Dovecot proxy ignores trusted root certificate store

Timo Sirainen tss at
Tue Sep 22 11:05:33 UTC 2015

On 22 Sep 2015, at 01:11, Alex Bulan <avb at> wrote:
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
>> doveconf -n?
> doveconf -n|grep ssl should suffice:
> ssl = required
> ssl_ca = </usr/local/share/certs/ca-root-nss.crt
> ssl_cert = </path/to/my/file.pem
> ssl_key = </path/to/my/file.pem
> ssl_require_crl = no
> I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for.  It happens to work, at least for now, but this is not a fix.
> ssl_client_ca_file should be used instead, but it has no effect in proxy mode:

Yeah. The ssl_client_ca_file was implemented later than the SSL proxying code. I think this may be something that needs to wait for v2.3 to get fixed. v2.3 hopefully removes the duplicated ssl code and uses lib-ssl-iostream for proxying also, which makes this easier to implement.

More information about the dovecot mailing list