On 30/03/2026 13:28 EEST Patrick Cernko via dovecot <dovecot@dovecot.org> wrote:
Hi Markus, hi list,
On 2026-03-30 12:15:15, markus-dovecot--- via dovecot wrote:
Unfortunately the upgrade to v2.4.3 broke the ldap connection.
I have configured an ldap connection like this:
ldap_uris = ldaps://xxx.com
ldap_auth_dn = uid=xxx,ou=general accounts,dc=xxx,dc=com
ldap_auth_dn_password = xxx
ldap_base = dc=xxx,dc=com
passdb ldap {
  ldap_bind = yes
  [...]
}

v2.4.3 cannot connect and says:

auth: Error: ldap(ldaps://xxx.com636): Can't connect to server: ldaps://xxx.com

Ldap server logs:

ACCEPT from IP=[XXX]:45674 (IP=[::]:636)
TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
closed (connection lost)

Downgrade to dovecot v2.4.2 makes it work again.
Was there any ldap change in v2.4.3 that required a config change?
I had a similar error. In my case, dovecot was missing the CA certificate for the cert of the LDAP server, as it was not included in the OS' ca-certificates bundle. I fixed it in my case with:
ssl_client_ca_file = /path/to/ldapservers-ca-certificate.crt
Seems like dovecot did not check the CA signing the LDAP server's certificate before 2.4.3.
Best,
Patrick Cernko <pcernko@mpi-klsb.mpg.de> +49 681 9325 5815
It did check the CA cert validity before, but in 2.4.3 the code interacting with libldap TLS settings was improved, which changed this. So dovecot did check LDAP certs, but the way it was enabling these with libldap was clearly not 100% correct.
Aki