are required (by best practice) to include any chain certificates,
excluding the self-signed root.

There is no reason to only provide a certificate via ssl_cert = </path/to/file
and a new/other place to provide intermediates.

/path/to/file has to be built from "cat cert intermediate > /path/to/file".
No need for other options...

Andreas
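As an added example (not part of Andreas's message and not Dovecot's own code), the following POSIX shell script builds the combined file in the order the message describes, leaf certificate first and then the intermediates, and checks the result before pointing `ssl_cert = </path/to/file` at it. The file names `cert.pem`, `intermediate.pem`, `root.pem` and `chain.pem` are assumptions; the PEM blocks written by the demo section are constructed placeholders, not real certificates, so only the structural checks run on them. When `openssl` is installed and real certificates are used, `verify_chain` additionally confirms that the leaf chains to the root through the intermediates in the file.

```shell
#!/bin/sh
# Added example: build and sanity-check a Dovecot chain file.
# Assumed inputs (names are assumptions, not from the original post):
#   cert.pem          the server (leaf) certificate
#   intermediate.pem  intermediate CA certificate(s), leaf issuer first
#   root.pem          the self-signed root, kept OUT of the chain file
# Output: chain.pem, to be referenced as  ssl_cert = </path/to/chain.pem

# build_chain LEAF INTERMEDIATE OUT
# Concatenates leaf first, then intermediates, into OUT (the "cat cert
# intermediate > file" step from the message) and keeps the file world-readable,
# since it holds only public certificates, never the key.
build_chain() {
    cat "$1" "$2" > "$3" || return 1
    chmod 0644 "$3"
}

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# leaf_first LEAF CHAIN -> succeeds only if CHAIN begins with the exact
# contents of LEAF; a chain file that starts with an intermediate is a
# common cause of TLS clients rejecting the server.
leaf_first() {
    n=$(wc -l < "$1" | tr -d ' ')
    head -n "$n" "$2" | cmp -s - "$1"
}

# verify_chain ROOT CHAIN -> with openssl present, verifies that the first
# block of CHAIN (the leaf) validates up to ROOT using the remaining blocks
# of CHAIN as untrusted intermediates. Returns 2 if openssl is unavailable.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    # extract only the first PEM block, i.e. the leaf certificate
    awk '/-----BEGIN CERTIFICATE-----/{c++} c==1' "$2" > "$tmp"
    openssl verify -CAfile "$1" -untrusted "$2" "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo with constructed placeholder PEM blocks (not real certificates).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE' \
        '-----END CERTIFICATE-----' > "$d/intermediate.pem"
    build_chain "$d/cert.pem" "$d/intermediate.pem" "$d/chain.pem"
    echo "blocks in chain.pem: $(count_certs "$d/chain.pem")"
    if leaf_first "$d/cert.pem" "$d/chain.pem"; then
        echo "order ok: leaf certificate comes first"
    else
        echo "order WRONG: chain file does not start with the leaf"
    fi
    rm -rf "$d"
}

demo
```

With real certificates, run `build_chain cert.pem intermediate.pem chain.pem`, then `leaf_first cert.pem chain.pem && verify_chain root.pem chain.pem` before reloading Dovecot; the root stays in the client trust store, not in the chain file.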



