Agree with Hugo most root CA have intermidate certificates which should supplied with your server certificate. Otherwise chain won't work and any client don't trust it.
- original message - Subject: Re: [Dovecot] SSL/TLS with Outlook client From: Hugo Monteiro <hugo.monteiro@fct.unl.pt> Date: 14/11/2007 00:14
Eli Sand wrote:
Hugo Monteiro wrote:
Ah ... wildcard certs .. from what i recall, certs issued like *.example.com were not very well accepted by M$ clients. You should test against non wildcard certs and see how it behaves.
Already have and no luck :( My domain is elisand.com and I have tried *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if not, whatever it is is what I tried) and mail.elisand.com which is the smtp/imap server name I use in Outlook. All three yield the same result :(
Eli.
I have taken the liberty to connect to your server, using openssl, i've seen the following:
$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993 CONNECTED(00000003) depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org verify return:1 depth=0 /CN=*.elisand.com verify return:1
Certificate chain 0 s:/CN=*.elisand.com i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
i believe you should change two things. If the name you wish to use on your clients is mail.alisand.com, then the certificate should read CN=mail.elisand.com. Furthermore, it's always a good idea to provide the chaining certificate path on dovecots side. Try using the ssl_ca_file directive on dovecot's configuration.
Regards,
Hugo Monteiro.
-- ci.fct.unl.pt:~# cat .signature
Hugo Monteiro Email : hugo.monteiro@fct.unl.pt Telefone : +351 212948300 Ext.15307
Centro de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.ci.fct.unl.pt apoio@fct.unl.pt
ci.fct.unl.pt:~# _