Aki Tuomi:
There is already ssl_client_ca, for verifying clients. ssl_ca verifies certs when dovecot is connecting somewhere.
For clarification:
there is a third use case an admin may need intermediate certificates:
And that's where dovecot act as server providing imap/pop3/lmtp/sieve
via TLS or STARTTLS
that's different semantic: ssl_client_ca and ssl_ca provide lists of CAs, dovecot should trust while in the third case an administrator has to define exactly one list of intermediate CAs used as chain to a root. Mixing them is wrong.
In the third case an administrator has to provide files with
certificates. And these files
are required (by best practice) to include any chain-certificates
excluding the self signed root.
There is no reason to only provide a certificate via ssl_cert =
/path/to/file has to be build from "cat cert intermediate > /path/to/file" No need for other options...
Andreas