Dovecot proxy ignores trusted root certificate store

Alex Bulan avb at korax.net
Mon Sep 21 22:11:12 UTC 2015


On Mon, 21 Sep 2015, Edgar Pettijohn wrote:

> doveconf -n?

doveconf -n|grep ssl should suffice:

ssl = required
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
ssl_cert = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_require_crl = no

I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a 
temporary workaround, even though this is not what ssl_ca is for.  It 
happens to work, at least for now, but this is not a fix.

ssl_client_ca_file should be used instead, but it has no effect in proxy 
mode:

ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

This doesn't work either (and the Dovecot Wiki shows it used without "<"):

ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt

And "ssl_require_crl = no" is there to silence "unable to get certificate CRL" 
log messages.  I don't need it to check CRLs on the backend's certificate 
chain.
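
Added example, not part of the original message or of Dovecot: a small Python lint over `doveconf -n` output that flags the two things this message turns on, a "<" prefix on a setting that takes a path and a public root bundle loaded into ssl_ca. The function names, finding labels and bundle list are assumptions for illustration; the split between content-valued and path-valued settings follows the Dovecot 2.2 documentation.

```python
import re

# Settings whose value is file contents ("<path") vs. settings that take a path.
CONTENT_SETTINGS = {"ssl_ca", "ssl_cert", "ssl_key"}
PATH_SETTINGS = {"ssl_client_ca_file", "ssl_client_ca_dir"}
# Assumed list of public root bundles; the first path is the one in the post.
PUBLIC_BUNDLES = {"/usr/local/share/certs/ca-root-nss.crt",
                  "/etc/ssl/certs/ca-certificates.crt"}

def parse_doveconf(text):
    """Return the top-level 'key = value' settings from `doveconf -n` output."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):        # entering a nested section
            depth += 1
        elif line == "}":             # leaving it
            depth -= 1
        elif depth == 0:
            m = re.match(r"(\w+)\s*=\s*(.*)", line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def lint(settings):
    """Return (setting, finding) pairs for the TLS trust settings."""
    findings = []
    for key, value in settings.items():
        if key in PATH_SETTINGS and value.startswith("<"):
            findings.append((key, "path-setting-has-lt"))
        if key in CONTENT_SETTINGS and not value.startswith("<"):
            findings.append((key, "content-setting-missing-lt"))
    ca = settings.get("ssl_ca", "").lstrip("<")
    if ca in PUBLIC_BUNDLES:
        if settings.get("ssl_verify_client_cert") == "yes":
            # Client certificates issued under any public CA would chain to a trusted root.
            findings.append(("ssl_ca", "public-roots-trusted-for-client-certs"))
        else:
            findings.append(("ssl_ca", "public-roots-in-ssl_ca-workaround"))
    return findings

# Constructed sample: settings quoted in the post plus the "<" variant it mentions.
SAMPLE = """\
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
ssl_cert = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
"""

print(lint(parse_doveconf(SAMPLE)))
```
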

