On Thu, 2009-07-30 at 20:37 +0300, Evaggelos Balaskas wrote:
> openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
I guess this is ok, but to prevent confusion let's say these were client.crt and client.key instead.
> # Country Name (2 letter code) [AU]:GR
> # State or Province Name (full name) [Some-State]:Athens
> # Locality Name (eg, city) []:Aigaleo
> # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
> # Organizational Unit Name (eg, section) []:Mail Apps
> # Common Name (eg, YOUR name) []:myhome
> # Email Address []:ebalaskas@ebalaskas.gr
> openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
>   -name "dovecot Certificate Client" -out dovecot.p12
Again client.crt, client.key here.
> openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
What do you do with the dovecot.crl here? It's a client CRL and unless you add it to Dovecot's CRL list it's not necessary. Also the -selfsign is ignored.
> I've imported the dovecot.p12 to Thunderbird certificates and dovecot.crt to Thunderbird authorities (I've tried Claws Mail too - same errors)
OK.
> ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
This is probably where the problem is. This file must contain the CA certificate and the CRL, not just the CRL. And initially the CRL should be empty.
> ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
> ssl_key_file: /opt/certificates/dovecot/dovecot.key
And I hope these dovecot.* files aren't the same you just generated for the client?
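As an added example (not from this thread or the Dovecot project), the script below builds a throwaway CA, issues a separate client certificate, generates an initially empty CRL, and concatenates the CA certificate and the CRL into the single file that ssl_ca_file needs; it then checks the client certificate against that bundle, against the CRL alone (the mistake above), and again after the certificate is revoked. All file names and subject names are this example's own choices, and it assumes a reasonably current openssl binary.

```shell
#!/bin/sh
# Example CA + client-cert setup for Dovecot client-certificate auth.
# All file names and subjects here are this example's own choices.

make_pki() (                      # $1 = empty working directory
  cd "$1" || exit 1
  mkdir -p ca && : > ca/index.txt && echo 01 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
database = ca/index.txt
crlnumber = ca/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # CA key and self-signed CA certificate (the part missing from ssl_ca_file in the thread)
  openssl req -new -x509 -nodes -sha256 -days 365 -subj "/CN=Example Mail CA" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout ca.key -out ca.crt -config ca.cnf 2>/dev/null
  # Client key and CSR, signed by the CA; these stay separate from the server's cert/key
  openssl req -new -nodes -sha256 -subj "/CN=myhome" \
    -keyout client.key -out client.csr -config ca.cnf 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt 2>/dev/null
  # Initially empty CRL, then the CA cert + CRL bundle that ssl_ca_file should point at
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ssl_ca_file.pem
)

# Returns 0 if client.crt verifies against CA file $2 with CRL checking enabled
verify_client() (                 # $1 = working directory, $2 = CA file (relative to $1)
  cd "$1" && openssl verify -CAfile "$2" -crl_check client.crt >/dev/null 2>&1
)

# Revoke the client certificate and rebuild the CRL and bundle (what you do after a lost key)
revoke_client() (                 # $1 = working directory
  cd "$1" || exit 1
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ssl_ca_file.pem
)

WORK=$(mktemp -d) && make_pki "$WORK"
if verify_client "$WORK" ssl_ca_file.pem; then echo "CA cert + CRL bundle: client cert verifies"; fi
if ! verify_client "$WORK" ca.crl; then echo "CRL alone (as in the thread): verification fails"; fi
```

Point ssl_ca_file at the generated ssl_ca_file.pem and regenerate it whenever the CRL changes; the CRL alone, as in the quoted configuration, gives Dovecot no trust anchor to verify the client certificate against.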