Hi,

I'm about to move all mailboxes from an old machine - running Dovecot 2.2.13 - to a new machine - running Dovecot 2.3.13 (89f716dc2). Cause the new machine is in a different location I must use SSL encryption.

I followed the guide's I found, but I stuck on certificate verification:

$ doveadm backup -Ru <user> tcps:<host>:12354 doveadm(<user>): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?) doveadm(<user>): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?) doveadm(<user>): Error: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)

On port 12354 the server sends an incomplete certificate chain, whereas on port 993 everything is fine.

I read that the settings

• ssl_client_ca_dir
• ssl_client_ca_file

are not used on certificate verification for port 12354, one should use the setting

ssl_ca

Here are the non-default setting on the client side:

$ dovecot -n # 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.13 (cdd19fe3) # OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.1 ... ssl_ca =

According to

https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/

the setting

ssl_ca

should contain

Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL

But how do I build this file? I tried root certificate, root + intermediate certificate and root + intermediate + signed certificate. None of them made it work... I'm completely stuck on how to make certificate verification work.

Can anyone give me a hint? Thanks in advance.