On Mon, 21 Sep 2015, Christian Kivalo wrote:
Haven't found much about proxying and ssl but found a configuration parameter ssl_ca = </path/to/file maybe that works...
http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate verification/authentication
ssl_ca serves a different purpose, it's for setting your certificate authority in order to verify client certs you've issued.
Setting "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" does work to verify the proxy backend cert, at least the current Dovecot release, but it's a hack. It's misusing this setting for a different purpose than documented. I can't rely on this "solution" as it could break in a future Dovecot release.
The correct setting to use is ssl_client_ca_file. It's just not being applied in proxy mode.
The patchset that implemented ssl_client_ca_file is here:
http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html
Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set the CAfile path, as it should, but apparently only when it's talking to an imapc storage backend, not when it's acting as a simple proxy.
See http://dovecot.org/pipermail/dovecot/2013-June/090884.html