Hello Alex
On 14.08.2015 at 19:57, Alexander Dalloz wrote:
> What have you done to exclude that SELinux interferes?
Just some sysinfo: CentOS Linux release 7.1.1503 (Core) (I run yum update every day)
sestatus:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
> Run "ausearch -m avc" to check for AVCs.
There is no indication SELinux is blocking something.
grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log
ausearch -m avc
show no denied messages.
### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####
local mydomain01.tld {
protocol imap { ssl_cert =
}
Sorry the above has some typo errors, forget it.
Ok, this works well:
Configfile: /etc/dovecot/conf.d/10-ssl.conf
protocol imap { ssl_cert =
If I change it to
protocol imap { ssl_cert =
This works well too (I can connect from a Windows box with Mozilla Thunderbird and Microsoft Outlook 2013, IMAP folders are showing, e-mail sending and receiving is working and the logs show no error).
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local imap.mydomain01.tld { protocol imap { ssl_cert =
local imap.mydomain01.tld { protocol imap { ssl_cert =
It throws errors like this "imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/maillog
The certs are each accepted in single-domain mode but fail in multi-domain mode. I have checked whether local_name works (SNI) with the full DNS domain name or just the IP address, but this doesn't show any effect. Multidomainmode of Dovecot is
Notes: The certs are StartSSL domain-validated free certs, pointing to imap.mydomain01.tld and imap.mydomain02.tld. In single-domain mode, as explained above, either of the two certificates is accepted, and Thunderbird and Outlook accept the certs as StartSSL without any warning or error message.
ps:
imap.mydomain01.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
imap.mydomain02.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
ps2: There was a hint on some website that dovecot needs the certs in a single *.pem file because the implementation of SNI and related code "was poorly implemented".
Thanks, Drav
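
Added example, not part of the original message: a Python check of the PEM framing that the "ps" above verifies by eye, extended to byte order marks, label mismatches and base64 decoding of the body. OpenSSL error 0906D06C is "PEM routines:PEM_read_bio:no start line", which is raised when the data handed to the parser contains no BEGIN line. The names `check_pem_key` and `sample_pem` are hypothetical, and the sample key is constructed, not a real key.

```python
import base64
import re

# Labels a private key file may carry (the keys in the message use "RSA PRIVATE KEY").
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def sample_pem(label="RSA PRIVATE KEY"):
    """Constructed sample: correct framing around a 5-byte ASN.1 stub, not a real key."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


def check_pem_key(data: bytes) -> list:
    """Return the framing problems found in a PEM private key; an empty list means none."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte order mark")
        data = data[3:]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["file contains non-ASCII bytes"]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    begins = [i for i, ln in enumerate(lines) if BEGIN_RE.match(ln)]
    if not begins:
        return problems + ["no -----BEGIN ...----- line (OpenSSL: no start line)"]
    start = begins[0]
    label = BEGIN_RE.match(lines[start]).group(1)
    if label not in KEY_LABELS:
        problems.append(f"first PEM block is '{label}', not a private key")
    ends = [i for i in range(start + 1, len(lines)) if END_RE.match(lines[i])]
    if not ends:
        return problems + ["no -----END ...----- line after the BEGIN line"]
    end = ends[0]
    if END_RE.match(lines[end]).group(1) != label:
        problems.append("BEGIN and END labels differ")
    body = [ln for ln in lines[start + 1:end] if ":" not in ln]  # skip Proc-Type/DEK-Info
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        return problems + ["body between the markers is not valid base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with an ASN.1 SEQUENCE (0x30)")
    return problems
```

Run it on the exact bytes the server ends up parsing as the key, for example `check_pem_key(open(path, "rb").read())`.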