Dovecot proxy ignores trusted root certificate store

Alex Bulan avb at
Mon Sep 21 17:45:45 UTC 2015

On Mon, 21 Sep 2015, Andrew McN wrote:

>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>> (end quote)
> Suggesting that on Redhat you should specify "the directory containing
> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
> Sounds like setting a file instead.  So that bit of documentation should
> be treated as rather suspect.
> Regards,
> Andrew

In some environments, root certs are stored in a hashed directory, in 
other environments they're stored in one file.  One would typically use 
one setting or the other.

I think ssl_client_ca_file was implemented later than ssl_client_ca_dir. 
The comment just needs to be updated.

More information about the dovecot mailing list