On May 31, 2017 at 6:10 PM Ralf Hildebrandt Ralf.Hildebrandt@charite.de wrote:

• Ralf Hildebrandt Ralf.Hildebrandt@charite.de:

...

So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt

But alas: May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca =

Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!

ssl_ca =

So what gives?

It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html

"Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | https://www.charite.de

Hi.

passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.

Aki

On June 1, 2017 at 1:42 PM Ralf Hildebrandt Ralf.Hildebrandt@charite.de wrote:

• Aki Tuomi aki.tuomi@dovecot.fi:

...

...

...

So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt

But alas: May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca =

Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!

ssl_ca =

So what gives?

It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html

"Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | https://www.charite.de

Hi.

passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.

I did specify "ssl_ca_file", but then dovecot said "ssl_ca_file has been replaced by ssl_ca =

-- Ralf Hildebrandt

I ment

passdb { driver = imap args = ... ssl_ca_file=/path/to/ca }

Aki

• Ralf Hildebrandt Ralf.Hildebrandt@charite.de:

• Aki Tuomi aki.tuomi@dovecot.fi:

...

I meant

passdb { driver = imap args = ... ssl_ca_file=/path/to/ca }

That doesn't work:

passdb { driver = imap # Change the line below to reflect the IP address of your Exchange Server. args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=

or args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt

both give me:

Jun 2 17:38:19 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca_file

Jun 2 17:38:29 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca

Working now with 2.2.30-1~auto+1: args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | https://www.charite.de