Well. At least I know now the cn overlaps. That should not be a problem but is at least something to pursue. 



---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Martin Johannes Dauser <mdauser@cs.sbg.ac.at>
Date: 24/07/2018 18:03 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: dovecot sometimes sends non-default SSL cert if IMAP client   won't send SNI

Sure, and thanks for trying to help!

These are the two correct answers when SNI is included. The
certificates are fully chained. Both certificates carry the same
subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN).

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at,
DNS:pop.cs.sbg.ac.at

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:mail.cosy.sbg.ac.at,
DNS:smtp.cosy.sbg.ac.at, DNS:imap.cosy.sbg.ac.at,
DNS:pop.cosy.sbg.ac.at

I thought of attaching a file with 13 outputs of command
$ openssl s_client -showcerts -connect 141.201.4.5:993
but this would certainly exceed the limit of 40kb. Anyway, except for
the SSL handshake the outputs exactly meet the two examples a few lines
below.

Statistics: Only connections 10,11,13 showed the default certificate.
So running only a few connections might end up with 100% false certs --
or the other way round.  

OpenSSL itself is always happy, as both certificates fit to the
(r)DNS records of mail.cs.sbg.ac.at/141.201.4.5.

Would it help you to run dovecot in debug mode?


###################################################################
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername
imap.cs.sbg.ac.at


CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AT/ST=Salzburg/L=Salzburg/O=University of
Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIQApnSP3xZbyr6dGTMvuxaSDANBgkqhkiG9w0BAQ0FADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xNzAxMjQwMDAwMDBaFw0yMDAxMjgxMjAwMDBaMIGZMQswCQYDVQQG
EwJBVDERMA8GA1UECBMIU2FsemJ1cmcxETAPBgNVBAcTCFNhbHpidXJnMR8wHQYD
VQQKExZVbml2ZXJzaXR5IG9mIFNhbHpidXJnMScwJQYDVQQLEx5EZXBhcnRtZW50
IG9mIENvbXB1dGVyIFNjaWVuY2UxGjAYBgNVBAMTEW1haWwuY3Muc2JnLmFjLmF0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAus33Jb+HE64oJvBEwpeh
7cwyMAknhE5k/49eUG7/E0j2ffEo1APzxYooZ1hlHcf7meH7h1KYD3lSXw5RX0Mi
KtuUHSUIqYE1U3+pyussB11r18ucHk8MoFQqPnJDeuSPaHozmdQtJJHRVDabddHz
5l4RVEUduUjzl7vnfFrBhbHV/LpYcLMsNgdlg5I0TXU99Y8paMeF32cWiR2dCeyN
t2AajjMpHYRDaJ9DGed8nWOeqK0YRQuaEGF68VBVdygDcOQ0eBflwYEjJChJHhN4
UsQSmwoXYj5ZRvyhcAxxPDYveNhM4oVox67Nvw1AgHz/spaWgJVMKrTU4hFDYcnO
0F6KkumLke0t4IvoLEU7ScAm6d3ttQ5ZBbSIX811kWHC/ddu12AhRiq3y5fN2o3n
6pbRrqljyg4Mu0Tj9UEuwC8bJnCJreo32HQwo82vD1xU8jPUci4UoD21PfkjFssm
qbtwwWs1KAIvX52U79u6CC7hvsPNtCiMK0K6/9jg8OyKMraBWvIUV6YxgnuJZ4Mi
so/OD6uqdpqCYuq5LLZVAVcBu/vGTzfcckkz71nN2eZSO870rnxyHeTWmepQv4nc
gxN49JeReO4zZMio6eC5N9D+SYc5Ae5mS8qyHe/gur6VmbmbWk/vRt/m75lcGLgR
A4FRqRvu+GIWNh0uCP9SlkUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGf9iCAU
J5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBR6nRddyu+D1h42fba+bgkBi6OipzBU
BgNVHREETTBLghFtYWlsLmNzLnNiZy5hYy5hdIIRc210cC5jcy5zYmcuYWMuYXSC
EWltYXAuY3Muc2JnLmFjLmF0ghBwb3AuY3Muc2JnLmFjLmF0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAv
oC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmww
L6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3Js
MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMG4GCCsGAQUFBwEBBGIwYDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMDgGCCsGAQUFBzAC
hixodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNydDAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQA6Xbkobv3hQAr532wf0NsZ
kYErQebiMLCrKDAhtLc7Z/bO/srUgOs0x9uoIU5ErjLnPcWrPK0eFQevjZ+6CUry
NgAcf6f1z9g1IejuapXb6F41YAteJzo+QkvAtQFkOaq9AADXNo6iIOIDyE1M8hWW
W0gcwx6h4+UUSLac0LN/i+Q2LcHa6fg/kH59Yt2oIzkJrVRSHn11R8iUHiLgW3X2
XL9BgCZHqI8t3OaJpXLHmvA0pKDIvjFK9+CDcXZWQbZyLlMzGxVyrZfK+rBjL05h
QQ3CTy9JJ3/1//AD1mSgog3qSejMQ7ZK01ZZv4lDoEU8ADGFA6VKlV/CiaYz5Ztk
-----END CERTIFICATE-----
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-----BEGIN CERTIFICATE-----

MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/ST=Salzburg/L=Salzburg/O=University of
Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4882 bytes and written 360 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
E75B0B35DFEFC9F6CABD8851BAA4B2A2E2AE309E3A203333C7CD9CCC4AE0C9A6
    Session-ID-ctx: 
    Master-Key:
2D90C5223EB2265793E990153B3877E07B8FF1DCED85EB3A8FC853E3CE4E1C9A5BFF1FA
7123D7FB1CAC517A42DED5E70
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 74 4a 71 29 b0 9a 0b 9a-36 5d a4 5d 3c 03 25
5e   tJq)....6].]<.%^
    0010 - d2 4c 0b 9d ef b8 ef 04-44 d1 d1 8e d2 60 2d
5f   .L......D....`-_
    0020 - 81 67 f6 62 e4 7d 4a 15-17 fa 03 a1 3b 81 70
43   .g.b.}J.....;.pC
    0030 - b2 0a 40 ce 7e c1 a7 de-7a 3e ba 01 9f 4b da
cd   ..@.~...z>...K..
    0040 - 6c 22 a2 63 5d b6 22 5c-fd 75 6b 25 f0 9c 04
a8   l".c]."\.uk%....
    0050 - 36 cb df b0 56 e9 3c 35-a3 0c d1 76 e3 4c c5
62   6...V.<5...v.L.b
    0060 - 9f 79 0b 0d fe 88 25 97-d5 d5 3d 93 ac 52 52
eb   .y....%...=..RR.
    0070 - d6 9f ba b4 b3 a1 ba 91-37 e9 ad 83 92 39 ec
f9   ........7....9..
    0080 - 1b 0c 15 3b 07 e5 11 36-b1 8f de d0 b2 69 13
5e   ...;...6.....i.^
    0090 - 98 77 46 d0 11 27 72 25-d1 ab 43 a4 14 7f 02
6c   .wF..'r%..C....l
    00a0 - cd a5 56 6a 13 12 3f ff-ad 0f 59 4b 7a 72 d5
0b   ..Vj..?...YKzr..

    Start Time: 1532434946
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.



###################################################################
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername
imap.cosy.sbg.ac.at

