Hello,
I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it working in Postfix, but this example for Dovecot: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support doesn’t seem to work for me.
I’m using LetsEncrypt certificates. They work without a problem with the regular ssl_cert and ssl_key settings like this:
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
… but as soon as I put them in local_name blocks like this:
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
}
and restart dovecot I get the following error:
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>
I have verified that the certificate paths are correct, the files have content. I’ve already checked permissions (chmodded 777 to debug), as well as the that these are actually symlinks (updated the config to point to the real files) but nothing so far seems to change anything. I have also recreated my dh.pem (4096).
I’m hoping anyone has any idea where I might be going wrong.
Kind regards,
Silvan
Output of dovecot -n:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
# Hostname: azrael00
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = postmaster@datavenia.nl
protocols = imap lmtp
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0666
user = vmail
}
user = dovecot
}
service imap-login {
inet_listener imap {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_dh = # hidden, use -P to show it
userdb {
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
driver = static
}
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}