18.04.2014 19:57, Charles Marcus:
Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...
Until now, we've been using self-signed certs with the following dovecot config:
    ssl = required
    ssl_cert = </etc/ssl/ourCerts/imap.pem
    ssl_key = </etc/ssl/ourCerts/imap_key.pem
Now, I've created new keys/certs and the CSR, got the new certs from RapidSSL (and also downloaded their Intermediate bundle), saved everything per their instructions, which say to reference them as follows:
    ssl = required
    ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
    ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
    ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:
    ssl = required
    ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
    ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
    ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
Anyone else ever used RapidSSL certs? Does this look correct?
Yes. No. Aside from the missing indirection (use ... = </etc/... as you did before) the documentation indicates that ssl_ca is only used for client certificate verification and has nothing to do with the certificate chain of your server certificate.
Instead, cat your new server certificate together with the CA certificates into one file and point ssl_cert to this file (see "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration ).
-- 
Regards
mks
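As an added example (not part of this thread and not Dovecot's own code or documentation), the POSIX shell script below builds the chained PEM file that mks describes, checks the order and validity of the chain with openssl the way a mail client would, and prints the matching Dovecot lines with the `<` indirection. The hostname mail.ourdomain.com, the working directory, and the three-level demo CA generated by make_demo_pki are constructed for this example only; with a real RapidSSL certificate you skip make_demo_pki and feed build_chain the issued .crt plus the downloaded RapidSSL_Intermediate.crt.

```shell
#!/bin/sh
# Added example for the dovecot-users thread above; not Dovecot's own code.
# Builds server-cert + intermediate into one PEM (the file ssl_cert must
# reference) and shows why serving the bare .crt fails at the client.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumption: scratch dir stands in for /etc/ssl/ourNewCerts
SERVER_CN="mail.ourdomain.com"    # hostname taken from the original post

# Constructed stand-ins for the RapidSSL root, the RapidSSL intermediate and
# the issued server certificate. A real deployment does not run this.
make_demo_pki() {
    (
        cd "$WORK"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SERVER_CN" > leaf.ext
        # root CA (self-signed)
        openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
            -subj "/CN=Demo Root CA" >/dev/null 2>&1
        openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
            -out root.pem >/dev/null 2>&1
        # intermediate CA, signed by the root
        openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
            -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1
        # server certificate, signed by the intermediate (what RapidSSL hands back)
        openssl req -new -newkey rsa:2048 -nodes -keyout "$SERVER_CN.key" -out server.csr \
            -subj "/CN=$SERVER_CN" >/dev/null 2>&1
        openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -days 2 -extfile leaf.ext -out "$SERVER_CN.crt" >/dev/null 2>&1
    )
}

# Order matters: TLS sends the file top to bottom, so the server certificate
# comes first, then the intermediate(s). The root is not needed; clients
# already trust it. The private key is NOT part of this file.
build_chain() {
    cat "$WORK/$SERVER_CN.crt" "$WORK/inter.pem" > "$WORK/$SERVER_CN.chain.pem"
    echo "$WORK/$SERVER_CN.chain.pem"
}

# Subject of the first certificate in the chain file; must be the server's.
chain_leaf_subject() {
    openssl x509 -in "$WORK/$SERVER_CN.chain.pem" -noout -subject
}

# Number of certificates in the chain file (2 here: leaf + intermediate).
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/$SERVER_CN.chain.pem"
}

# What a client does: trusts only the root, receives leaf + intermediate from
# the server. Exit status 0 means the chain validates.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/$SERVER_CN.crt" >/dev/null 2>&1
}

# What happens when ssl_cert points at the bare .crt: the client cannot link
# the leaf to a trusted root and rejects the certificate (non-zero exit).
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/$SERVER_CN.crt" >/dev/null 2>&1
}

# Dovecot lines with the '<' indirection (read the file's contents, not its path).
dovecot_snippet() {
    cat <<EOF
ssl = required
ssl_cert = <$WORK/$SERVER_CN.chain.pem
ssl_key = <$WORK/$SERVER_CN.key
EOF
}

make_demo_pki
CHAIN=$(build_chain)
echo "chain file: $CHAIN ($(chain_cert_count) certs, first: $(chain_leaf_subject))"
if verify_with_intermediate; then echo "leaf + intermediate: OK"; fi
if verify_without_intermediate; then echo "leaf alone: OK (unexpected)"; else echo "leaf alone: rejected, as a client would"; fi
dovecot_snippet
```

After pointing ssl_cert at the chain file and restarting Dovecot, confirm from outside with `openssl s_client -connect mail.ourdomain.com:993 -showcerts`: the printed certificate chain should show the server certificate at depth 0 and the intermediate at depth 1, and on a machine that trusts the RapidSSL root the session ends with "Verify return code: 0 (ok)". Keep ssl_key pointed at the private key on its own; it must not be appended to the chain file.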