After upgrading from 2.2.28-1~auto+45 to 2.2.29-1~auto+25 I'm getting this:
May 31 16:44:31 mproxy dovecot: auth: Fatal: passdb imap: Cannot verify certificate without ssl_ca_dir or ssl_ca_file setting
May 31 16:44:31 mproxy dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
May 31 16:44:31 mproxy dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=141.42.206.36, lip=141.42.206.11, TLS, session=<ze1A9dJQZ8yNKs4k>
# doveconf -n
# 2.2.devel (215fd61): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (403042e)
# OS: Linux 4.4.0-71-generic x86_64 Ubuntu 16.04.2 LTS
auth_mechanisms = plain login
default_vsz_limit = 1 G
imapc_host = exchange-imap.charite.de
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = no
listen = *,::
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_plugins = mail_log notify
mail_uid = imapproxy
passdb {
  args = host=exchange-imap.charite.de port=993 ssl=imaps
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w userdb_imapc_host=exchange-imap.charite.de userdb_imapc_ssl=imaps userdb_imapc_port=993
  driver = imap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
ssl = required
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/dovecot/dovecot.pem
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = prefetch
}
verbose_proctitle = yes
So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
But alas:
May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
ssl_ca = </etc/ssl/certs/ca-certificates.crt
So what gives?
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt@charite.de | https://www.charite.de
- Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
> So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> But alas:
> May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> ssl_ca = </etc/ssl/certs/ca-certificates.crt
> So what gives?
It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
"Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
-- Ralf Hildebrandt
On May 31, 2017 at 6:10 PM Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> wrote:
> - Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
> > So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> > But alas:
> > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> > ssl_ca = </etc/ssl/certs/ca-certificates.crt
> > So what gives?
>
> It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
> "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
Hi.
passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires an ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.
Aki
- Aki Tuomi <aki.tuomi@dovecot.fi>:
> > > So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> > > But alas:
> > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> > > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> > > ssl_ca = </etc/ssl/certs/ca-certificates.crt
> > > So what gives?
> >
> > It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
> > "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
>
> Hi.
> passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.
I did specify "ssl_ca_file", but then dovecot said "ssl_ca_file has been replaced by ssl_ca = <file" -- so I used that and it wouldn't work either!
-- Ralf Hildebrandt
On June 1, 2017 at 1:42 PM Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> wrote:
> - Aki Tuomi <aki.tuomi@dovecot.fi>:
> > > > So I added ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
> > > > But alas:
> > > > May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file
> > > > Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!
> > > > ssl_ca = </etc/ssl/certs/ca-certificates.crt
> > > > So what gives?
> > >
> > > It seems to be similar to: https://www.dovecot.org/pipermail/dovecot/2017-March/107488.html
> > > "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"
> >
> > Hi.
> > passdb imap was changed to verify remote SSL cert by default (yeah, it kinda didn't do this before). It requires a ssl_ca_file or ssl_ca_dir setting in args. Or you can disable this behaviour with allow_invalid_cert.
>
> I did specify "ssl_ca_file", but then dovecot said "ssl_ca_file has been replaced by ssl_ca = <file" -- so I used that and it wouldn't work either!
>
> -- Ralf Hildebrandt
I meant
passdb {
  driver = imap
  args = ... ssl_ca_file=/path/to/ca
}
Aki
- Aki Tuomi <aki.tuomi@dovecot.fi>:
> I meant
> passdb {
>   driver = imap
>   args = ... ssl_ca_file=/path/to/ca
> }
That doesn't work:
passdb {
  driver = imap
  # Change the line below to reflect the IP address of your Exchange Server.
  args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt
  ...
or
  args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt
both give me:
Jun 2 17:38:19 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca_file
Jun 2 17:38:29 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca
-- Ralf Hildebrandt
- Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
> - Aki Tuomi <aki.tuomi@dovecot.fi>:
> > I meant
> > passdb {
> >   driver = imap
> >   args = ... ssl_ca_file=/path/to/ca
> > }
>
> That doesn't work:
> passdb {
>   driver = imap
>   # Change the line below to reflect the IP address of your Exchange Server.
>   args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt
>   ...
> or
>   args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt
>
> both give me:
> Jun 2 17:38:19 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca_file
> Jun 2 17:38:29 mproxy dovecot: auth: Fatal: passdb imap: Unknown parameter: ssl_ca
Working now with 2.2.30-1~auto+1:
args = host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt
-- Ralf Hildebrandt
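As an added example (not Dovecot's own code), a small Python lint for the passdb imap `args` line that models the 2.2.30 behaviour this thread arrives at: it reproduces the two fatal messages quoted above, rejects the main-config `<file` syntax inside args, and flags the verification-disabling case. The accepted parameter set is limited to the keys the thread shows, and `allow_invalid_cert=yes` is assumed as the value form; both are assumptions of this example.

```python
import os

# Keys the thread shows the passdb imap driver accepting in 2.2.29/2.2.30.
# The real driver knows more; restricting to these is an assumption of this example.
KNOWN_ARGS = {"host", "port", "ssl", "ssl_ca_file", "ssl_ca_dir", "allow_invalid_cert"}

# The two fatal messages quoted in the thread, reproduced verbatim.
MSG_NO_CA = "passdb imap: Cannot verify certificate without ssl_ca_dir or ssl_ca_file setting"
MSG_UNKNOWN = "passdb imap: Unknown parameter: %s"


def parse_args(args):
    """Split a Dovecot 'args = k=v k=v ...' string into an ordered dict."""
    parsed = {}
    for token in args.split():
        key, sep, value = token.partition("=")
        parsed[key] = value if sep else ""
    return parsed


def lint_passdb_imap(args, check_paths=False):
    """Return (level, message), level being 'ok', 'warn' or 'fatal'."""
    a = parse_args(args)
    for key, value in a.items():
        if key not in KNOWN_ARGS:
            return ("fatal", MSG_UNKNOWN % key)
        if value.startswith("<"):
            # "ssl_ca = <file" is main-config syntax; inside args the path is bare.
            return ("fatal", "%s: '<file' syntax is not valid inside passdb args" % key)
    if "ssl" not in a:
        return ("warn", "no ssl= in args: the proxied login would be sent in clear text")
    if a.get("allow_invalid_cert") == "yes":  # =yes assumed; the thread names only the key
        return ("warn", "allow_invalid_cert set: remote certificate is not verified")
    ca = a.get("ssl_ca_file") or a.get("ssl_ca_dir")
    if not ca:
        return ("fatal", MSG_NO_CA)
    if check_paths and not os.path.exists(ca):
        return ("fatal", "CA path from args does not exist: %s" % ca)
    return ("ok", "remote certificate will be verified against %s" % ca)


if __name__ == "__main__":
    # The three args lines from the thread, in the order Ralf tried them.
    for line in (
        "host=exchange-imap.charite.de port=993 ssl=imaps",
        "host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca=</etc/ssl/certs/ca-certificates.crt",
        "host=exchange-imap.charite.de port=993 ssl=imaps ssl_ca_file=/etc/ssl/certs/ca-certificates.crt",
    ):
        print(lint_passdb_imap(line))
```

Pass `check_paths=True` on the proxy host itself to also confirm the CA bundle the args point at actually exists before restarting the auth service.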