On Mon, 21 Sep 2015, Christian Kivalo wrote:
Haven't found much about proxying and ssl but found a configuration parameter ssl_ca =
http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate verification/authentication
ssl_ca serves a different purpose, it's for setting your certificate authority in order to verify client certs you've issued.
Setting "ssl_ca =
The correct setting to use is ssl_client_ca_file. It's just not being applied in proxy mode.
The patchset that implemented ssl_client_ca_file is here:
http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html
Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set the CAfile path, as it should, but apparently only when it's talking to an imapc storage backend, not when it's acting as a simple proxy.
See http://dovecot.org/pipermail/dovecot/2013-June/090884.html