I guess what I don't understand is why the IP address approach is more attractive to you, and why you think the "public Internet" path is less good.

Best regards,

A

-- Please excuse my clumbsy thums

On December 21, 2017 12:47:47 AM Joseph Ward <jbwlists@hilltopgroup.com> wrote:

Hi,

I have two servers (HA configuration) on which I'm attempting to get replication working over SSL.  They're at two different sites, but connected via a site-site VPN.

Everything seems to be fine, except that the certificates are not validating as I'm using IP addresses for the sync, as opposed to the public hostnames for which the certificates are valid, and so I get the following error: 

doveadm(user@domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33.

Is there any way to disable the certificate checking/validation for the sync engine? 

( I'm aware of at least a couple of fallback options: -have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert These are both much less palatable than simply disabling the cert validation if it's possible. )

Thank you in advance for any assistance, Joseph

On December 20, 2017 6:46:24 PM EST, Joseph Ward <jbwlists@hilltopgroup.com> wrote:

Hi,

I have two servers (HA configuration) on which I'm attempting to get replication working over SSL.  They're at two different sites, but connected via a site-site VPN.

Everything seems to be fine, except that the certificates are not validating as I'm using IP addresses for the sync, as opposed to the public hostnames for which the certificates are valid, and so I get the following error: 

doveadm(user@domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33.

Is there any way to disable the certificate checking/validation for the sync engine? 

( I'm aware of at least a couple of fallback options: -have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert These are both much less palatable than simply disabling the cert validation if it's possible.

You could add an entry in /etc/hosts (or in your internal DNS system if you have one) that gives the internal IP in response to the public hostname.

--Sean