Re: ee key too small

either do

openssl s_client -connect host:993

or

openssl s_client -connect host:143 -starttls imap

Aki

 On 20/11/2025 17:49 EET Marek Gresko via dovecot
 <[1]dovecot@dovecot.org> wrote:


 When trying openssl s_client to port 143, I get:

 no peer certificate available
 --
 No client certificate CA names sent
 Negotiated TLS1.3 group: <NULL>
 ---
 SSL handshake has read 5 bytes and written 1556 bytes
 Verification: OK
 ---
 New, (NONE), Cipher is (NONE)
 Protocol: TLSv1.3
 This TLS version forbids renegotiation.
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 Early data was not sent
 Verify return code: 0 (ok)

 Why there is no certificate present? Because dovecot refuse to present
 it since it thinks it is weak?

 Marek





 Odoslane pomocou bezpecneho emailu Proton Mail.

 stvrtok 20. novembra 2025, 16:45, Marek Gresko
 <[2]marek.gresko@protonmail.com> napisal/a:


   Hello,

   I added ca_file to the server section. I do not want clients to
   present certificates, so I did not create the ssl client section you
   proposed.

   Any other suggestion?

   I still cannot imagine what could be the cause.

   Thanks

   Marek




   Odoslane pomocou bezpecneho emailu Proton Mail.


   stvrtok 20. novembra 2025, 16:13, pgnd [3]pgnd@dev-mail.net napisal/a:


       after upgrading from Fedora 42 to Fedora 43 the dovecot got
       upgraded to version 2.4.

     imo, a sloppy choice on their part, forcing the need to
     significantly change imap config at the same time as an OS upgrade,
     and 'breaking imap' for lots of folks.


       Should the authority certificate be configured somewhere in
       dovecot?

     start with a thorough read of

     [4]https://doc.dovecot.org/2.4.2/core/config/ssl.html

     if using self-signed certs, you'll end up with something similar to

     ssl = required
     ...
     ssl_server {
     ca_file = /path/to/your_CA.crt.pem
     cert_file = /path/to/your_domain.server.ec.crt.pem
     key_file = /path/to/your_domain.server.ec.key.pem
     ...
     }
     ssl_client {
     ca_file = /path/to/your_CA.crt.pem
     cert_file = /path/to/your_domain.client.ec.crt.pem
     key_file = /path/to/your_domain.client.ec.key.pem
     ...
     }

 _______________________________________________
 dovecot mailing list -- [5]dovecot@dovecot.org
 To unsubscribe send an email to [6]dovecot-leave@dovecot.org

References

Visible links

1. mailto:dovecot@dovecot.org
2. mailto:marek.gresko@protonmail.com
3. mailto:pgnd@dev-mail.net
4. https://doc.dovecot.org/2.4.2/core/config/ssl.html
5. mailto:dovecot@dovecot.org
6. mailto:dovecot-leave@dovecot.org