[Dovecot] SSL/TLS with Outlook client

Nikolay Shopik shopik at inblock.ru
Wed Nov 14 07:52:40 EET 2007


Agree with Hugo: most root CAs have intermediate certificates, which should be supplied with your server certificate. Otherwise the chain won't work and clients won't trust it.

- original message -
Subject:	Re: [Dovecot] SSL/TLS with Outlook client
From:	Hugo Monteiro <hugo.monteiro at fct.unl.pt>
Date:		14/11/2007 00:14

Eli Sand wrote:
> Hugo Monteiro wrote:
>   
>> Ah ... wildcard certs .. from what i recall, certs issued like
>> *.example.com were not very well accepted by M$ clients. You should
>> test against non wildcard certs and see how it behaves.
>>     
>
> Already have and no luck :(  My domain is elisand.com and I have tried
> *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
> not, whatever it is is what I tried) and mail.elisand.com which is the
> smtp/imap server name I use in Outlook.  All three yield the same result :(
>
> Eli.
>
>
>   

I have taken the liberty to connect to your server using openssl, and I've
seen the following:

$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
---

I believe you should change two things. If the name you wish to use on
your clients is mail.elisand.com, then the certificate should read
CN=mail.elisand.com. Furthermore, it's always a good idea to provide the
chaining certificate path on Dovecot's side. Try using the ssl_ca_file
directive in Dovecot's configuration.

Regards,

Hugo Monteiro.


-- 
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro at fct.unl.pt
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt	      apoio at fct.unl.pt

ci.fct.unl.pt:~# _
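
Added example, not part of the original messages: an offline check of the two points raised in this thread, using a constructed throwaway PKI (root, intermediate, leaf). The names mail.example.test and mx1.example.test, the file names and the helper functions are assumptions made for illustration; the client is modelled as trusting only the root.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf for mail.example.test.
# All names are placeholders; nothing here comes from the server in the thread.
make_pki() {  # $1 = empty work directory
  cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:mail.example.test
EOF
  openssl req -x509 -config "$1/cfg" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root" -keyout "$1/root.key" -out "$1/root.pem" &&
  openssl req -new -config "$1/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$1/int.key" -out "$1/int.csr" &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/cfg" -extensions ca -out "$1/int.pem" &&
  openssl req -new -config "$1/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -extfile "$1/cfg" -extensions leaf -out "$1/leaf.pem"
}
# Validate the leaf as a client that trusts only the root and connects to host $2.
# $3 (optional) = file of intermediates the server sends with its own certificate.
client_accepts() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$3" -verify_hostname "$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" -verify_hostname "$2" "$1/leaf.pem"
  fi >/dev/null 2>&1
}
report() {  # $1 = dir, $2 = label, $3 = host, $4 = chain file or empty
  if client_accepts "$1" "$3" "$4"; then echo "$2: accepted"; else echo "$2: rejected"; fi
}
demo() {
  d=$(mktemp -d) || return 1
  make_pki "$d" >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
  report "$d" "leaf only, right name" mail.example.test ""
  report "$d" "leaf+intermediate, right name" mail.example.test "$d/int.pem"
  report "$d" "leaf+intermediate, wrong name" mx1.example.test "$d/int.pem"
  rm -rf "$d"
}
demo
```

Only the second case validates: the intermediate is supplied and the name in the certificate matches the name the client connects to.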



