On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote:
Set
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
Can this be the Let's Encrypt cert that we already have? In other words, we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Can those be used?
Set it to *CA* cert. You can also use
ssl_client_ca_file=/etc/pki/tls/ca-bundle.crt (on centos)
or
ssl_client_ca_dir=/etc/ssl/certs (on debian based)
Are you using haproxy or something in front of dovecot?
No. Just Squirrelmail webmail with sendmail.
Maybe squirrelmail supports forwarding the original client IP with the ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced?
Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with