Apparently the file is not ignored, because when I type a wrong file name in the config, I immediately get an error on startup.
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 19:52, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or a configuration problem that the files were not looked for in the configured path?
Thanks
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 19:13, Marek Greško via dovecot dovecot@dovecot.org wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than the 10-ssl.conf file.
In 10-ssl.conf it is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning for that, I can fix it by configuration: I can overwrite the files in the default paths with the wanted files.
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
I ran ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be the ssl_server_cert_file or the cert_file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org wrote:
Both these commands return the same result as the previous one I posted.
Sent with Proton Mail secure email.
Thursday 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
--
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why is there no certificate present? Is it because dovecot refuses to present it since it thinks it is weak?
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 16:45, Marek Greško marek.gresko@protonmail.com wrote:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Sent with Proton Mail secure email.
Thursday 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required
...
ssl_server {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.server.ec.crt.pem
  key_file = /path/to/your_domain.server.ec.key.pem
  ...
}
ssl_client {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.client.ec.crt.pem
  key_file = /path/to/your_domain.client.ec.key.pem
  ...
}
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
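As an added example that is not part of this thread and not dovecot's own code: the script below does what Aki's two openssl s_client commands do, but with Python's ssl module, and compares the certificate the server actually presents with the cert_file that doveconf -n reports. The script name check_imap_cert.py, the hostname mail.example.com in the usage note, and the line layout assumed for doveconf -n output (one setting per line inside ssl_server { }, closing brace on its own line) are assumptions. It accepts both the prefixed spelling (ssl_server_cert_file) and the unprefixed one (cert_file), since both appear in the thread; it performs the IMAP STARTTLS exchange itself on port 143, which is the step a plain s_client to 143 without -starttls imap skips; and it deliberately does not validate the chain, because a self-signed certificate is the case under discussion.

```python
#!/usr/bin/env python3
"""Added example, not dovecot's code: check that the certificate an IMAP
server presents is the cert_file 'doveconf -n' reports.  Assumed, not from
the thread: doveconf -n prints ssl_server { } one setting per line with
'}' on its own line; the file is PEM; the script name check_imap_cert.py."""
import hashlib
import re
import socket
import ssl
import subprocess
import sys

SSL_SERVER_BLOCK = re.compile(r"^ssl_server\s*\{(.*?)^\}", re.S | re.M)
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def ssl_server_settings(doveconf_output):
    """Settings inside ssl_server { } as {name: value}.  An ssl_server_ prefix
    is dropped (ssl_server_cert_file and cert_file give the same key) and
    commented-out lines are skipped."""
    m = SSL_SERVER_BLOCK.search(doveconf_output)
    settings = {}
    for line in (m.group(1).splitlines() if m else []):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        if name.startswith("ssl_server_"):
            name = name[len("ssl_server_"):]
        settings[name] = value
    return settings


def pem_fingerprint(pem_text):
    """SHA-256 over the DER form of the first certificate in PEM text."""
    m = PEM_CERT.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(m.group(0))).hexdigest()


def _imap_starttls(sock):
    """The plain-text IMAP exchange that must precede TLS on port 143."""
    def read_line():
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    if not read_line().startswith(b"* OK"):
        raise ConnectionError("no IMAP greeting: not a plain-text IMAP port?")
    sock.sendall(b"a1 STARTTLS\r\n")
    line = read_line()
    while not line.startswith(b"a1 "):   # skip untagged lines until our tag answers
        line = read_line()
    if not line.startswith(b"a1 OK"):
        raise ConnectionError("STARTTLS refused: %r" % line)


def presented_fingerprint(host, port, starttls=False, timeout=5):
    """Fingerprint of the leaf certificate the server sends; None if it sends none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # inspecting, not trusting, the certificate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls:
            _imap_starttls(raw)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest() if der else None


def diagnose(configured_fp, presented_fp):
    """'match', 'mismatch', or 'no-cert' when the server presented nothing."""
    if presented_fp is None:
        return "no-cert"
    return "match" if presented_fp == configured_fp else "mismatch"


def main(argv):
    if len(argv) < 3:
        print("usage: check_imap_cert.py HOST PORT [CERT_FILE]", file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    if len(argv) > 3:
        cert_path = argv[3]
    else:                                # ask the running dovecot which file it serves
        out = subprocess.run(["doveconf", "-n"], check=True,
                             capture_output=True, text=True).stdout
        cert_path = ssl_server_settings(out).get("cert_file")
        if not cert_path:
            print("no cert_file inside ssl_server { } in doveconf -n", file=sys.stderr)
            return 1
    with open(cert_path, encoding="ascii") as f:
        configured = pem_fingerprint(f.read())
    try:                                 # 143 needs STARTTLS first; 993 is TLS from byte one
        presented = presented_fingerprint(host, port, starttls=(port == 143))
    except OSError as exc:               # ssl.SSLError is an OSError too
        print("TLS handshake failed: %s" % exc)
        return 1
    verdict = diagnose(configured, presented)
    print("configured %s\npresented  %s\nverdict    %s" % (configured, presented, verdict))
    return 0 if verdict == "match" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the mail host as `python3 check_imap_cert.py mail.example.com 993`, or with port 143 to go through STARTTLS; give an explicit CERT_FILE as the third argument to compare against a specific file, for example the path written in 10-ssl.conf rather than the one doveconf -n reports. A `mismatch` verdict with both fingerprints printed is the quickest way to tell which file dovecot really loaded; `no-cert` or a handshake error means the TLS layer never got as far as sending a certificate, which is the state the s_client output above shows.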