Bug with 2.2.29-1~auto+25 back to haunt me

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Wed May 31 17:52:02 EEST 2017


After upgrading from 2.2.28-1~auto+45 to 2.2.29-1~auto+25 I'm getting
this:

May 31 16:44:31 mproxy dovecot: auth: Fatal: passdb imap: Cannot verify certificate without ssl_ca_dir or ssl_ca_file setting
May 31 16:44:31 mproxy dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
May 31 16:44:31 mproxy dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=141.42.206.36, lip=141.42.206.11, TLS, session=<ze1A9dJQZ8yNKs4k>

# doveconf -n 
# 2.2.devel (215fd61): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (403042e)
# OS: Linux 4.4.0-71-generic x86_64 Ubuntu 16.04.2 LTS 
auth_mechanisms = plain login
default_vsz_limit = 1 G
imapc_host = exchange-imap.charite.de
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = no
listen = *,::
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_plugins = mail_log notify
mail_uid = imapproxy
passdb {
  args = host=exchange-imap.charite.de port=993 ssl=imaps
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w userdb_imapc_host=exchange-imap.charite.de userdb_imapc_ssl=imaps userdb_imapc_port=993
  driver = imap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
ssl = required
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/dovecot/dovecot.pem
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = prefetch
}
verbose_proctitle = yes
  

So I added 
ssl_ca_file = /etc/ssl/certs/ca-certificates.crt

But alas:
May 31 16:50:24 mproxy dovecot: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:36: ssl_ca_file has been replaced by ssl_ca = <file

Gnarf! As you can see I do HAVE ssl_ca in my doveconf -n output!

ssl_ca = </etc/ssl/certs/ca-certificates.crt

So what gives?
  
  
-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt at charite.de | https://www.charite.de
	    

