Dovecot dsync tcps sends incomplete certificate chain

Juri juri+dovecot at dividebyzero.it
Wed Jan 4 19:40:23 UTC 2017


Hi,
I'm trying to configure a Dovecot dsync service between two servers, using a tcp+ssl connection and
a valid Let's Encrypt certificate.
I followed the guide on the wiki (http://wiki.dovecot.org/Replication) using the tcps method, but
when I launch the replication it fails, writing to the log (/var/log/mail.err):
(Server 1 - sync "client" )| Error: sync: Disconnected from remote: Received invalid SSL
certificate: unable to get local issuer certificate: /CN=mail.dividebyzero.it
(Server 2 - sync "server")| Error: doveadm client disconnected before handshake: <no error>

If I try to connect to the server using openssl s_client, on port 993 (imaps) the server
correctly sends the full chain:
$ openssl s_client -connect server1.fqdn:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.dividebyzero.it
verify return:1
---
Certificate chain
0 s:/CN=mail.dividebyzero.it
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...

while on the doveadm port it fails:
$ openssl s_client -connect server1.fqdn:7557
CONNECTED(00000003)
depth=0 CN = mail.dividebyzero.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.dividebyzero.it
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=mail.dividebyzero.it
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...

I run Dovecot 2.2.13 on Debian 8.6:
$ dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
auth_default_realm = dividebyzero.it
auth_mechanisms = plain login
doveadm_password = (redacted)
doveadm_port = 7557
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
namespace inbox { (removed) }
passdb {
driver = pam
}
passdb {
args = username_format=%n /etc/vmail/%d/passwd
driver = passwd-file
}
plugin {
mail_replica = tcps:otherserver.fqdn
}
protocols = " imap lmtp"
service aggregator {
fifo_listener replication-notify-fifo {
user = dovecot
}
unix_listener replication-notify {
user = dovecot
}
}
service auth {
unix_listener auth-client {
group = Debian-exim
mode = 0660
}
unix_listener auth-userdb {
user = vmail
}
}
service doveadm {
inet_listener {
port = 7557
ssl = yes
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem
ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem
userdb {
driver = passwd
}
userdb {
args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
driver = static
}

Is it a known problem, or has it been resolved in a subsequent version?
If it is not, can you suggest a workaround in the meantime?
Thank you.
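An added diagnostic, not part of the original post or of Dovecot itself: it parses the "Certificate chain" block of openssl s_client output and reports whether the chain the server sent links up, certificate by certificate, to a trusted root. The two sample inputs are constructed from the runs quoted above; the trusted-root list is an assumption (in practice, take the subjects from the system CA bundle).

```python
import re
from typing import List, Optional, Tuple

# Assumed trust anchors: subjects of roots the verifying side trusts.
TRUSTED_ROOT_SUBJECTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

# Constructed sample inputs, condensed from the two s_client runs in the post above.
IMAPS_OUTPUT = """Certificate chain
 0 s:/CN=mail.dividebyzero.it
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
DOVEADM_OUTPUT = """verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:/CN=mail.dividebyzero.it
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Extract (subject, issuer) pairs from the 'Certificate chain' block of openssl s_client output."""
    chain, in_chain, subject = [], False, None
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":  # end of the chain block
            break
        elif in_chain and re.match(r"\d+\s+s:", line):  # e.g. "0 s:/CN=..."
            subject = line.split("s:", 1)[1].strip()
        elif in_chain and line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:].strip()))
            subject = None
    return chain

def chain_problem(chain, trusted_roots=TRUSTED_ROOT_SUBJECTS) -> Optional[str]:
    """None if each cert is signed by the next one and the last issuer is a trusted root, else why not."""
    if not chain:
        return "no certificates sent"
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            return f"broken link: {subj} claims issuer {issuer}, but next cert is {next_subj}"
    last_subj, last_issuer = chain[-1]
    if last_issuer in trusted_roots:
        return None
    return f"incomplete: server stopped at {last_subj}; intermediate {last_issuer} was not sent"
```

For a live check, feed parse_chain() the output of `openssl s_client -connect host:port -showcerts`; a result starting with "incomplete" on the doveadm port but None on 993 is exactly the mismatch described in the post.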


More information about the dovecot mailing list