16 Sep
2013
16 Sep
'13
12:45 a.m.
Sorry for the mess, forgot to change the formatting to plain text.
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.
Here is the my dovecot.conf: # 2.0.21: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final) auth_master_user_separator = * auth_mechanisms = PLAIN LOGIN dict { acl = mysql:/etc/dovecot/dovecot-share-folder.conf quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf } first_valid_uid = 2000 last_valid_uid = 2000 listen = * log_path = /var/log/dovecot.log mail_gid = 2000 mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/ mail_plugins = quota mail_uid = 2000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { inbox = yes location = prefix = separator = / type = private } namespace { list = children location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u prefix = Shared/%%u/ separator = / subscriptions = yes type = shared } passdb { args = /etc/dovecot/dovecot-mysql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-master-users-password driver = passwd-file master = yes } plugin { acl = vfile acl_shared_dict = proxy::acl auth_socket_path = /var/run/dovecot/auth-master autocreate = INBOX autocreate2 = Sent autocreate3 = Trash autocreate4 = Drafts autocreate5 = Junk autosubscribe = INBOX autosubscribe2 = Sent autosubscribe3 = Trash autosubscribe4 = Drafts autosubscribe5 = Junk quota = dict:user::proxy::quotadict quota_rule = *:storage=1G quota_warning = storage=85%% quota-warning 85 %u quota_warning2 = storage=90%% quota-warning 90 %u quota_warning3 = storage=95%% quota-warning 95 %u sieve = /%Lh/sieve/dovecot.sieve sieve_dir = /%Lh/sieve sieve_global_dir = /var/vmail/sieve sieve_global_path = /var/vmail/sieve/dovecot.sieve } protocols = pop3 imap sieve service auth { unix_listener /var/spool/postfix/dovecot-auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0660 user = vmail } } service dict { unix_listener dict { group = vmail mode = 0660 user = vmail } } service imap-login { process_limit = 500 service_count = 1 } service pop3-login { service_count = 1 } service quota-warning { executable = script /usr/local/bin/dovecot-quota-warning.sh unix_listener quota-warning { group = vmail mode = 0660 user = vmail } } ssl = required ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem ssl_key = </etc/pki/tls/private/iRedMail.key userdb { args = /etc/dovecot/dovecot-mysql.conf driver = sql } verbose_ssl = yes protocol lda { auth_socket_path = /var/run/dovecot/auth-master lda_mailbox_autocreate = yes log_path = /var/log/sieve.log mail_plugins = quota sieve autocreate postmaster_address = root } protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_plugins = quota imap_quota autocreate } protocol pop3 { mail_plugins = quota pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_uidl_format = %08Xu%08Xv } local_name nourcc.com { ssl_ca = </etc/ssl/comodo.ca.crt ssl_cert = </etc/pki/tls/certs/nourcc.com.pem ssl_key = </etc/pki/tls/private/nourcc.com.key } local_name rockmetal-ae.com { ssl_ca = </etc/ssl/comodo.ca.crt ssl_cert = </etc/pki/tls/certs/rockmetal-ae.com.pem ssl_key = </etc/pki/tls/private/rockmetal-ae.com.key } local_name alliance-sir.com { ssl_ca = </etc/ssl/comodo.ca.crt ssl_cert = </etc/pki/tls/certs/alliance-sir.com.pem ssl_key = </etc/pki/tls/private/alliance-sir.com.key }
Here are my certs permissions, just in case: [root@epm certs]# ll /etc/ssl/comodo.ca.crt -rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt [root@epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem -rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem [root@epm certs]# ll /etc/pki/tls/private/nourcc.com.key -rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key
Here is my openssl test output: $ openssl s_client -connect nourcc.com:pop3s CONNECTED(00000003) depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com verify error:num=18:self signed certificate verify return:1 depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com verify return:1 .......................... blah blah blah .........................
so I'm not sure, is there a certain way for doing it that I overlooked?
Thanks.