dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 23 10:05:39 EEST 2018


Can you provide some details on what those openssl commands returned?

Aki


On 20.07.2018 12:14, Martin Johannes Dauser wrote:
> Hi,
>
> I recognised some funny behaviour on my server. IMAP clients which
> won't send a Server Name Indication (SNI) sometimes get the wrong
> certificate. I would expect that those clients always get the default
> certificate (of my new domain); instead, in about 20 to 50% of
> connections the certificate of my old domain will be presented.
> (sample rate was 3 times 30 connections)
>
> Clients sending SNI always get the right certificate.
>
> A user informed me that offlineIMAP complains
> 'CA Cert verifying failed:
>    no matching domain name found in certificate'
> So at least offlineIMAP 7.0.12 from Debian stretch won't send SNI;
> there is a newer version upstream though.
>
>
> I myself checked the server's behaviour with openssl:
>
> $ openssl s_client -showcerts -connect IP-address:993
>
> and
>
> $ openssl s_client -showcerts -connect IP-address:993 -servername
> imap.domain
>
>
> I'm totally clueless as to how this comes about.
>
> Best regards
> Martin Johannes Dauser
>
>
>
>
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.5 (Maipo)
>
> ...
>
> service imap-login {
>   inet_listener imap {
>     address = 127.0.0.1
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
>   process_min_avail = 8
>   service_count = 0
> }
>
> ...
>
> ssl = required
> # set default cert
> ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
> ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1
>
> ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> ssl_protocols = !SSLv2 !SSLv3
>
> ...
>
> # set alternative cert for old domain
> local_name mail.old.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> }
> local_name imap.old.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> }
> local_name pop.old.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
> }
>
> # set explicit cert for new domain
> local_name mail.new.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> }
> local_name imap.new.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> }
> local_name pop.new.domain {
>   ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
>   ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
> }
>
>
>
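The probe Martin describes (openssl s_client with and without -servername, 3 times 30 connections), as an added script that is not part of this thread: it repeats the handshake N times for one client type and tallies which certificate subject was served, so an intermittent wrong certificate shows up as a second row instead of being missed on a single try. It assumes openssl on PATH and a reachable IMAPS host; host, port and SNI name are placeholders passed as arguments.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: repeat the openssl probe N times with and
# without -servername and tally the certificate subject served on each connection.
# Assumes openssl on PATH; host, port and the SNI name are placeholder arguments.

# One TLS handshake; prints the leaf certificate's subject line.
# $3 empty = send no SNI (what offlineIMAP 7.0.12 does); non-empty = send that name.
probe_subject() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    fi | openssl x509 -noout -subject 2>/dev/null
}

# stdin: one subject line per connection. stdout: "count subject", most frequent
# first. A second row means the server is not consistent for this kind of client.
tally() {
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# stdin: one subject line per connection. Prints how many distinct subjects were seen.
distinct_count() {
    sort -u | wc -l | tr -d ' '
}

# Run N handshakes of one kind, print the tally, and return status 1 if more than
# one distinct certificate was served (the 20-50% flip-flop from the report).
sample() {
    host=$1; port=$2; sni=$3; n=${4:-30}
    out=$(i=0; while [ "$i" -lt "$n" ]; do
              probe_subject "$host" "$port" "$sni"; i=$((i + 1))
          done)
    printf '%s\n' "$out" | tally
    [ "$(printf '%s\n' "$out" | distinct_count)" -le 1 ]
}

# Usage (placeholders): run the no-SNI and the SNI sample back to back, 30 each.
#   sample IP-address 993 "" 30            # no SNI: should always be the default cert
#   sample IP-address 993 imap.domain 30   # with SNI: should always be that name's cert
```

Run both samples against the same listener; a non-SNI tally with two rows reproduces the report, while a single-row tally on both means the server is consistent and the client side is worth examining instead.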