dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
Martin Johannes Dauser
mdauser at cs.sbg.ac.at
Fri Jul 20 12:14:21 EEST 2018
Hi,
I noticed some odd behaviour on my server. IMAP clients which
don't send a Server Name Indication (SNI) sometimes get the wrong
certificate. I would expect those clients to always get the default
certificate (of my new domain); instead, in about 20 to 50% of
connections the certificate of my old domain is presented.
(sample rate was 3 times 30 connections)
Clients sending SNI always get the right certificate.
A user informed me that offlineIMAP complains:
'CA Cert verifying failed:
no matching domain name found in certificate'
So at least offlineIMAP 7.0.12 from Debian stretch doesn't send SNI;
there is a newer version upstream though.
I myself checked the server's behaviour with openssl:
$ openssl s_client -showcerts -connect IP-address:993
and
$ openssl s_client -showcerts -connect IP-address:993 -servername imap.domain
I'm totally clueless about how this can happen.
Best regards
Martin Johannes Dauser
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux
Server release 7.5 (Maipo)
...
# Login service: plaintext IMAP on 143 is bound to loopback only,
# IMAPS on 993 is the TLS listener reachable from outside.
service imap-login {
inet_listener imap {
address = 127.0.0.1
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
# NOTE(review): with service_count = 0 one login process serves many
# connections, and process_min_avail = 8 keeps several such processes
# alive. Worth checking whether the non-SNI result correlates with which
# login process answers — e.g. compare against service_count = 1.
process_min_avail = 8
service_count = 0
}
...
# TLS is mandatory; no plaintext logins.
ssl = required
# Default cert/key, used when the client sends no SNI (or an unknown name).
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
# NOTE(review): "!TLSv1" in an OpenSSL cipher string is a cipher-suite
# alias, not a protocol switch; protocol versions are governed by
# ssl_protocols below. Check the effective list with "openssl ciphers -v".
# (The value is presumably one line in the real config; it was wrapped in
# the mail.)
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-
SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1
ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
# Only SSLv2 and SSLv3 are disabled here; TLS 1.0 and 1.1 remain enabled.
ssl_protocols = !SSLv2 !SSLv3
...
# Alternative cert for the old domain, selected by SNI name.
local_name mail.old.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name imap.old.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name pop.old.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
# Explicit cert for the new domain (same files as the default above).
local_name mail.new.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
# NOTE(review): "mail_new_doman.key" differs from the default ssl_key path
# above ("mail_new_domain.key"). If this is not just a typo in the mail,
# confirm that this file exists and matches the certificate in this block.
ssl_key = </etc/pki/dovecot/private/mail_new_doman.key
}
local_name imap.new.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
local_name pop.new.domain {
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}