dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

Martin Johannes Dauser mdauser at cs.sbg.ac.at
Fri Jul 20 12:14:21 EEST 2018


Hi,

I recognised some funny behaviour on my server. IMAP clients which
won't send a Server Name Indication (SNI) sometimes get the wrong
certificate. I would expect that those clients always get the default
certificate (of my new domain), instead in about 20 to 50% of
connections the certificate of my old domain will be presented.
(sample rate was 3 times 30 connections)

Clients sending SNI always get the right certificate.

A user informed me that offlineIMAP complains
'CA Cert verifying failed:
   no matching domain name found in certificate'
So at least offlineIMAP 7.0.12 from Debian stretch won't send SNI,
there is a newer version upstream though.


I myself checked the server's behaviour with openssl:

$ openssl s_client -showcerts -connect IP-address:993

and

$ openssl s_client -showcerts -connect IP-address:993 -servername imap.domain


I'm totally clueless about how this comes about.

Best regards
Martin Johannes Dauser




# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.5 (Maipo)

...

service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 8
  service_count = 0
}

...

ssl = required
# set default cert
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1

ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
ssl_protocols = !SSLv2 !SSLv3

...

# set alternative cert for old domain
local_name mail.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name imap.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name pop.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}

# set explicit cert for new domain
local_name mail.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_doman.key
}
local_name imap.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
local_name pop.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
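The manual openssl check above only shows one handshake at a time. The following added script (not part of the original post, and not Dovecot code) repeats the connection many times with and without SNI and tallies which certificate subject is presented in each mode, so the reported 20-50% mix can be measured instead of eyeballed. HOST, PORT and SNI at the bottom are placeholders to replace; the chain must validate against the local CA store because only the hostname check is disabled.

```python
"""Repeatedly probe an IMAPS endpoint with and without SNI and count which
certificate is served.  Added example; host/port/SNI values are assumptions."""
import socket
import ssl
from collections import Counter
from typing import Iterable, Optional, Tuple

Names = Tuple[str, Tuple[str, ...]]


def cert_names(cert: dict) -> Names:
    """Reduce an ssl.getpeercert() dict to (commonName, sorted DNS SANs)."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return cn, tuple(sans)


def fetch_cert(host: str, port: int, sni: Optional[str], timeout: float = 5.0) -> dict:
    """One TLS handshake.  sni=None sends no SNI extension, like a legacy client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want the cert, not a name verdict
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation so getpeercert() is populated
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def tally(certs: Iterable[dict]) -> Counter:
    """Count how often each distinct (CN, SANs) pair was presented."""
    return Counter(cert_names(c) for c in certs)


def inconsistent(counts: Counter) -> bool:
    """True when the same probe mode returned more than one certificate."""
    return len(counts) > 1


def probe(host: str, port: int, sni: Optional[str], samples: int = 30) -> Counter:
    """Sample the endpoint `samples` times in one mode (matches the 30-connection runs)."""
    return tally(fetch_cert(host, port, sni) for _ in range(samples))


if __name__ == "__main__":
    HOST, PORT, SNI = "imap.domain", 993, "imap.domain"  # placeholders, replace
    for label, name in (("no SNI", None), ("SNI=" + SNI, SNI)):
        counts = probe(HOST, PORT, name)
        flag = " <- MIXED" if inconsistent(counts) else ""
        for (cn, sans), n in counts.items():
            print(f"{label:>16}: {n:2d}x CN={cn} SAN={','.join(sans)}{flag}")
```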
