Dovecot proxy ignores trusted root certificate store

Alex Bulan avb at
Mon Sep 21 22:11:12 UTC 2015

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:

> doveconf -n?

doveconf -n|grep ssl should suffice:

ssl = required
ssl_ca = </usr/local/share/certs/ca-root-nss.crt
ssl_cert = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_require_crl = no

I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a 
temporary workaround, even though this is not what ssl_ca is for.  It 
happens to work, at least for now, but this is not a fix.

ssl_client_ca_file should be used instead, but it has no effect in proxy 

ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

This doesn't work either (and the Dovecot Wiki shows it used without "<"):

ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt

And "ssl_require_crl = no" to silence "unable to get certificate CRL" log 
messages.  I don't need it to check CRLs on the backend's certificate 

More information about the dovecot mailing list