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of
Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-----BEGIN CERTIFICATE-----
MIIIATCCBumgAwIBAgIQAmDFTQk2675Y0/0vo5hcIDANBgkqhkiG9w0BAQsFADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xODA3MTgwMDAwMDBaFw0yMDA3MjIxMjAwMDBaMIGGMQswCQYDVQQG
EwJBVDERMA8GA1UEBxMIU2FsemJ1cmcxHzAdBgNVBAoTFlVuaXZlcnNpdHkgb2Yg
U2FsemJ1cmcxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5j
ZTEaMBgGA1UEAxMRbWFpbC5jcy5zYmcuYWMuYXQwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDulmTg3+JDxZr0uEsxr9521HV+Qja0/+gcQE1UlWe2Tx4V
iHx6GtqOSSyDl8vTPvmCv/ethTaGQVFZLWOGK8mvUkNqO0PpzcrucuvO8nyycjWE
TWsthWkCK0uIg1ivyWji1gn53XjattDAjbaLCHNKVne3KoD0hM0nNJF56zyv7QSJ
xh6HWAHNRb2Uc6R24vmCWdXh8/I5Cs4fHUpi9RQ8Qtw3C6W8JXOfdJ30uEOzHM0d
a1lh6eYc+kDQHSdyLc6l7T0/Mm8i0WbbHWk2V5LPEyuqFcbjg9xfX5W2TboJun28
0qog2UWT+Ofo20kRzcVQZKcw3xi7Q0avi0IkIckC8rqfZp67gPKp0/q4arYpK15d
n7jwz14lJ4xu9a/OWGdVKJ0pW3ydaKNwreFdGpHuhZ2VAJOzTK3N/7luBD0Qb1PW
vV232kZBkUPGKsJJ9DLDgnzzqYZChM460lbOS7M7CtQW+1doXF3COK8R0X9nrNht
tNMDEJlysuytFWX7mq1FeRxS2/eFEkeT3wiIRKLO/ZPdM++mKAyJJd4Ouob+pyfh
nsnzSAdNQsTZFE3OSnWkE3wFepzddBa4FXrw3Q5zPA1BXIZ8v5ARUeAr/Rnmq6ED
svLhopD/ixAXIFJFCNTrpxwxCgHanvR+hshkr/ydJyxRmlJz2UT3nbpnPXhzMwID
AQABo4IDijCCA4YwHwYDVR0jBBgwFoAUZ/2IIBQnmMcJ0iUZu+lREWN1UGIwHQYD
VR0OBBYEFAM1hJQoRxwTpqH9lz3lXpZdAN7vMFoGA1UdEQRTMFGCEW1haWwuY3Mu
c2JnLmFjLmF0ghNtYWlsLmNvc3kuc2JnLmFjLmF0ghNpbWFwLmNvc3kuc2JnLmFj
LmF0ghJwb3AuY29zeS5zYmcuYWMuYXQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8v
Y3JsMy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDAvoC2gK4YpaHR0cDov
L2NybDQuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmwwTAYDVR0gBEUwQzA3
BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQu
Y29tL0NQUzAIBgZngQwBAgIwbgYIKwYBBQUHAQEEYjBgMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYWNl
cnRzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3J0MAwGA1UdEwEB/wQCMAAw
ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AKS5CZC0GFgUh7sTosxncAo8NZgE
+RvfuON3zQ7IDdwQAAABZK3JdOIAAAQDAEcwRQIgZQUkCneHZEcXfC1yumvuTMIJ
MKf3GFGUanmHYO4l2NQCIQCuOkt7wI4HvMWr+jhq3PfM/GfPr03POT0WHaBx8Eug
CQB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABZK3JdZ4AAAQD
AEcwRQIhAMIyrqtbop76t3oH3TpEHjxJdb/abztkdE2dhDhSX+yNAiBpMlZSeCKH
t94VtRIgVeYX1iQoj+z3dicgh/ZpdfBEwwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UK
q1LoGpCWZDaOHtGFAAABZK3JdbEAAAQDAEcwRQIhAIHVyGRqGMI9IV1ZsGcXl16+
jtVT0Z77Ky2CgoPTW915AiBHqCxvZUfu8Hpjs78JGLIKS/Vf1c+h/GBfs0FJFKzt
fjANBgkqhkiG9w0BAQsFAAOCAQEAMJAGj8Vh6fuWdQFHHJ5pjX3uQ6GQwAVnnmbS
IWLO0pcD7niy4IDeF/Q4Bwx9U4M12SImZr61UL0JL9UYy82xeSDEMReTbC83Ghug
aTTTrfHJjjH3/T69mFRjUHtsYhZVIoLlm0T+K4FiBMuaNSz09r0PmTHRpBdsPjwU
42ONsdcyI/nlaalzvNsG/JorNn2oG3zU9n7T4iXcMeIQqCzaBEVQKUi7zfeOuBk1
epA6679yxLTMsMpzd0xaXAZ4tlh7Cs7ozQwRCe4ZNQTmrtfTZ0od+6xLUpvTJylp
Yvc4n6jGgk8UrgkPTeloOnhuunZ9HNPaL8gBGCpvPwbJzfHJXg==
-----END CERTIFICATE-----
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-----BEGIN CERTIFICATE-----
MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of
Computer Science/CN=mail.cs.sbg.ac.at
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5255 bytes and written 362 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
1F74E0FB2AC74C65A4C68CAE898C305C6DB245A3566078A6C85E74572593951B
    Session-ID-ctx: 
    Master-Key:
C6CEE7B44A640152E71EB72172DEC4DCD0604585A9D38427AA6E4604E4B8351458B648D
7010D8757924DDB82EC181585
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b2 8f ed 2a fc 9a f8 4e-4b aa b8 9e 56 e1 01
95   ...*...NK...V...
    0010 - 3d 9b 01 c4 b6 dc 64 0a-9c 1a be 5d a4 7f f0
c9   =.....d....]....
    0020 - 12 d8 f0 94 f3 8c 92 7f-b8 fa f9 cd 60 e0 21
e8   ............`.!.
    0030 - d3 63 77 65 6f e7 ec 04-09 b4 f2 bb df cd 6d
10   .cweo.........m.
    0040 - dd 1a 87 fb c1 b7 de 89-f2 05 0f 70 3b 0d ef
62   ...........p;..b
    0050 - d4 60 f7 54 1b 38 bf d9-8f f7 81 56 1f 61 2d
b6   .`.T.8.....V.a-.
    0060 - f4 06 f1 e3 ba 65 95 95-d0 6b dd 92 39 30 1f
e2   .....e...k..90..
    0070 - 6e 60 6e 39 d6 51 ed a4-ae 8e 4a b6 ae 3e d6
77   n`n9.Q....J..>.w
    0080 - d9 f9 5d d6 fc b1 a5 89-94 e9 4b c5 cb 39 24
3c   ..].......K..9$<
    0090 - 65 06 81 56 0b 16 d5 b6-a2 34 11 ea 18 c9 a3
6a   e..V.....4.....j
    00a0 - ae a7 62 75 f4 5b 37 31-6f f4 56 26 06 78 2c
62   ..bu.[71o.V&.x,b

