Dovecot 2.3.0 TLS

Thu Jan 11 13:20:36 EET 2018

On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344