Dovecot dsync tcps sends incomplete certificate chain

Fri Jan 6 08:20:45 UTC 2017

> On January 6, 2017 at 2:34 AM John Fawcett <john at voipsupport.it> wrote:
> 
> 
> On 01/05/2017 08:55 PM, Juri wrote:
> > 5 Gennaio 2017 01:21, "John Fawcett" <john at voipsupport.it> wrote:
> >
> >> On 01/04/2017 08:40 PM, Juri wrote:
> >>
> >>
> > Thank you.
> >
> > In fact I tried both settings, that is
> > |ssl_client_ca_dir = /etc/ssl/certs
> > |ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
> > but with no luck.
> > Actually, I noticed that with the two settings I get a slightly different error message (it took me
> > quite a bit to notice it!), that is:
> > |Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get issuer
> > certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > |Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get *local*
> > issuer certificate: /CN=mail.dividebyzero.it
> > (emphasis mine).
> > I suppose that in the first case - as the server is sending only the last certificate on the chain
> > - the client is unable to find the intermediate, while in the second case it won't find the root
> > one.
> >
> > I then tried, as you suggested me, to concatenate both the intermediate and the root certificate in
> > a single file, and it finally worked.
> > In any case the original point still stands: in the sync mode - at least on my version (2.2.13) -
> > the server sends only the last cert, so the client has to have the rest of the chain, instead of
> > needing to have only the root certificate.
> >
> > May I ask you which is the version of Dovecot bundled with CentOS, to know if this may be a bug
> > fixed in a newer version?
> >
> > Juri
> 
> Hi Juri
> 
> if you find validation failing when you have only the root certificate
> in the CA file but a chained server+intermediate in the server
> certificate file, then your analysis makes sense and it seems that the
> intermediate certificate is not being sent by the server. That ties in
> with the different error messages between imap and replication. 
> 
> It might be interesting to do a test with -showcerts parameter.
> 
> |openssl s_client -showcerts -connect hostname:|7557
> 
> |openssl s_client -showcerts -connect hostname:993 The bundled version of
> Dovecot on Centos 7 is 2.2.10 but I am not using that version. I am on
> 2.2.26, where I don't have the problem you see and both services send
> the server and intermediate certificate. I was unable to see any
> specific patches to the ssl or doveadm code for this issue, though it
> has undergone a few changes from 2.2.13. John |

You might want to return from passdb following things, if I understood your scenario correctly.

proxy=y host=your-backend-host ssl=any-cert port=993

https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Aki