Dovecot proxy ignores trusted root certificate store
Alex Bulan
avb at korax.net
Mon Sep 21 05:53:53 UTC 2015
Dovecot v2.2.18
OS: FreeBSD 10.1/amd64
Dovecot in proxy mode ignores the root certificate store and can't verify
the backend's SSL certificate.
I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context. It seems to be
ignored in proxy context.
doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
In my password_query I return host set to the backend's IP address,
starttls='yes', proxy='y'.
The backend's certificate chain is correct and it verifies successfully
with "openssl s_client -connect x.x.x.x:110 -starttls pop3 -CAfile
/usr/local/share/certs/ca-root-nss.crt".
But the Dovecot proxy fails to verify the intermediate certificate it
receives from the backend. The inode atime of ca-root-nss.crt is never
updated, either at Dovecot start or when it connects to the backend, so
Dovecot (via the openssl library) never reads the file.
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL certificate from x.x.x.x:110: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: user=<xxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, session=<lz9YjzYgIADYyWAp>
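The log lines above are the only evidence an operator gets that the proxy, rather than the backend, is the side that cannot build the chain. The following is an added example, not part of the original post and not Dovecot code: a small parser that reads Dovecot `pop3-login`/`imap-login` proxy lines of the shape shown in the report, groups verification failures per backend, and flags the two OpenSSL reasons ("unable to get local issuer certificate", "certificate not trusted") that point at an unloaded trust store such as the `ssl_client_ca_file` in the report rather than at a bad backend certificate. The sample log text, addresses, user names and session ids are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines modelled on the report's output; the IP
# addresses, user names and session ids are placeholders, not real values.
SAMPLE_LOG = """\
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL certificate from 192.0.2.10:110: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, session=<sessionid0001>
Sep 20 20:01:02 dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5
Sep 20 20:02:15 dovecot: imap-login: Error: proxy: Received invalid SSL certificate from 192.0.2.11:143: certificate has expired: /CN=backend.example.test: user=<carol>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, session=<sessionid0002>
"""

# Two line shapes appear in the report: a bare "Invalid certificate" warning
# and the proxy error that also names the backend and the user.
PROXY_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+: (?P<service>[\w-]+): Error: proxy: "
    r"Received invalid SSL certificate from (?P<backend>[^: ]+:\d+): "
    r"(?P<reason>.+?): (?P<subject>/.+?): user=<(?P<user>[^>]*)>"
)
WARN_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+: (?P<service>[\w-]+): Invalid certificate: "
    r"(?P<reason>.+?): (?P<subject>/.+)$"
)

# OpenSSL verify results that mean the verifying side lacks the issuer, i.e.
# its trust store was not loaded, rather than that the backend cert is bad.
TRUST_STORE_REASONS = {
    "unable to get local issuer certificate",
    "certificate not trusted",
}

@dataclass
class CertEvent:
    timestamp: str
    service: str
    reason: str
    subject: str
    backend: Optional[str] = None  # only the proxy error line carries these
    user: Optional[str] = None

def parse_line(line: str) -> Optional[CertEvent]:
    """Return a CertEvent for a Dovecot certificate-verification line, else None."""
    m = PROXY_RE.search(line)
    if m:
        return CertEvent(m["ts"], m["service"], m["reason"], m["subject"],
                         backend=m["backend"], user=m["user"])
    m = WARN_RE.search(line)
    if m:
        return CertEvent(m["ts"], m["service"], m["reason"], m["subject"])
    return None

def summarize(log_text: str) -> dict:
    """Group proxy verification failures by backend and flag trust-store causes.

    Returns {backend: {"failures": n, "reasons": set, "subjects": set,
                       "users": set, "trust_store_suspect": bool}}.
    """
    per_backend: dict = defaultdict(lambda: {
        "failures": 0, "reasons": set(), "subjects": set(), "users": set(),
        "trust_store_suspect": False,
    })
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.backend is None:
            continue  # bare warnings carry no backend; the proxy error repeats them
        entry = per_backend[ev.backend]
        entry["failures"] += 1
        entry["reasons"].add(ev.reason)
        entry["subjects"].add(ev.subject)
        entry["users"].add(ev.user)
        if ev.reason in TRUST_STORE_REASONS:
            entry["trust_store_suspect"] = True
    return dict(per_backend)

if __name__ == "__main__":
    for backend, info in summarize(SAMPLE_LOG).items():
        hint = ("proxy cannot build the chain: confirm the file named by "
                "ssl_client_ca_file is actually being read"
                if info["trust_store_suspect"]
                else "problem is with the backend certificate itself")
        print(f"{backend}: {info['failures']} failure(s), "
              f"reasons={sorted(info['reasons'])}, users={sorted(info['users'])} "
              f"-> {hint}")
```

Run it over the real log instead of `SAMPLE_LOG` to separate "the proxy never loaded its CA file" (every backend fails with a trust-store reason, as in the report) from "one backend serves a bad certificate" (a single backend fails with a reason such as expiry), which is the distinction the atime check in the report is making by hand.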