Hi,
I recognised some funny behaviour on my server. IMAP clients which won't send a Server Name Indication (SNI) sometimes get the wrong certificate. I would expect that those clients always get the default certificate (of my new domain); instead, in about 20 to 50% of connections the certificate of my old domain will be presented. (The sample rate was 3 times 30 connections.)
Clients sending SNI always get the right certificate.
A user informed me that offlineIMAP complains 'CA Cert verifying failed: no matching domain name found in certificate'. So at least offlineIMAP 7.0.12 from Debian stretch won't send SNI; there is a newer version upstream, though.
I myself checked the server's behaviour with openssl:
$ openssl s_client -showcerts -connect IP-address:993
and
$ openssl s_client -showcerts -connect IP-address:993 -servername imap.domain
I'm totally clueless about how this comes about.
Best regards,
Martin Johannes Dauser
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.5 (Maipo)
...
service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 8
  service_count = 0
}
...
ssl = required
# set default cert
ssl_cert =
ssl_key =
...
# set alternative cert for old domain
local_name mail.old.domain {
  ssl_cert =
# set explicit cert for new domain
local_name mail.new.domain {
  ssl_cert =
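The two openssl checks above were run by hand and the 20 to 50% figure was eyeballed over 3 times 30 connections. The script below, an added example that is not part of the original post and not Dovecot's own tooling, repeats the same probe a chosen number of times with and without SNI and tallies which certificate subject the server presented, so the intermittent wrong-certificate behaviour becomes a measurable count rather than an impression. It assumes openssl(1) is installed; host, port, connection count and server name are placeholders passed as arguments (for example `./probe.sh 203.0.113.10 993 30 imap.domain`, where the address is a documentation placeholder). The `-noservername` option is only available on OpenSSL 1.1.1 and later; with an IP literal as the `-connect` host, older versions send no SNI anyway, which is why the original post's first command works. Without arguments the script tallies a constructed sample of s_client output so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post or Dovecot): count which
# certificate subject a TLS server presents over repeated handshakes,
# once without SNI and once with SNI. Assumes openssl(1) is installed.

# probe HOST PORT N [SERVERNAME]: open N TLS connections and emit the
# raw `openssl s_client` output of each, to be piped into tally_subjects.
probe() {
    host=$1; port=$2; n=$3; sni=$4
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ -n "$sni" ]; then
            openssl s_client -connect "$host:$port" -servername "$sni" \
                </dev/null 2>/dev/null
        else
            # -noservername needs OpenSSL 1.1.1+; on older versions an IP
            # literal in -connect already results in no SNI being sent.
            openssl s_client -connect "$host:$port" -noservername \
                </dev/null 2>/dev/null
        fi
        i=$((i + 1))
    done
}

# tally_subjects: read s_client output on stdin and count the "subject="
# line of the server certificate from each handshake. Output is one line
# per distinct subject, "COUNT subject=...", most frequent first.
tally_subjects() {
    grep '^subject=' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# count_connections: number of handshakes seen in the same output.
count_connections() {
    grep -c '^CONNECTED'
}

# Constructed sample of s_client output (three handshakes, one of which
# returned the old domain's certificate), used when no arguments are given.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = mail.old.domain
subject=CN = mail.old.domain
issuer=CN = Example CA
---
CONNECTED(00000003)
depth=0 CN = mail.new.domain
subject=CN = mail.new.domain
issuer=CN = Example CA
---
CONNECTED(00000003)
depth=0 CN = mail.new.domain
subject=CN = mail.new.domain
issuer=CN = Example CA
---'

if [ "$#" -ge 3 ]; then
    echo "== without SNI =="
    out=$(probe "$1" "$2" "$3")
    printf '%s\n' "$out" | count_connections
    printf '%s\n' "$out" | tally_subjects
    if [ -n "$4" ]; then
        echo "== with SNI $4 =="
        out=$(probe "$1" "$2" "$3" "$4")
        printf '%s\n' "$out" | count_connections
        printf '%s\n' "$out" | tally_subjects
    fi
else
    echo "== constructed sample =="
    printf '%s\n' "$SAMPLE_OUTPUT" | count_connections
    printf '%s\n' "$SAMPLE_OUTPUT" | tally_subjects
fi
```

Running it against the real server with, say, 30 connections per mode gives two tallies to compare directly: a correctly working default-certificate selection would show a single subject in the no-SNI run, and any second subject there is the misbehaviour from the post, with its share of connections read straight off the counts.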