Hello,
for our testing environment, I would like to configure a CA that is trusted by Dovecot when making TLS connections. As you can see below in the config snippets, this is used, for example, when proxying to itself during a login with credentials for the OIDC provider. The Dovecot documentation (https://doc.dovecot.org/configuration_manual/authentication/proxies/) states: "ssl_client_ca_dir or ssl_client_ca_file aren't currently used for verifying the remote certificate, although ideally they will be in a future Dovecot version. For now you need to add the trusted remote certificates to ssl_ca."
Configuring a trusted CA via the ssl_ca config option works but is a little bit weird, as this option originally is for TLS client authentication.
I added the CA certificate to the system trust store and removed ssl_ca and ssl_client_ca_file, but it seems that Dovecot does not use the system store. Or is there any config option I am missing?
Otherwise, are there any plans for when ssl_client_ca_file will be used for remote connections (the documentation mentions that this would ideally be fixed in a later version)? And could I then use the aggregated Debian system trust store (/etc/ssl/certs/ca-certificates.crt) there?
Best regards, Felix
dovecot -n (shortened):

# 2.3.19 (b3ad6004dc): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.7.3-arch1-1 x86_64 Debian 11.8
passdb {
  args = /etc/dovecot/oauth2-token.conf.ext
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
}
passdb {
  args = /etc/dovecot/oauth2-password.conf.ext
  driver = oauth2
  mechanisms = plain login
}
protocols = imap lmtp
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  inet_listener {
    port = 24
    ssl = no
  }
}
ssl = required
ssl_min_protocol = TLSv1.3
ssl_prefer_server_ciphers = yes
protocol lmtp {
  ssl_cert =
oauth2-password.conf.ext:

client_id = ${DOVECOT_OIDC_CLIENT_ID}
client_secret = ${DOVECOT_OIDC_CLIENT_SECRET}
introspection_mode = local
force_introspection = yes
username_attribute = preferred_username
username_format = %Lu
use_grant_password = yes
grant_url = ${OIDC_TOKEN_URL}
scope = ${DOVECOT_OIDC_SCOPE}
issuers = ${OIDC_ISSUER_URL}
pass_attrs = host=dovecot port=993 ssl=yes proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:sub}
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
debug = no
Gesellschaft für interkulturelles Zusammenleben gGmbH (GIZ) Felix Auringer IT Reformationsplatz 2 13597 Berlin
Tel: 030/513 0100 00; Fax: 030/513 0100 09 www.giz.berlin; felix.auringer@giz.berlin
Amtsgericht Charlottenburg HRB 200872 B Geschäftsführerin: Dr. Britta Marschke
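Since Dovecot currently only trusts what is in ssl_ca for the proxy connection and ignores the system store, a useful sanity check is to confirm, with openssl alone, that the proxy target's certificate actually chains to the CA file you intend to reference from ssl_ca, and not merely to something in /etc/ssl/certs/ca-certificates.crt. The script below is an added example, not part of the original post and not Dovecot's own tooling. Everything in it is constructed for the demonstration: a throwaway "Test Proxy CA", an unrelated CA that must not validate the leaf, and a leaf certificate for "dovecot"; the /etc/dovecot/proxy-ca.pem path in the commented s_client line is a placeholder. It checks only the chain, not the host name.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): check that a
# server certificate chains to the CA file you plan to put into ssl_ca.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: one CA that signs the leaf, one unrelated CA,
# and a leaf certificate with CN=dovecot (mirroring host=dovecot in pass_attrs).
# All names here are made up for the demonstration.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Test Proxy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=dovecot" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_against_ca CAFILE CERT
# Returns 0 when CERT validates against CAFILE only (no system store is
# consulted), 1 otherwise. This mirrors what ssl_ca gives Dovecot to trust.
verify_against_ca() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki

if verify_against_ca "$WORK/ca.crt" "$WORK/leaf.crt"; then
  echo "leaf chains to Test Proxy CA: this is the file to reference from ssl_ca"
fi
if ! verify_against_ca "$WORK/other.crt" "$WORK/leaf.crt"; then
  echo "leaf does not chain to Unrelated CA: the proxy TLS handshake would fail"
fi

# Against a live proxy target the same check looks like this (placeholder
# path and host, not executed here):
#   openssl s_client -connect dovecot:993 -CAfile /etc/dovecot/proxy-ca.pem \
#     -verify_return_error </dev/null
```

The -no-CApath switch matters: without it openssl verify would silently fall back to the default certificate directory, which is exactly the system-store behaviour Dovecot does not have for proxy connections, so the check would pass for the wrong reason.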