Hello,

 

I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it working in Postfix, but this example for Dovecot: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support doesn’t seem to work for me.

 

I’m using LetsEncrypt certificates. They work without a problem with the regular ssl_cert and ssl_key settings like this:

 

ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem

ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem

 

… but as soon as I put them in local_name blocks like this:

 

local_name datavenia.nl {

  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem

  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem

}

 

local_name verovia.nl {

  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem

  ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem

}

 

and restart dovecot I get the following error:

 

dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>

 

I have verified that the certificate paths are correct, the files have content. I’ve already checked permissions (chmodded 777 to debug), as well as the that these are actually symlinks (updated the config to point to the real files) but nothing so far seems to change anything. I have also recreated my dh.pem (4096).

 

I’m hoping anyone has any idea where I might be going wrong.

 

Kind regards,

Silvan

 

Output of dovecot -n:

 

# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf

# Pigeonhole version 0.5.13 (cdd19fe3)

# OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4

# Hostname: azrael00

auth_mechanisms = plain login

mail_location = maildir:/var/mail/vhosts/%d/%n

mail_privileged_group = mail

namespace inbox {

  inbox = yes

  location =

  mailbox Drafts {

    special_use = \Drafts

  }

  mailbox Junk {

    special_use = \Junk

  }

  mailbox Sent {

    special_use = \Sent

  }

  mailbox "Sent Messages" {

    special_use = \Sent

  }

  mailbox Trash {

    special_use = \Trash

  }

  prefix =

}

passdb {

  args = /etc/dovecot/dovecot-sql.conf.ext

  driver = sql

}

postmaster_address = postmaster@datavenia.nl

protocols = imap lmtp

service auth-worker {

  user = vmail

}

service auth {

  unix_listener /var/spool/postfix/private/auth {

    group = postfix

    mode = 0666

    user = postfix

  }

  unix_listener auth-userdb {

    mode = 0666

    user = vmail

  }

  user = dovecot

}

service imap-login {

  inet_listener imap {

    port = 0

  }

}

service lmtp {

  unix_listener /var/spool/postfix/private/dovecot-lmtp {

    group = postfix

    mode = 0600

    user = postfix

  }

}

ssl = required

ssl_dh = # hidden, use -P to show it

userdb {

  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n

  driver = static

}

local_name datavenia.nl {

  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem

  ssl_key = # hidden, use -P to show it

}

local_name verovia.nl {

  ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem

  ssl_key = # hidden, use -P to show it

}