Geoff Sweet wrote:
[Please do not top-post]
Oh, ok once I added the -CAfile change the cert verifies without issue.
That's because you installed the intermediate cert on your client; this should not be required.
openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify return:1 +OK Dovecot ready.
So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA...
No, you need to properly install and configure dovecot to see the intermediate cert on your server. See: http://www.verisign.com/support/advisories/page_040611.html
The article is quite dated, but might be helpful to you.
-- Sahil Tandon sahil@tandon.net