    Start Time: 1532434962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.



On Mon, 2018-07-23 at 10:05 +0300, Aki Tuomi wrote:
> Can you provide some details on what those openssl commands returned?
>
> Aki
>
>
> On 20.07.2018 12:14, Martin Johannes Dauser wrote:
> > Hi,
> >
> > I recognised some funny behaviour on my server. IMAP clients which
> > won't send an Server Name Indication (SNI) sometimes get the wrong
> > certificate. I would expect that those clients always get the
> > default
> > certificate (of my new domain), instead in about 20 to 50% of
> > connections the certificate of my old domain will be presented.
> > (sample rate was 3 times 30 connections)
> >
> > Clients sending SNI always get the right certificate.
> >
> > A user informed me that offlineIMAP complains 
> > 'CA Cert verifying failed:
> >    no matching domain name found in certificate'
> > So at least offlineIMAP 7.0.12 from Debain stretch won't send SNI,
> > there is a newer version upstream though.
> >
> >
> > I myself checked the server's behaviour with openssl:
> >
> > $ openssl s_client -showcerts -connect IP-address:993
> >
> > and
> >
> > $ openssl s_client -showcerts -connect IP-address:993 -servername
> > imap.domain
> >
> >
> > I'm totally clueless about how come.
> >
> > Best regards
> > Martin Johannes Dauser
> >
> >
> >
> >
> > # 2.2.10: /etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux
> > Server release 7.5 (Maipo) 
> >
> > ...
> >
> > service imap-login {
> >   inet_listener imap {
> >     address = 127.0.0.1
> >     port = 143
> >   }
> >   inet_listener imaps {
> >     port = 993
> >     ssl = yes
> >   }
> >   process_min_avail = 8
> >   service_count = 0
> > }
> >
> > ...
> >
> > ssl = required
> > # set default cert
> > ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
> > ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-
> > SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1
> >
> > ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> > ssl_protocols = !SSLv2 !SSLv3
> >
> > ...
> >
> > # set alternativ cert for old domain
> > local_name mail.old.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> > }
> > local_name imap.old.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> > }
> > local_name pop.old.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> > }
> >
> > # set explicit cert for new domain
> > local_name mail.new.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_new_doman.key
> > }
> > local_name imap.new.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> > }
> > local_name pop.new.domain {
> >   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
> >   ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> > }
> >
> >
> >
>
>