Both these command return same result as the previous I posted.
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 17:07, Aki Tuomi <aki.tuomi@open-xchange.com> napísal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes Verification: OK
New, (NONE), Cipher is (NONE) Protocol: TLSv1.3 This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
Marek
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 16:45, Marek Greško <marek.gresko@protonmail.com> napísal/a:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 16:13, pgnd pgnd@dev-mail.net napísal/a:
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required ... ssl_server { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.server.ec.crt.pem key_file = /path/to/your_domain.server.ec.key.pem ... } ssl_client { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.client.ec.crt.pem key_file = /path/to/your_domain.client.ec.key.pem ... }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Both these command return same result as the previous I posted. Odoslane pomocou bezpecneho emailu [1]Proton Mail. stvrtok 20. novembra 2025, 17:07, Aki Tuomi <aki.tuomi@open-xchange.com> napisal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Gresko via dovecot
<[2]dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
--
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present
it since it thinks it is weak?
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:45, Marek Gresko
<[3]marek.gresko@protonmail.com> napisal/a:
Hello,
I added ca_file to the server section. I do not want clients to
present certificates, so I did not create the ssl client section you
proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:13, pgnd [4]pgnd@dev-mail.net
napisal/a:
after upgrading from Fedora 42 to Fedora 43 the dovecot got
upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to
significantly change imap config at the same time as an OS
upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in
dovecot?
start with a thorough read of
[5]https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar
to
ssl = required
...
ssl_server {
ca_file = /path/to/your_CA.crt.pem
cert_file = /path/to/your_domain.server.ec.crt.pem
key_file = /path/to/your_domain.server.ec.key.pem
...
}
ssl_client {
ca_file = /path/to/your_CA.crt.pem
cert_file = /path/to/your_domain.client.ec.crt.pem
key_file = /path/to/your_domain.client.ec.key.pem
...
}
_______________________________________________
dovecot mailing list -- [6]dovecot@dovecot.org
To unsubscribe send an email to [7]dovecot-leave@dovecot.orgReferences
Visible links
- https://proton.me/mail/home
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org