Reference: https://dovecot.org/pipermail/dovecot/2016-June/104770.html


Create ProxMox container vmid=114 "dove" with IP address 192.168.61.214/24
Alpine Linux: alpine-3.15-default_20211202_amd64.tar.xz

# n.b. this mirror has dovecot 2.3.20
/sbin/setup-apkrepos http://mirror.aarnet.edu.au/pub/alpine/latest-stable/main/ http://mirror.aarnet.edu.au/pub/alpine/latest-stable/community/
apk -U upgrade
apk add dovecot dovecot-lmtpd

uname -a
  Linux dove 5.4.162-1-pve #1 SMP PVE 5.4.162-2 (Thu, 20 Jan 2022 16:38:53 +0100) x86_64 Linux
cat /etc/alpine-release 
  3.17.1
dovecot --version
  2.3.20 (80a5ac675d)

# Create Real and Fake certificate authorities and have the Real CA sign certificates for dove.example.com and smtp.example.com

cd /etc/ssl/dovecot/

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca_fake.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca_real.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out imap.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out smtp.key

openssl req -x509 -new -subj '/CN=Fake CA' -key ca_fake.key -nodes -sha256 -days 3650 -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=keyCertSign,cRLSign' -out ca_fake.pem
openssl req -x509 -new -subj '/CN=Real CA' -key ca_real.key -nodes -sha256 -days 3650 -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=keyCertSign,cRLSign' -out ca_real.pem

openssl req -new -nodes -key imap.key -sha256 -out imap.csr -subj '/CN=imap.example.com'
cat <<\EOF >imap.ext
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:imap.example.com
EOF
openssl x509 -req -CA ca_real.pem -CAkey ca_real.key -sha256 -days 365 -in imap.csr -extfile imap.ext -out imap.pem

openssl req -new -nodes -key smtp.key -sha256 -out smtp.csr -subj '/CN=smtp.example.com'
cat <<\EOF >smtp.ext
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:smtp.example.com
EOF
openssl x509 -req -CA ca_real.pem -CAkey ca_real.key -sha256 -days 365 -in smtp.csr -extfile smtp.ext -out smtp.pem

# Dovecot Absolute Minimum Config

cd /etc/dovecot
mv dovecot.conf dovecot.conf.orig
cat <<\END_CONF >dovecot.conf
protocols = lmtp
listen = 192.168.61.214

service lmtp {
  inet_listener lmtp {
    address = 192.168.61.214
    port = 24
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/dovecot/imap.pem
ssl_key = </etc/ssl/dovecot/imap.key
ssl_client_ca_file = /etc/ssl/dovecot/ca_real.pem
ssl_client_cert = </etc/ssl/dovecot/imap.pem
ssl_client_key = </etc/ssl/dovecot/imap.key
ssl_require_crl = no
auth_ssl_require_client_cert = yes

# multi-level filters appear to be broken. Not a huge problem
# the MTA will never talk IMAP and MUAs will never talk LMTP
# but still annoying :((

remote 192.168.61.214/0 {
  #protocol lmtp {
    ssl_verify_client_cert = yes
    ssl_ca = </etc/ssl/dovecot/ca_fake.pem
  #}
}
remote 192.168.61.207 {
  #protocol lmtp {
    ssl_verify_client_cert = yes
    ssl_ca = </etc/ssl/dovecot/ca_real.pem
  #}
}
END_CONF

doveconf -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.4.162-1-pve x86_64  
# Hostname: dove.teletech.com.au
auth_ssl_require_client_cert = yes
listen = 192.168.61.214
protocols = lmtp
service lmtp {
  inet_listener lmtp {
    address = 192.168.61.214
    port = 24
    ssl = yes
  }
}
ssl = required
ssl_ca = </etc/ssl/dovecot/ca_fake.pem
ssl_cert = </etc/ssl/dovecot/imap.pem
ssl_client_ca_file = /etc/ssl/dovecot/ca_real.pem
ssl_client_cert = </etc/ssl/dovecot/imap.pem
ssl_client_key = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_require_crl = no
ssl_verify_client_cert = yes
ssl_ca = </etc/ssl/dovecot/ca_fake.pem
ssl_verify_client_cert = yes
remote 192.168.61.207 {
  ssl_ca = </etc/ssl/dovecot/ca_real.pem
  ssl_verify_client_cert = yes
}

doveconf -f remote=192.168.61.207 ssl_ca
  ssl_ca = </etc/ssl/dovecot/ca_real.pem
doveconf -f remote=192.168.61.208 ssl_ca
  ssl_ca = </etc/ssl/dovecot/ca_fake.pem

/usr/sbin/dovecot

=========================================================
On 192.168.61.207
copy accross //192.168.61.214/etc/ssl/dovecot/smtp.pem    to //192.168.61.207/tmp/smtp.pem
copy accross //192.168.61.214/etc/ssl/dovecot/smtp.key    to //192.168.61.207/tmp/smtp.key
copy accross //192.168.61.214/etc/ssl/dovecot/ca_real.pem to //192.168.61.207/tmp/ca_real.pem

ifconfig eth0
eth0      ...
          inet addr:192.168.61.207  Bcast:0.0.0.0  Mask:255.255.255.0
          ...

cd /tmp
openssl s_client -connect 192.168.61.214:24 -key smtp.key -cert smtp.pem -CAfile ca_real.pem

Acceptable client certificate CA names
CN = Fake CA  <<<<<<<<<<<<<<<<<<<<<<<< FATAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
=========================================================