Hello,
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
I tweaked the configuration, dovecot starts, but when client is trying to connect to imap, I get:
imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): error:0A00018F:SSL routines ::ee key too small:
I tried replacing 2048 bits RSA with 4096 bits RSA, I tried to not use the dh.pem file (I read somewhere it is not needed any more), I deleted /var/lib/dovecot/ssl-parameters.dat file, but still the same error.
Where should I look next?
My ssl config:
ssl = required
#ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server {
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /somewhere/dovecot.pem
  ssl_server_key_file = /somewhere/dovecot.pem
  prefer_ciphers = server
}
ssl_min_protocol = TLSv1.2
ssl_cipher_list = PROFILE=SYSTEM
#ssl_verify_client_cert = no
#ssl_prefer_server_ciphers = no
Thanks
Marek
I forgot to mention the certificate is signed by my private root certification authority. Could this be related? Should the authority certificate be configured somewhere in dovecot?
Thanks
Marek
On Thursday, 20 November 2025, 15:42, Marek Greško <marek.gresko@protonmail.com> wrote:
> Hello,
> after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> I tweaked the configuration, dovecot starts, but when client is trying to connect to imap, I get:
> imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): error:0A00018F:SSL routines ::ee key too small:
> I tried replacing 2048 bits RSA with 4096 bits RSA, I tried to not use the dh.pem file (I read somewhere it is not needed any more), I deleted /var/lib/dovecot/ssl-parameters.dat file, but still the same error.
> Where should I look next?
> My ssl config:
> ssl = required
> #ssl_server_dh_file = /etc/dovecot/dh.pem
> ssl_server {
>   #ssl_server_dh_file = /etc/dovecot/dh.pem
>   ssl_server_cert_file = /somewhere/dovecot.pem
>   ssl_server_key_file = /somewhere/dovecot.pem
>   prefer_ciphers = server
> }
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = PROFILE=SYSTEM
> #ssl_verify_client_cert = no
> #ssl_prefer_server_ciphers = no
> Thanks
> Marek
You have to put full chain in the cert
Including root CA?
Marek
On Thursday, 20 November 2025, 15:51, Marc <Marc@f1-outsourcing.eu> wrote:
> You have to put full chain in the cert
I tried even with root ca and the same result.
Marek
On Thursday, 20 November 2025, 16:04, Marek Greško <marek.gresko@protonmail.com> wrote:
> Including root CA?
> Marek
Hi!
Your private key must be large enough.
Aki
On 20/11/2025 17:07 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
> I tried even with root ca and the same result.
> Marek
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
Hello,
my private key is 4096 bit.
I added also ca_file = /etc/pki/tls/certs/cacert.pem, but it did not help either.
Marek
On Thursday, 20 November 2025, 16:27, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> Hi!
> Your private key must be large enough.
> Aki
> after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the _need_ to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required
...
ssl_server {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.server.ec.crt.pem
  key_file = /path/to/your_domain.server.ec.key.pem
  ...
}
ssl_client {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.client.ec.crt.pem
  key_file = /path/to/your_domain.client.ec.key.pem
  ...
}
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
On Thursday, 20 November 2025, 16:13, pgnd <pgnd@dev-mail.net> wrote:
>> after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
>> Should the authority certificate be configured somewhere in dovecot?
> start with a thorough read of
> https://doc.dovecot.org/2.4.2/core/config/ssl.html
> if using self-signed certs, you'll end up with something similar to
> ssl = required
> ...
> ssl_server {
>   ca_file = /path/to/your_CA.crt.pem
>   cert_file = /path/to/your_domain.server.ec.crt.pem
>   key_file = /path/to/your_domain.server.ec.key.pem
>   ...
> }
> ssl_client {
>   ca_file = /path/to/your_CA.crt.pem
>   cert_file = /path/to/your_domain.client.ec.crt.pem
>   key_file = /path/to/your_domain.client.ec.key.pem
>   ...
> }
When trying openssl s_client to port 143, I get:
no peer certificate available
--
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
Marek
On Thursday, 20 November 2025, 16:45, Marek Greško <marek.gresko@protonmail.com> wrote:
> Hello,
> I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
> Any other suggestion?
> I still cannot imagine what could be the cause.
> Thanks
> Marek
> When trying openssl s_client to port 143
show the command you're using
what's the bit-depth of your self-signed cert?
you are forcing
ssl_cipher_list = PROFILE=SYSTEM
on that system, what's the output of
update-crypto-policies --show
?
check whatever policy your system's got defined
grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol
for minimum param size reqt's
openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect redacted.fqdn:143
bit depth of the certificate is 4096. Bit depth of the root ca is 4096, no intermediate ca here.
ssl_cipher_list = PROFILE=SYSTEM
update-crypto-policies --show
DEFAULT:DISABLE-MY-WEAK
the MY-WEAK is:
cipher = -CHACHA20-POLY1305
mac@SSH = -HMAC-SHA1 -UMAC-128
etm@SSH = DISABLE_ETM
group = -SECP521R1
But with DEFAULT only it is the same result.
On:
grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol
it seems I am fulfilling all the requirements.
Could it be dovecot is not loading the certificate at all?
Marek
On Thursday, 20 November 2025, 17:04, pgnd <pgnd@dev-mail.net> wrote:
>> When trying openssl s_client to port 143
> show the command you're using
> what's the bit-depth of your self-signed cert?
> you are forcing
> ssl_cipher_list = PROFILE=SYSTEM
> on that system, what's the output of
> update-crypto-policies --show
> ?
> check whatever policy your system's got defined
> grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol
> for minimum param size reqt's
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
> When trying openssl s_client to port 143, I get:
> no peer certificate available
> --
> No client certificate CA names sent
> Negotiated TLS1.3 group: <NULL>
> ---
> SSL handshake has read 5 bytes and written 1556 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Protocol: TLSv1.3
> This TLS version forbids renegotiation.
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
> Marek
Both these commands return the same result as the previous one I posted.
On Thursday, 20 November 2025, 17:07, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> either do
> openssl s_client -connect host:993
> or
> openssl s_client -connect host:143 -starttls imap
> Aki
I ran ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot <dovecot@dovecot.org> wrote:
> Both these commands return the same result as the previous one I posted.
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com napísal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes Verification: OK
New, (NONE), Cipher is (NONE) Protocol: TLSv1.3 This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
Marek
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 16:45, Marek Greško marek.gresko@protonmail.com napísal/a:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 20. novembra 2025, 16:13, pgnd pgnd@dev-mail.net napísal/a:
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required ... ssl_server { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.server.ec.crt.pem key_file = /path/to/your_domain.server.ec.key.pem ... } ssl_client { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.client.ec.crt.pem key_file = /path/to/your_domain.client.ec.key.pem ... }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org Both these command return same result as the previous I posted.
Odoslane pomocou bezpecneho emailu [1]Proton Mail. stvrtok 20. novembra 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com
napisal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Gresko via dovecot <[2]dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes Verification: OK
New, (NONE), Cipher is (NONE) Protocol: TLSv1.3 This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:45, Marek Gresko <[3]marek.gresko@protonmail.com> napisal/a:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Gresko via dovecot <dovecot@dovecot.org> wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sure.
M.
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
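The comparison described in the message above (the paths written in 10-ssl.conf against what doveconf -n reports), as an added example that is not part of the original thread. The doveconf -n sample and its paths are constructed, and treating `cert_file` inside `ssl_server { }` as the same setting as `ssl_server_cert_file` is an assumption based on the two spellings used in the thread.

```python
"""Compare TLS file paths written in a Dovecot config with doveconf -n output."""
import re

# File-path settings named in the thread, in their prefixed spelling.
TLS_FILE_SETTINGS = (
    "ssl_server_ca_file",
    "ssl_server_cert_file",
    "ssl_server_key_file",
    "ssl_server_dh_file",
)

_ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
_BLOCK_OPEN = re.compile(r"^([A-Za-z0-9_]+)(?:\s+\S+)?\s*\{$")

# The ssl_server block as posted in the thread (10-ssl.conf).
WRITTEN_10_SSL_CONF = """\
ssl = required
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  request_client_cert = no
}
"""

# Constructed stand-in for `doveconf -n` output; the thread does not show
# the paths it reported, so these are placeholders.
EFFECTIVE_DOVECONF_N = """\
ssl = required
ssl_server {
  cert_file = /constructed/other/dovecot-cert.pem
  key_file = /constructed/other/dovecot-key.pem
}
"""


def parse_settings(text):
    """Flatten Dovecot-style config text into {full_setting_name: value}.

    Assumption: inside `ssl_server { ... }` the short name `cert_file` and
    the prefixed name `ssl_server_cert_file` refer to the same setting, and
    a later assignment replaces an earlier one.
    """
    settings = {}
    stack = []  # names of the blocks currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line
        if line == "}":
            if stack:
                stack.pop()
            continue
        opened = _BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        assigned = _ASSIGN.match(line)
        if not assigned:
            continue  # anything else (e.g. an elided "...") is ignored
        name, value = assigned.group(1), assigned.group(2).strip()
        if stack:
            prefix = stack[-1] + "_"
            if not name.startswith(prefix):
                name = prefix + name
        settings[name] = value
    return settings


def diff_tls_paths(written_text, effective_text):
    """Return {setting: (written, effective)} for TLS file paths that differ."""
    written = parse_settings(written_text)
    effective = parse_settings(effective_text)
    mismatches = {}
    for name in TLS_FILE_SETTINGS:
        wanted, loaded = written.get(name), effective.get(name)
        if wanted is not None and wanted != loaded:
            mismatches[name] = (wanted, loaded)
    return mismatches


if __name__ == "__main__":
    for name, (wanted, loaded) in diff_tls_paths(
        WRITTEN_10_SSL_CONF, EFFECTIVE_DOVECONF_N
    ).items():
        print(f"{name}: written={wanted} effective={loaded}")
```

Any setting it lists is one where the running configuration points at a different file than the one that was edited, so the certificate to inspect for key size is the effective one.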
3. mailto:[20]marek.gresko@protonmail.com
4. mailto:[21]pgnd@dev-mail.net
5. [22]https://doc.dovecot.org/2.4.2/core/config/ssl.html
6. mailto:[23]dovecot@dovecot.org
7. mailto:[24]dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [25]dovecot@dovecot.org
To unsubscribe send an email to [26]dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [27]dovecot@dovecot.org
To unsubscribe send an email to [28]dovecot-leave@dovecot.org
References
Visible links
- https://proton.me/mail/home
- mailto:dovecot@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:aki.tuomi@open-xchange.com
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:aki.tuomi@open-xchange.com
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- https://proton.me/mail/home
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot <dovecot@dovecot.org> wrote:
Both of these commands return the same result as the previous one I posted.
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:07, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:45, Marek Greško <marek.gresko@protonmail.com> wrote:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:13, pgnd <pgnd@dev-mail.net> wrote:
>> after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
>
> imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
>
>> Should the authority certificate be configured somewhere in dovecot?
>
> start with a thorough read of
>
> https://doc.dovecot.org/2.4.2/core/config/ssl.html
>
> if using self-signed certs, you'll end up with something similar to
>
> ssl = required
> ...
> ssl_server {
> ca_file = /path/to/your_CA.crt.pem
> cert_file = /path/to/your_domain.server.ec.crt.pem
> key_file = /path/to/your_domain.server.ec.key.pem
> ...
> }
> ssl_client {
> ca_file = /path/to/your_CA.crt.pem
> cert_file = /path/to/your_domain.client.ec.crt.pem
> key_file = /path/to/your_domain.client.ec.key.pem
> ...
> }
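The comparison described in the message above (what 10-ssl.conf sets versus what doveconf -n reports), as an added example that is not part of the original thread and not Dovecot's own code. The function names are hypothetical, the doveconf -n text and its /placeholder paths are constructed, and it assumes that inside an unnamed block such as ssl_server { ... } the short and the prefixed setting names refer to the same setting.

```python
"""Compare the settings written in one Dovecot config file with the
effective settings printed by `doveconf -n` (sample texts embedded below)."""


def _full_name(stack, key):
    # Assumption: inside an unnamed block such as `ssl_server { ... }`,
    # `cert_file` and `ssl_server_cert_file` name the same setting.
    name = key
    for block in reversed(stack):
        if " " in block:                       # named block, e.g. "service imap-login"
            name = f"{block}/{name}"
        elif not name.startswith(block + "_"):
            name = f"{block}_{name}"
    return name


def flatten(text):
    """Return {setting_name: value} for a Dovecot-style config text.

    Comment lines (#) and include directives (!...) are skipped;
    include directives are not followed.
    """
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[_full_name(stack, key.strip())] = value.strip()
    return settings


def compare(file_text, effective_text):
    """Return (differing, absent) for settings the file asks for.

    differing: {name: (value_in_file, effective_value)}
    absent:    names missing from the effective text. `doveconf -n` prints
               only non-default settings, so an absent name is either at its
               default value or was never loaded.
    """
    want, have = flatten(file_text), flatten(effective_text)
    differing = {k: (v, have[k]) for k, v in want.items()
                 if k in have and have[k] != v}
    absent = sorted(k for k in want if k not in have)
    return differing, absent


# The ssl_server block quoted in the message above.
SSL_CONF = """
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
"""

# Constructed stand-in for `doveconf -n` output; the paths are placeholders.
EFFECTIVE = """
# constructed sample
ssl = required
ssl_server {
  cert_file = /placeholder/default/cert.pem
  key_file = /placeholder/default/key.pem
}
"""

if __name__ == "__main__":
    differing, absent = compare(SSL_CONF, EFFECTIVE)
    for name, (wanted, actual) in differing.items():
        print(f"DIFFERS {name}: file={wanted} effective={actual}")
    for name in absent:
        print(f"ABSENT  {name}")
```

On a live system the second argument would be the captured output of doveconf -n. Any DIFFERS line means the file's value is not the one in effect.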
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or configuration problem the files were not searched in configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot <dovecot@dovecot.org> wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot <dovecot@dovecot.org> wrote:
Both of these commands return the same result as the previous one I posted.
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:07, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:45, Marek Greško <marek.gresko@protonmail.com> wrote:
> Hello,
>
> I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
>
> Any other suggestion?
>
> I still cannot imagine what could be the cause.
>
> Thanks
>
> Marek
>
> Sent with Proton Mail secure email.
>
> On Thursday, 20 November 2025, 16:13, pgnd <pgnd@dev-mail.net> wrote:
>
> > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> >
> > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> >
> > > Should the authority certificate be configured somewhere in dovecot?
> >
> > start with a thorough read of
> >
> > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> >
> > if using self-signed certs, you'll end up with something similar to
> >
> > ssl = required
> > ...
> > ssl_server {
> > ca_file = /path/to/your_CA.crt.pem
> > cert_file = /path/to/your_domain.server.ec.crt.pem
> > key_file = /path/to/your_domain.server.ec.key.pem
> > ...
> > }
> > ssl_client {
> > ca_file = /path/to/your_CA.crt.pem
> > cert_file = /path/to/your_domain.client.ec.crt.pem
> > key_file = /path/to/your_domain.client.ec.key.pem
> > ...
> > }
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or configuration problem the files were not searched in configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot <dovecot@dovecot.org> wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org wrote:
Both these commands return same result as the previous I posted.
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
> On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
> When trying openssl s_client to port 143, I get:
> no peer certificate available
> --
> No client certificate CA names sent
> Negotiated TLS1.3 group: <NULL>
> ---
> SSL handshake has read 5 bytes and written 1556 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Protocol: TLSv1.3
> This TLS version forbids renegotiation.
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
> Marek
> Sent with Proton Mail secure email.
> On Thursday, 20 November 2025, 16:45, Marek Greško marek.gresko@protonmail.com wrote:
> > Hello,
> > I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
> > Any other suggestion?
> > I still cannot imagine what could be the cause.
> > Thanks
> > Marek
> > Sent with Proton Mail secure email.
> > On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> > > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> > > > Should the authority certificate be configured somewhere in dovecot?
> > > start with a thorough read of
> > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > if using self-signed certs, you'll end up with something similar to
> > > ssl = required
> > > ...
> > > ssl_server {
> > >   ca_file = /path/to/your_CA.crt.pem
> > >   cert_file = /path/to/your_domain.server.ec.crt.pem
> > >   key_file = /path/to/your_domain.server.ec.key.pem
> > >   ...
> > > }
> > > ssl_client {
> > >   ca_file = /path/to/your_CA.crt.pem
> > >   cert_file = /path/to/your_domain.client.ec.crt.pem
> > >   key_file = /path/to/your_domain.client.ec.key.pem
> > >   ...
> > > }
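An added example, not part of any message in this thread: a small Python helper that reads `openssl s_client` output like the one quoted above and reports whether a handshake actually completed, since "Verification: OK" and "Verify return code: 0 (ok)" also appear when no certificate was received. The first sample is the output quoted in the thread; the second sample, the name `summarize` and the 47-byte threshold are assumptions made for this illustration.

```python
import re

# s_client output as quoted in the thread: the server aborted the handshake.
FAILED_OUTPUT = """\
no peer certificate available
--
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
"""

# Constructed sample of a completed handshake, for contrast (values are made up).
COMPLETED_OUTPUT = """\
Certificate chain
 0 s:CN = mail.example.test
   i:CN = Example Test CA
---
Server certificate
subject=CN = mail.example.test
issuer=CN = Example Test CA
---
SSL handshake has read 1432 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Verify return code: 0 (ok)
"""

HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CIPHER_RE = re.compile(r"Cipher is (\S+)")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")

# Assumption (heuristic): the smallest possible ServerHello record is
# 5 (record header) + 4 (handshake header) + 2 + 32 + 1 + 2 + 1 = 47 bytes,
# so a reply shorter than that cannot contain one.
MIN_SERVER_HELLO = 47


def summarize(output):
    """Extract the handshake facts from s_client output and explain a failure."""
    hs = HANDSHAKE_RE.search(output)
    cipher = CIPHER_RE.search(output)
    verify = VERIFY_RE.search(output)
    result = {
        "peer_cert": ("no peer certificate available" not in output
                      and "Server certificate" in output),
        "cipher": cipher.group(1) if cipher else None,
        "bytes_read": int(hs.group(1)) if hs else None,
        "bytes_written": int(hs.group(2)) if hs else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "notes": [],
    }
    result["handshake_completed"] = bool(
        result["peer_cert"] and result["cipher"] not in (None, "(NONE)")
    )
    if not result["handshake_completed"]:
        result["notes"].append(
            "handshake did not complete: no server certificate, no cipher negotiated")
        if result["verify_code"] == 0:
            result["notes"].append(
                "verify return code 0 is not a pass: there was no certificate to verify")
        if result["bytes_read"] is not None and result["bytes_read"] < MIN_SERVER_HELLO:
            result["notes"].append(
                "server sent %d bytes, too few for a ServerHello: it gave up right "
                "after the ClientHello, so the reason is in the server's own log"
                % result["bytes_read"])
    return result


if __name__ == "__main__":
    for name, sample in (("thread", FAILED_OUTPUT), ("constructed", COMPLETED_OUTPUT)):
        summary = summarize(sample)
        print(name, "completed" if summary["handshake_completed"] else "FAILED")
        for note in summary["notes"]:
            print("  -", note)
```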
Apparently, the file is not ignored, because when I type wrong file name in the config, I immediately get error on startup.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:52, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or configuration problem the files were not searched in configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot dovecot@dovecot.org wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org wrote:
Both these commands return same result as the previous I posted.
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
> either do
> openssl s_client -connect host:993
> or
> openssl s_client -connect host:143 -starttls imap
> Aki
> > On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
> > When trying openssl s_client to port 143, I get:
> > no peer certificate available
> > --
> > No client certificate CA names sent
> > Negotiated TLS1.3 group: <NULL>
> > ---
> > SSL handshake has read 5 bytes and written 1556 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Protocol: TLSv1.3
> > This TLS version forbids renegotiation.
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
> > Marek
> > Sent with Proton Mail secure email.
> > On Thursday, 20 November 2025, 16:45, Marek Greško marek.gresko@protonmail.com wrote:
> > > Hello,
> > > I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
> > > Any other suggestion?
> > > I still cannot imagine what could be the cause.
> > > Thanks
> > > Marek
> > > Sent with Proton Mail secure email.
> > > On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> > > > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> > > > > Should the authority certificate be configured somewhere in dovecot?
> > > > start with a thorough read of
> > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > if using self-signed certs, you'll end up with something similar to
> > > > ssl = required
> > > > ...
> > > > ssl_server {
> > > >   ca_file = /path/to/your_CA.crt.pem
> > > >   cert_file = /path/to/your_domain.server.ec.crt.pem
> > > >   key_file = /path/to/your_domain.server.ec.key.pem
> > > >   ...
> > > > }
> > > > ssl_client {
> > > >   ca_file = /path/to/your_CA.crt.pem
> > > >   cert_file = /path/to/your_domain.client.ec.crt.pem
> > > >   key_file = /path/to/your_domain.client.ec.key.pem
> > > >   ...
> > > > }
SELinux?
Marek Greško via dovecot <dovecot@dovecot.org> wrote (on Thu, 20 Nov 2025, 20:25):
Apparently, the file is not ignored, because when I type a wrong file name in the config, I immediately get an error on startup.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:52, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or a configuration problem that the files were not searched for in the configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot dovecot@dovecot.org wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than the 10-ssl.conf file.
It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
I ran ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org wrote:
> Both these commands return the same result as the previous one I posted.
>
> Sent with Proton Mail secure email.
>
> On Thursday, 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
>
> > either do
> >
> > openssl s_client -connect host:993
> >
> > or
> >
> > openssl s_client -connect host:143 -starttls imap
> >
> > Aki
> >
> > > On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
> > >
> > > When trying openssl s_client to port 143, I get:
> > >
> > > no peer certificate available
> > > --
> > > No client certificate CA names sent
> > > Negotiated TLS1.3 group: <NULL>
> > > ---
> > > SSL handshake has read 5 bytes and written 1556 bytes
> > > Verification: OK
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Protocol: TLSv1.3
> > > This TLS version forbids renegotiation.
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > Early data was not sent
> > > Verify return code: 0 (ok)
> > >
> > > Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
> > >
> > > Marek
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > On Thursday, 20 November 2025, 16:45, Marek Greško marek.gresko@protonmail.com wrote:
> > >
> > > > Hello,
> > > >
> > > > I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
> > > >
> > > > Any other suggestion?
> > > >
> > > > I still cannot imagine what could be the cause.
> > > >
> > > > Thanks
> > > >
> > > > Marek
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> > > >
> > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> > > > >
> > > > > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> > > > >
> > > > > > Should the authority certificate be configured somewhere in dovecot?
> > > > >
> > > > > start with a thorough read of
> > > > >
> > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > >
> > > > > if using self-signed certs, you'll end up with something similar to
> > > > >
> > > > > ssl = required
> > > > > ...
> > > > > ssl_server {
> > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > >   cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > >   key_file = /path/to/your_domain.server.ec.key.pem
> > > > >   ...
> > > > > }
> > > > > ssl_client {
> > > > >   ca_file = /path/to/your_CA.crt.pem
> > > > >   cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > >   key_file = /path/to/your_domain.client.ec.key.pem
> > > > >   ...
> > > > > }
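The check the thread converges on, comparing the paths `doveconf -n` reports with the ones written in 10-ssl.conf, as an added example that is not part of any poster's message. The sample config text and the /srv/tls paths are constructed, and treating `cert_file` inside `ssl_server { }` as the same setting as `ssl_server_cert_file` is an assumption taken from the two spellings used in the thread.

```shell
#!/bin/sh
# Added example: compare the TLS file paths Dovecot actually resolved
# (the `doveconf -n` dump) with the paths written in conf.d/10-ssl.conf.
# All sample text and the /srv/tls paths are constructed for illustration.

# Print the value of setting $1 from config text on stdin.
# Inside a `name { ... }` block a setting may be written without the block
# prefix (cert_file), so both spellings are normalised to the long name
# (assumption, see lead-in). Commented-out lines are skipped and the last
# assignment seen is the one printed.
setting_value() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z_0-9]+[ \t]*[{]/ {
            block = $1; sub(/[{].*/, "", block); next
        }
        /^[ \t]*[}]/ { block = ""; next }
        /=/ {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (block != "" && index(name, block "_") != 1) name = block "_" name
            if (name == want) found = val
        }
        END { if (found != "") print found }
    '
}

# Compare one setting between the edited file and the effective dump.
# $1 = setting name, $2 = text of the edited file, $3 = text of `doveconf -n`.
# Returns 1 when the two values differ.
compare_setting() {
    edited=$(printf '%s\n' "$2" | setting_value "$1")
    effective=$(printf '%s\n' "$3" | setting_value "$1")
    if [ "$edited" = "$effective" ]; then
        printf 'match    %s = %s\n' "$1" "$effective"
    else
        printf 'MISMATCH %s: file says "%s", dovecot uses "%s"\n' \
            "$1" "$edited" "$effective"
        return 1
    fi
}

# Succeeds if the main config text on stdin pulls in conf.d through an
# uncommented line starting with !include (this also covers !include_try).
includes_conf_d() {
    grep -Eq '^[[:space:]]*!include[_a-z]*[[:space:]]+.*conf\.d'
}

# Constructed sample: what the admin wrote in 10-ssl.conf.
SAMPLE_10_SSL='ssl = required
ssl_server {
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_cert_file = /srv/tls/mail.example.pem
  ssl_server_key_file = /srv/tls/mail.example.key
}'

# Constructed sample: what the running configuration reports instead.
SAMPLE_DOVECONF_N='ssl = required
ssl_server {
  cert_file = /etc/pki/tls/certs/dovecot.pem
  key_file = /etc/pki/tls/private/dovecot.pem
}'

# On a real host (not run here): diff the live file against the live dump,
# then print the key size of the certificate Dovecot really loads, which is
# the file the "ee key too small" error is about.
check_live() {
    conf=${1:-/etc/dovecot/conf.d/10-ssl.conf}
    dump=$(doveconf -n) || return 2
    compare_setting ssl_server_cert_file "$(cat "$conf")" "$dump" || :
    cert=$(printf '%s\n' "$dump" | setting_value ssl_server_cert_file)
    [ -r "$cert" ] && openssl x509 -in "$cert" -noout -text | grep 'Public-Key'
}

# Demo on the constructed samples.
for s in ssl ssl_server_cert_file ssl_server_key_file; do
    compare_setting "$s" "$SAMPLE_10_SSL" "$SAMPLE_DOVECONF_N" || :
done
```

A mismatch here means the certificate that was regenerated is not the one being loaded, so changing its key size cannot affect the error.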
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file. It is: ssl_server { ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem #ssl_server_dh_file = /etc/dovecot/dh.pem ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem ssl_server_key_file = /etc/pki/tls/private/dovecot.pem #cert_file = /etc/pki/tls/certs/dovecot.pem #key_file = /etc/pki/tls/private/dovecot.pem #prefer_ciphers = server request_client_cert = no } there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get suntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files. Marek Odoslane pomocou bezpecneho emailu [1]Proton Mail. stvrtok 20. novembra 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com
napisal/a:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Gresko via dovecot <[2]dovecot@dovecot.org> wrote:
I run ls -lu on the key file. It's access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 17:26, Marek Gresko via dovecot <[3]dovecot@dovecot.org> napisal/a:
Both these command return same result as the previous I posted.
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 17:07, Aki Tuomi [4]aki.tuomi@open-xchange.com napisal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Gresko via dovecot [5]dovecot@dovecot.org wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes Verification: OK
New, (NONE), Cipher is (NONE) Protocol: TLSv1.3 This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:45, Marek Gresko [6]marek.gresko@protonmail.com napisal/a:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:13, pgnd [7]pgnd@dev-mail.net napisal/a:
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
[8]https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required ... ssl_server { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.server.ec.crt.pem key_file = /path/to/your_domain.server.ec.key.pem ... } ssl_client { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.client.ec.crt.pem key_file = /path/to/your_domain.client.ec.key.pem ... }
dovecot mailing list -- [9]dovecot@dovecot.org To unsubscribe send an email to [10]dovecot-leave@dovecot.org Both these command return same result as the previous I posted.
Odoslane pomocou bezpecneho emailu [1]Proton Mail. stvrtok 20. novembra 2025, 17:07, Aki Tuomi [11]aki.tuomi@open-xchange.com
napisal/a:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Gresko via dovecot <[2][12]dovecot@dovecot.org> wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes Verification: OK
New, (NONE), Cipher is (NONE) Protocol: TLSv1.3 This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak?
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:45, Marek Gresko <[3][13]marek.gresko@protonmail.com> napisal/a:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 16:13, pgnd [4][14]pgnd@dev-mail.net napisal/a:
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
[5][15]https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required ... ssl_server { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.server.ec.crt.pem key_file = /path/to/your_domain.server.ec.key.pem ... } ssl_client { ca_file = /path/to/your_CA.crt.pem cert_file = /path/to/your_domain.client.ec.crt.pem key_file = /path/to/your_domain.client.ec.key.pem ... }
dovecot mailing list -- [6][16]dovecot@dovecot.org To unsubscribe send an email to [7][17]dovecot-leave@dovecot.org
References
Visible links
- [18]https://proton.me/mail/home
- mailto:[19]dovecot@dovecot.org
- mailto:[20]marek.gresko@protonmail.com
- mailto:[21]pgnd@dev-mail.net
- [22]https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:[23]dovecot@dovecot.org
- mailto:[24]dovecot-leave@dovecot.org
dovecot mailing list -- [25]dovecot@dovecot.org To unsubscribe send an email to [26]dovecot-leave@dovecot.org
dovecot mailing list -- [27]dovecot@dovecot.org To unsubscribe send an email to [28]dovecot-leave@dovecot.org
References
Visible links
- https://proton.me/mail/home
- mailto:dovecot@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:aki.tuomi@open-xchange.com
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:aki.tuomi@open-xchange.com
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- https://proton.me/mail/home
- mailto:dovecot@dovecot.org
- mailto:marek.gresko@protonmail.com
- mailto:pgnd@dev-mail.net
- https://doc.dovecot.org/2.4.2/core/config/ssl.html
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
SELinux? Marek Gresko via dovecot <[1]dovecot@dovecot.org> ezt irta (ido"pont: 2025. nov. 20., Csue 20:25):
Apparently, the file is not ignored, because when I type wrong file name
in the config, I immediately get error on startup.
Marek
Odoslane pomocou bezpecneho emailu Proton Mail.
stvrtok 20. novembra 2025, 19:52, Aki Tuomi
<[2]aki.tuomi@open-xchange.com> napisal/a:
> If you are lacking !try_include or !include in your dovecot.conf,
/etc/dovecot/conf.d files are ignored.
>
> Aki
>
> > On 20/11/2025 20:40 EET Marek Gresko via dovecot
[3]dovecot@dovecot.org wrote:
> >
> > It seems copying the pem files to the default location from the
configured one solved the problem. Is it a bug or configuration problem
the files were not searched in configured path?
> >
> > Thanks
> >
> > Marek
> >
> > Odoslane pomocou bezpecneho emailu Proton Mail.
> >
> > stvrtok 20. novembra 2025, 19:13, Marek Gresko via dovecot
[4]dovecot@dovecot.org napisal/a:
> >
> > > OK, while inspecting dovecot I see the problem.
> > >
> > > doveconf -n reports different file paths than 10-ssl.conf file.
> > >
> > > It is:
> > >
> > > ssl_server {
> > > ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
> > > #ssl_server_dh_file = /etc/dovecot/dh.pem
> > > ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
> > > ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
> > > #cert_file = /etc/pki/tls/certs/dovecot.pem
> > > #key_file = /etc/pki/tls/private/dovecot.pem
> > > #prefer_ciphers = server
> > > request_client_cert = no
> > > }
> > >
> > > there. The file is definitely read, because when I uncomment this
#ssl_verify_client_cert = no I get suntax error. I cannot understand why
the configuration is not accepted. If there is no meaningful reasoning
on that, I can fix by configuration, I can overwrite the files in
default paths by the wanted files.
> > >
> > > Marek
> > >
> > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > >
> > > stvrtok 20. novembra 2025, 17:46, Aki Tuomi
[5]aki.tuomi@open-xchange.com napisal/a:
> > >
> > > > Can you post doveconf -n output?
> > > >
> > > > Aki
> > > >
> > > > > On 20/11/2025 18:37 EET Marek Gresko via dovecot
[6]dovecot@dovecot.org wrote:
> > > > >
> > > > > I run ls -lu on the key file. It's access time is not updated.
It seems dovecot does not even read it. What is the correct syntax?
> > > > >
> > > > > Should it be in the ssl_server section? Should it be
ssl_server_cert_file or cert file parameter? Or even another?
> > > > >
> > > > > Marek
> > > > >
> > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > >
> > > > > stvrtok 20. novembra 2025, 17:26, Marek Gresko via dovecot
[7]dovecot@dovecot.org napisal/a:
> > > > >
> > > > > > Both these command return same result as the previous I
posted.
> > > > > >
> > > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > > >
> > > > > > stvrtok 20. novembra 2025, 17:07, Aki Tuomi
[8]aki.tuomi@open-xchange.com napisal/a:
> > > > > >
> > > > > > > either do
> > > > > > >
> > > > > > > openssl s_client -connect host:993
> > > > > > >
> > > > > > > or
> > > > > > >
> > > > > > > openssl s_client -connect host:143 -starttls imap
> > > > > > >
> > > > > > > Aki
> > > > > > >
> > > > > > > > On 20/11/2025 17:49 EET Marek Gresko via dovecot
[9]dovecot@dovecot.org wrote:
> > > > > > > >
> > > > > > > > When trying openssl s_client to port 143, I get:
> > > > > > > >
> > > > > > > > no peer certificate available
> > > > > > > > --
> > > > > > > > No client certificate CA names sent
> > > > > > > > Negotiated TLS1.3 group: <NULL>
> > > > > > > > ---
> > > > > > > > SSL handshake has read 5 bytes and written 1556 bytes
> > > > > > > > Verification: OK
> > > > > > > > ---
> > > > > > > > New, (NONE), Cipher is (NONE)
> > > > > > > > Protocol: TLSv1.3
> > > > > > > > This TLS version forbids renegotiation.
> > > > > > > > Compression: NONE
> > > > > > > > Expansion: NONE
> > > > > > > > No ALPN negotiated
> > > > > > > > Early data was not sent
> > > > > > > > Verify return code: 0 (ok)
> > > > > > > >
> > > > > > > > Why there is no certificate present? Because dovecot
refuse to present it since it thinks it is weak?
> > > > > > > >
> > > > > > > > Marek
> > > > > > > >
> > > > > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > > > > >
> > > > > > > > stvrtok 20. novembra 2025, 16:45, Marek Gresko
[10]marek.gresko@protonmail.com napisal/a:
> > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I added ca_file to the server section. I do not want
clients to present certificates, so I did not create the ssl client
section you proposed.
> > > > > > > > >
> > > > > > > > > Any other suggestion?
> > > > > > > > >
> > > > > > > > > I still cannot imagine what could be the cause.
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > Marek
> > > > > > > > >
> > > > > > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > > > > > >
> > > > > > > > > stvrtok 20. novembra 2025, 16:13, pgnd
[11]pgnd@dev-mail.net napisal/a:
> > > > > > > > >
> > > > > > > > > > > after upgrading from Fedora 42 to Fedora 43 the
dovecot got upgraded to version 2.4.
> > > > > > > > > >
> > > > > > > > > > imo, a sloppy choice on their part, forcing the need
to significantly change imap config at the same time as an OS upgrade,
and 'breaking imap' for lots of folks.
> > > > > > > > > >
> > > > > > > > > > > Should the authority certificate be configured
somewhere in dovecot?
> > > > > > > > > >
> > > > > > > > > > start with a thorough read of
> > > > > > > > > >
> > > > > > > > > >
[12]https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > > > > > > >
> > > > > > > > > > if using self-signed certs, you'll end up with
something similar to
> > > > > > > > > >
> > > > > > > > > > ssl = required
> > > > > > > > > > ...
> > > > > > > > > > ssl_server {
> > > > > > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > > > > > cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > > > > > > > key_file = /path/to/your_domain.server.ec.key.pem
> > > > > > > > > > ...
> > > > > > > > > > }
> > > > > > > > > > ssl_client {
> > > > > > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > > > > > cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > > > > > > > key_file = /path/to/your_domain.client.ec.key.pem
> > > > > > > > > > ...
> > > > > > > > > > }
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > dovecot mailing list -- [13]dovecot@dovecot.org
> > > > > > > > To unsubscribe send an email to
[14]dovecot-leave@dovecot.org Both these command return same result as
the previous I posted.
> > > > > >
> > > > > > Odoslane pomocou bezpecneho emailu [1]Proton Mail.
> > > > > > stvrtok 20. novembra 2025, 17:07, Aki Tuomi
[15]aki.tuomi@open-xchange.com
> > > > > >
> > > > > > napisal/a:
> > > > > >
> > > > > > either do
> > > > > >
> > > > > > openssl s_client -connect host:993
> > > > > >
> > > > > > or
> > > > > >
> > > > > > openssl s_client -connect host:143 -starttls imap
> > > > > >
> > > > > > Aki
> > > > > >
> > > > > > On 20/11/2025 17:49 EET Marek Gresko via dovecot
> > > > > > <[2][16]dovecot@dovecot.org> wrote:
> > > > > >
> > > > > > When trying openssl s_client to port 143, I get:
> > > > > >
> > > > > > no peer certificate available
> > > > > > --
> > > > > > No client certificate CA names sent
> > > > > > Negotiated TLS1.3 group: <NULL>
> > > > > >
> > > > > > ---
> > > > > > SSL handshake has read 5 bytes and written 1556 bytes
> > > > > > Verification: OK
> > > > > > ---
> > > > > > New, (NONE), Cipher is (NONE)
> > > > > > Protocol: TLSv1.3
> > > > > > This TLS version forbids renegotiation.
> > > > > > Compression: NONE
> > > > > > Expansion: NONE
> > > > > > No ALPN negotiated
> > > > > > Early data was not sent
> > > > > > Verify return code: 0 (ok)
> > > > > >
> > > > > > Why there is no certificate present? Because dovecot refuse
to present
> > > > > > it since it thinks it is weak?
> > > > > >
> > > > > > Marek
> > > > > >
> > > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > > >
> > > > > > stvrtok 20. novembra 2025, 16:45, Marek Gresko
> > > > > > <[3][17]marek.gresko@protonmail.com> napisal/a:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I added ca_file to the server section. I do not want clients
to
> > > > > > present certificates, so I did not create the ssl client
section you
> > > > > > proposed.
> > > > > >
> > > > > > Any other suggestion?
> > > > > >
> > > > > > I still cannot imagine what could be the cause.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Marek
> > > > > >
> > > > > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > > > > >
> > > > > > stvrtok 20. novembra 2025, 16:13, pgnd
[4][18]pgnd@dev-mail.net
> > > > > > napisal/a:
> > > > > >
> > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got
> > > > > > upgraded to version 2.4.
> > > > > >
> > > > > > imo, a sloppy choice on their part, forcing the need to
> > > > > > significantly change imap config at the same time as an OS
> > > > > > upgrade, and 'breaking imap' for lots of folks.
> > > > > >
> > > > > > Should the authority certificate be configured somewhere in
> > > > > > dovecot?
> > > > > >
> > > > > > start with a thorough read of
> > > > > >
> > > > > > [5][19]https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > > >
> > > > > > if using self-signed certs, you'll end up with something
similar
> > > > > > to
> > > > > >
> > > > > > ssl = required
> > > > > > ...
> > > > > > ssl_server {
> > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > > > key_file = /path/to/your_domain.server.ec.key.pem
> > > > > > ...
> > > > > > }
> > > > > > ssl_client {
> > > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > > cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > > > key_file = /path/to/your_domain.client.ec.key.pem
> > > > > > ...
> > > > > > }
> > > > > >
> > > > > > _______________________________________________
> > > > > > dovecot mailing list -- [6][20]dovecot@dovecot.org
> > > > > > To unsubscribe send an email to
[7][21]dovecot-leave@dovecot.org
> > > > > >
> > > > > > References
> > > > > >
> > > > > > Visible links
> > > > > > 1. [22]https://proton.me/mail/home
> > > > > > 2. mailto:[23]dovecot@dovecot.org
> > > > > > 3. mailto:[24]marek.gresko@protonmail.com
> > > > > > 4. mailto:[25]pgnd@dev-mail.net
> > > > > > 5. [26]https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > > > 6. mailto:[27]dovecot@dovecot.org
> > > > > > 7. mailto:[28]dovecot-leave@dovecot.org
> > > > > > _______________________________________________
> > > > > > dovecot mailing list -- [29]dovecot@dovecot.org
> > > > > > To unsubscribe send an email to
[30]dovecot-leave@dovecot.org
> > > > >
> > > > > _______________________________________________
> > > > > dovecot mailing list -- [31]dovecot@dovecot.org
> > > > > To unsubscribe send an email to [32]dovecot-leave@dovecot.org
OK, while inspecting dovecot I see the problem.
> > >
> > > doveconf -n reports different file paths than 10-ssl.conf file.
> > > It is:
> > > ssl_server {
> > > ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
> > > #ssl_server_dh_file = /etc/dovecot/dh.pem
> > > ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
> > > ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
> > > #cert_file = /etc/pki/tls/certs/dovecot.pem
> > > #key_file = /etc/pki/tls/private/dovecot.pem
> > > #prefer_ciphers = server
> > > request_client_cert = no
> > > }
> > > there. The file is definitely read, because when I uncomment
> > > this #ssl_verify_client_cert = no I get suntax error. I cannot
understand
> > > why the configuration is not accepted. If there is no meaningful
reasoning
> > > on that, I can fix by configuration, I can overwrite the files in
default
> > > paths by the wanted files.
> > > Marek
> > > Odoslane pomocou bezpecneho emailu [1]Proton Mail.
> > > stvrtok 20. novembra 2025, 17:46, Aki Tuomi
[33]aki.tuomi@open-xchange.com
> > >
> > > napisal/a:
> > >
> > > Can you post doveconf -n output?
> > >
> > > Aki
> > >
> > > On 20/11/2025 18:37 EET Marek Gresko via dovecot
> > > <[2][34]dovecot@dovecot.org> wrote:
> > >
> > > I run ls -lu on the key file. It's access time is not updated. It
> > > seems dovecot does not even read it. What is the correct syntax?
> > >
> > > Should it be in the ssl_server section? Should it be
> > > ssl_server_cert_file or cert file parameter? Or even another?
> > >
> > > Marek
> > >
> > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > >
> > > stvrtok 20. novembra 2025, 17:26, Marek Gresko via dovecot
> > > <[3][35]dovecot@dovecot.org> napisal/a:
> > >
> > > Both these command return same result as the previous I posted.
> > >
> > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > >
> > > stvrtok 20. novembra 2025, 17:07, Aki Tuomi
> > > [4][36]aki.tuomi@open-xchange.com napisal/a:
> > >
> > > either do
> > >
> > > openssl s_client -connect host:993
> > >
> > > or
> > >
> > > openssl s_client -connect host:143 -starttls imap
> > >
> > > Aki
> > >
> > > On 20/11/2025 17:49 EET Marek Gresko via dovecot
> > > [5][37]dovecot@dovecot.org wrote:
> > >
> > > When trying openssl s_client to port 143, I get:
> > >
> > > no peer certificate available
> > > --
> > > No client certificate CA names sent
> > > Negotiated TLS1.3 group: <NULL>
> > >
> > > ---
> > > SSL handshake has read 5 bytes and written 1556 bytes
> > > Verification: OK
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Protocol: TLSv1.3
> > > This TLS version forbids renegotiation.
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > Early data was not sent
> > > Verify return code: 0 (ok)
> > >
> > > Why there is no certificate present? Because dovecot refuse to
> > > present it since it thinks it is weak?
> > >
> > > Marek
> > >
> > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > >
> > > stvrtok 20. novembra 2025, 16:45, Marek Gresko
> > > [6][38]marek.gresko@protonmail.com napisal/a:
> > >
> > > Hello,
> > >
> > > I added ca_file to the server section. I do not want clients
> > > to present certificates, so I did not create the ssl client
> > > section you proposed.
> > >
> > > Any other suggestion?
> > >
> > > I still cannot imagine what could be the cause.
> > >
> > > Thanks
> > >
> > > Marek
> > >
> > > Odoslane pomocou bezpecneho emailu Proton Mail.
> > >
> > > stvrtok 20. novembra 2025, 16:13, pgnd [7][39]pgnd@dev-mail.net
> > > napisal/a:
> > >
> > > after upgrading from Fedora 42 to Fedora 43 the dovecot
> > > got upgraded to version 2.4.
> > >
> > > imo, a sloppy choice on their part, forcing the need to
> > > significantly change imap config at the same time as an OS
> > > upgrade, and 'breaking imap' for lots of folks.
> > >
> > > Should the authority certificate be configured somewhere
> > > in dovecot?
> > >
> > > start with a thorough read of
> > >
> > > [8][40]https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > >
> > > if using self-signed certs, you'll end up with something
> > > similar to
> > >
> > > ssl = required
> > > ...
> > > ssl_server {
> > > ca_file = /path/to/your_CA.crt.pem
> > > cert_file = /path/to/your_domain.server.ec.crt.pem
> > > key_file = /path/to/your_domain.server.ec.key.pem
> > > ...
> > > }
> > > ssl_client {
> > > ca_file = /path/to/your_CA.crt.pem
> > > cert_file = /path/to/your_domain.client.ec.crt.pem
> > > key_file = /path/to/your_domain.client.ec.key.pem
> > > ...
> > > }
> > >
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
Is it possible that it's mentioned later on some other file?
Aki
On 20/11/2025 21:22 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
Apparently, the file is not ignored, because when I type a wrong file name in the config, I immediately get an error on startup.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:52, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or a configuration problem that the files were not searched for in the configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot dovecot@dovecot.org wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
#ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
#cert_file = /etc/pki/tls/certs/dovecot.pem
#key_file = /etc/pki/tls/private/dovecot.pem
#prefer_ciphers = server
request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org wrote:
> Both these commands return the same result as the previous one I posted.
>
> Sent with Proton Mail secure email.
>
> On Thursday, 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
>
> > either do
> >
> > openssl s_client -connect host:993
> >
> > or
> >
> > openssl s_client -connect host:143 -starttls imap
> >
> > Aki
> >
> > > On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
> > >
> > > When trying openssl s_client to port 143, I get:
> > >
> > > no peer certificate available
> > > --
> > > No client certificate CA names sent
> > > Negotiated TLS1.3 group: <NULL>
> > > ---
> > > SSL handshake has read 5 bytes and written 1556 bytes
> > > Verification: OK
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Protocol: TLSv1.3
> > > This TLS version forbids renegotiation.
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > Early data was not sent
> > > Verify return code: 0 (ok)
> > >
> > > Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
> > >
> > > Marek
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > On Thursday, 20 November 2025, 16:45, Marek Greško marek.gresko@protonmail.com wrote:
> > >
> > > > Hello,
> > > >
> > > > I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
> > > >
> > > > Any other suggestion?
> > > >
> > > > I still cannot imagine what could be the cause.
> > > >
> > > > Thanks
> > > >
> > > > Marek
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> > > >
> > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
> > > > >
> > > > > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
> > > > >
> > > > > > Should the authority certificate be configured somewhere in dovecot?
> > > > >
> > > > > start with a thorough read of
> > > > >
> > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> > > > >
> > > > > if using self-signed certs, you'll end up with something similar to
> > > > >
> > > > > ssl = required
> > > > > ...
> > > > > ssl_server {
> > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > cert_file = /path/to/your_domain.server.ec.crt.pem
> > > > > key_file = /path/to/your_domain.server.ec.key.pem
> > > > > ...
> > > > > }
> > > > > ssl_client {
> > > > > ca_file = /path/to/your_CA.crt.pem
> > > > > cert_file = /path/to/your_domain.client.ec.crt.pem
> > > > > key_file = /path/to/your_domain.client.ec.key.pem
> > > > > ...
> > > > > }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
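Aki's question above, whether the setting is mentioned again later in some other file, can be checked mechanically. The script below is an added example, not code from the thread or from Dovecot: the function names, the temporary directory and the /srv/example paths are constructed, and it assumes that the assignment read last is the one that takes effect.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Dovecot). All paths below are
# constructed; "the last assignment read wins" is an assumption.

# list_definitions ROOT_CONF SETTING
# Print "file:line: assignment" for every uncommented assignment of SETTING,
# in the order the files are read, following include directives.
# Braces are ignored: a key is reported wherever it appears, inside a block or not.
list_definitions() {
    local conf=$1 setting=$2
    local dir line key pattern path n=0
    [ -r "$conf" ] || return 0
    dir=$(dirname "$conf")
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line="${line#"${line%%[![:space:]]*}"}"      # trim leading whitespace
        case $line in
            ''|'#'*)
                continue ;;                           # blank or commented out
            '!include '*|'!include_try '*|'!try_include '*)
                # "!try_include" is the spelling used in the thread; it is
                # accepted here alongside "!include" and "!include_try".
                pattern=${line#* }
                # relative include paths are resolved against the including file
                case $pattern in /*) ;; *) pattern="$dir/$pattern" ;; esac
                for path in $pattern; do              # unquoted so the glob expands (sorted)
                    if [ -f "$path" ]; then
                        list_definitions "$path" "$setting"
                    fi
                done ;;
            *=*)
                key=${line%%=*}
                key="${key%"${key##*[![:space:]]}"}"  # trim trailing whitespace
                if [ "$key" = "$setting" ]; then
                    printf '%s:%d: %s\n' "$conf" "$n" "$line"
                fi ;;
        esac
    done < "$conf"
    return 0
}

# effective_definition ROOT_CONF SETTING
# The last assignment in read order, i.e. the one assumed to take effect.
effective_definition() {
    list_definitions "$1" "$2" | tail -n 1
}

# Build a constructed config tree that reproduces the situation in the thread:
# the wanted paths live in conf.d/10-ssl.conf, a second assignment sits in
# dovecot.conf after the include.
make_demo_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/conf.d"
    cat > "$root/conf.d/10-ssl.conf" <<'EOF'
ssl = required
ssl_server {
  #ssl_server_dh_file = /srv/example/dh.pem
  ssl_server_cert_file = /srv/example/wanted.pem
  ssl_server_key_file = /srv/example/wanted.pem
}
EOF
    cat > "$root/dovecot.conf" <<'EOF'
protocols = imap
!include conf.d/*.conf
# leftover from an older setup, read after the include above
ssl_server_cert_file = /srv/example/stale.pem
ssl_server_key_file = /srv/example/stale.pem
EOF
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
list_definitions "$demo/dovecot.conf" ssl_server_cert_file
printf 'effective: %s\n' "$(effective_definition "$demo/dovecot.conf" ssl_server_cert_file)"
rm -rf "$demo"
```

On a real host, call `list_definitions /etc/dovecot/dovecot.conf ssl_server_cert_file` and compare the last line it prints with the path shown by `doveconf -n`.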
Aki you are a king. Absolutely true. I was going over all the files in the /etc/dovecot/conf.d, but I missed the /etc/dovecot/dovecot.conf itself and it was there.
Thank you very much.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 20:48, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Is it possible that it's mentioned later on some other file?
Aki
On 20/11/2025 21:22 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
Apparently, the file is not ignored, because when I type a wrong file name in the config, I immediately get an error on startup.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:52, Aki Tuomi aki.tuomi@open-xchange.com wrote:
If you are lacking !try_include or !include in your dovecot.conf, /etc/dovecot/conf.d files are ignored.
Aki
On 20/11/2025 20:40 EET Marek Greško via dovecot dovecot@dovecot.org wrote:
It seems copying the pem files to the default location from the configured one solved the problem. Is it a bug or a configuration problem that the files were not searched for in the configured path?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 19:13, Marek Greško via dovecot dovecot@dovecot.org wrote:
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than 10-ssl.conf file.
It is:
ssl_server {
ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
#ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
#cert_file = /etc/pki/tls/certs/dovecot.pem
#key_file = /etc/pki/tls/private/dovecot.pem
#prefer_ciphers = server
request_client_cert = no
}
there. The file is definitely read, because when I uncomment this #ssl_verify_client_cert = no I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
> On 20/11/2025 18:37 EET Marek Greško via dovecot dovecot@dovecot.org wrote: > > I run ls -lu on the key file. It's access time is not updated. It seems dovecot does not even read it. What is the correct syntax? > > Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another? > > Marek > > Odoslané pomocou bezpečného emailu Proton Mail. > > štvrtok 20. novembra 2025, 17:26, Marek Greško via dovecot dovecot@dovecot.org napísal/a: > > > Both these command return same result as the previous I posted. > > > > Odoslané pomocou bezpečného emailu Proton Mail. > > > > štvrtok 20. novembra 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com napísal/a: > > > > > either do > > > > > > openssl s_client -connect host:993 > > > > > > or > > > > > > openssl s_client -connect host:143 -starttls imap > > > > > > Aki > > > > > > > On 20/11/2025 17:49 EET Marek Greško via dovecot dovecot@dovecot.org wrote: > > > > > > > > When trying openssl s_client to port 143, I get: > > > > > > > > no peer certificate available > > > > -- > > > > No client certificate CA names sent > > > > Negotiated TLS1.3 group: <NULL> > > > > --- > > > > SSL handshake has read 5 bytes and written 1556 bytes > > > > Verification: OK > > > > --- > > > > New, (NONE), Cipher is (NONE) > > > > Protocol: TLSv1.3 > > > > This TLS version forbids renegotiation. > > > > Compression: NONE > > > > Expansion: NONE > > > > No ALPN negotiated > > > > Early data was not sent > > > > Verify return code: 0 (ok) > > > > > > > > Why there is no certificate present? Because dovecot refuse to present it since it thinks it is weak? > > > > > > > > Marek > > > > > > > > Odoslané pomocou bezpečného emailu Proton Mail. > > > > > > > > štvrtok 20. novembra 2025, 16:45, Marek Greško marek.gresko@protonmail.com napísal/a: > > > > > > > > > Hello, > > > > > > > > > > I added ca_file to the server section. 
I do not want clients to present certificates, so I did not create the ssl client section you proposed. > > > > > > > > > > Any other suggestion? > > > > > > > > > > I still cannot imagine what could be the cause. > > > > > > > > > > Thanks > > > > > > > > > > Marek > > > > > > > > > > Odoslané pomocou bezpečného emailu Proton Mail. > > > > > > > > > > štvrtok 20. novembra 2025, 16:13, pgnd pgnd@dev-mail.net napísal/a: > > > > > > > > > > > > after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4. > > > > > > > > > > > > imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks. > > > > > > > > > > > > > Should the authority certificate be configured somewhere in dovecot? > > > > > > > > > > > > start with a thorough read of > > > > > > > > > > > > https://doc.dovecot.org/2.4.2/core/config/ssl.html > > > > > > > > > > > > if using self-signed certs, you'll end up with something similar to > > > > > > > > > > > > ssl = required > > > > > > ... > > > > > > ssl_server { > > > > > > ca_file = /path/to/your_CA.crt.pem > > > > > > cert_file = /path/to/your_domain.server.ec.crt.pem > > > > > > key_file = /path/to/your_domain.server.ec.key.pem > > > > > > ... > > > > > > } > > > > > > ssl_client { > > > > > > ca_file = /path/to/your_CA.crt.pem > > > > > > cert_file = /path/to/your_domain.client.ec.crt.pem > > > > > > key_file = /path/to/your_domain.client.ec.key.pem > > > > > > ... > > > > > > } > > > > > > > > _______________________________________________ > > > > dovecot mailing list -- dovecot@dovecot.org > > > > To unsubscribe send an email to dovecot-leave@dovecot.org Both these command return same result as the previous I posted. > > > > Odoslane pomocou bezpecneho emailu [1]Proton Mail. > > stvrtok 20. 
novembra 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com
> >
> > napisal/a:
> >
> > either do
> >
> > openssl s_client -connect host:993
> >
> > or
> >
> > openssl s_client -connect host:143 -starttls imap
> >
> > Aki
> >
> > On 20/11/2025 17:49 EET Marek Gresko via dovecot
> > <dovecot@dovecot.org> wrote:
> >
> > When trying openssl s_client to port 143, I get:
> >
> > no peer certificate available
> > --
> > No client certificate CA names sent
> > Negotiated TLS1.3 group: <NULL>
> >
> > ---
> > SSL handshake has read 5 bytes and written 1556 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Protocol: TLSv1.3
> > This TLS version forbids renegotiation.
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> >
> > Why is there no certificate present? Because dovecot refuses to present
> > it since it thinks it is weak?
> >
> > Marek
> >
> > Sent with Proton Mail secure email.
> >
> > On Thursday, 20 November 2025, 16:45, Marek Gresko
> > <marek.gresko@protonmail.com> wrote:
> >
> > Hello,
> >
> > I added ca_file to the server section. I do not want clients to
> > present certificates, so I did not create the ssl client section you
> > proposed.
> >
> > Any other suggestion?
> >
> > I still cannot imagine what could be the cause.
> >
> > Thanks
> >
> > Marek
> >
> > Sent with Proton Mail secure email.
> >
> > On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
> >
> > after upgrading from Fedora 42 to Fedora 43 the dovecot got
> > upgraded to version 2.4.
> >
> > imo, a sloppy choice on their part, forcing the need to
> > significantly change imap config at the same time as an OS
> > upgrade, and 'breaking imap' for lots of folks.
> >
> > Should the authority certificate be configured somewhere in
> > dovecot?
> >
> > start with a thorough read of
> >
> > https://doc.dovecot.org/2.4.2/core/config/ssl.html
> >
> > if using self-signed certs, you'll end up with something similar
> > to
> >
> > ssl = required
> > ...
> > ssl_server {
> >   ca_file = /path/to/your_CA.crt.pem
> >   cert_file = /path/to/your_domain.server.ec.crt.pem
> >   key_file = /path/to/your_domain.server.ec.key.pem
> >   ...
> > }
> > ssl_client {
> >   ca_file = /path/to/your_CA.crt.pem
> >   cert_file = /path/to/your_domain.client.ec.crt.pem
> >   key_file = /path/to/your_domain.client.ec.key.pem
> >   ...
> > }
> >
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-leave@dovecot.org
OK, while inspecting dovecot I see the problem.
doveconf -n reports different file paths than the 10-ssl.conf file. It is:
ssl_server {
  ssl_server_ca_file = /etc/pki/tls/certs/cacert.pem
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /etc/pki/tls/certs/dovecot.pem
  ssl_server_key_file = /etc/pki/tls/private/dovecot.pem
  #cert_file = /etc/pki/tls/certs/dovecot.pem
  #key_file = /etc/pki/tls/private/dovecot.pem
  #prefer_ciphers = server
  request_client_cert = no
}
there. The file is definitely read, because when I uncomment this
#ssl_verify_client_cert = no
I get a syntax error. I cannot understand why the configuration is not accepted. If there is no meaningful reasoning on that, I can fix by configuration, I can overwrite the files in default paths by the wanted files.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:46, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you post doveconf -n output?
Aki
On 20/11/2025 18:37 EET Marek Gresko via dovecot <dovecot@dovecot.org> wrote:
I run ls -lu on the key file. Its access time is not updated. It seems dovecot does not even read it. What is the correct syntax?
Should it be in the ssl_server section? Should it be ssl_server_cert_file or cert file parameter? Or even another?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:26, Marek Gresko via dovecot <dovecot@dovecot.org> wrote:
Both these commands return the same result as the previous one I posted.
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 17:07, Aki Tuomi aki.tuomi@open-xchange.com wrote:
either do
openssl s_client -connect host:993
or
openssl s_client -connect host:143 -starttls imap
Aki
On 20/11/2025 17:49 EET Marek Gresko via dovecot dovecot@dovecot.org wrote:
When trying openssl s_client to port 143, I get:
no peer certificate available
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
SSL handshake has read 5 bytes and written 1556 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Why is there no certificate present? Because dovecot refuses to present it since it thinks it is weak?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:45, Marek Gresko marek.gresko@protonmail.com wrote:
Hello,
I added ca_file to the server section. I do not want clients to present certificates, so I did not create the ssl client section you proposed.
Any other suggestion?
I still cannot imagine what could be the cause.
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:13, pgnd pgnd@dev-mail.net wrote:
after upgrading from Fedora 42 to Fedora 43 the dovecot got upgraded to version 2.4.
imo, a sloppy choice on their part, forcing the need to significantly change imap config at the same time as an OS upgrade, and 'breaking imap' for lots of folks.
Should the authority certificate be configured somewhere in dovecot?
start with a thorough read of
https://doc.dovecot.org/2.4.2/core/config/ssl.html
if using self-signed certs, you'll end up with something similar to
ssl = required
...
ssl_server {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.server.ec.crt.pem
  key_file = /path/to/your_domain.server.ec.key.pem
  ...
}
ssl_client {
  ca_file = /path/to/your_CA.crt.pem
  cert_file = /path/to/your_domain.client.ec.crt.pem
  key_file = /path/to/your_domain.client.ec.key.pem
  ...
}
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
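The check described in the message above (effective `doveconf -n` paths versus the path the administrator intended, then the key size of the certificate actually loaded), as an added example that is not part of the thread. The function names are hypothetical, and the sample text and its `doveconf -n` layout are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the style of `doveconf -n` output (layout assumed).
SAMPLE_DOVECONF='ssl = required
ssl_server {
  cert_file = /path/to/default/cert.pem
  key_file = /path/to/default/key.pem
}'

# effective_ssl_setting KEY: read config text on stdin and print the value of
# KEY inside an ssl_server { } block, or of a flat ssl_server_KEY line.
# Commented-out settings are ignored.
effective_ssl_setting() {
  awk -v key="$1" '
    /^ssl_server[ \t]*[{]/ { in_blk = 1; next }
    in_blk && /^[}]/       { in_blk = 0; next }
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }
    in_blk && index(line, key " = ") == 1 {
      print substr(line, length(key) + 4); exit
    }
    !in_blk && index(line, "ssl_server_" key " = ") == 1 {
      print substr(line, length(key) + 15); exit
    }
  '
}

# cert_path_matches INTENDED: config text on stdin; succeeds only when the
# effective cert_file is the path the administrator meant to configure.
cert_path_matches() {
  effective=$(effective_ssl_setting cert_file)
  [ "$effective" = "$1" ]
}

# cert_key_bits FILE: public-key size of a PEM certificate, read with openssl.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# audit_dovecot_cert INTENDED: run on the mail server (needs doveconf, openssl).
audit_dovecot_cert() {
  effective=$(doveconf -n | effective_ssl_setting cert_file)
  [ "$effective" = "$1" ] ||
    echo "mismatch: dovecot loads $effective, expected $1"
  echo "key size of loaded certificate: $(cert_key_bits "$effective") bit"
}
```

On the server, `audit_dovecot_cert /etc/pki/tls/certs/dovecot.pem` reports whether the daemon loads that file and how large the key in the loaded certificate is.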
participants (5)
- Aki Tuomi
- Marc
- Marek Greško
- pgnd
- Péter Márton