dovecot 2.3.x, ECC and wildcard certificates, any issues

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 30 20:49:24 EEST 2018


I don't know how to get both RSA and ECC cert from letsencrypt.

Aki

> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
> 
> 
> Hello,
> 
> What acme implementation do you use for your letsencrypt certificates?
> If it's acme.sh how do you get both rsa and ecc certificates? What
> configuration options are you using in your configuration of services
> to allow access to both rsa and ecc?
> 
> Thanks.
> Dave.
> 
> 
> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
> > Hello,
> >
> > The client in question is the latest version of AquaMail running on
> > android.
> >
> > Thanks.
> > Dave.
> >
> >
> > On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >> You should, in practice, enable both. This gives best client compatibility.
> >> It
> >> is possible you have clients that cannot understand ECC certificates? You
> >> can use ssl_alt_cert to provide RSA cert too.
> >>
> >> Aki
> >>
> >>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
> >>>
> >>>
> >>> Hi,
> >>>
> >>> Thanks, good news is that worked. Bad news is it all looks good which
> >>> means I do not know why my remote clients can't get their email,
> >>> looked like from the logs it was that.
> >>>
> >>> Would 143 be better or 993 for the external clients?
> >>>
> >>> Thanks.
> >>> Dave.
> >>>
> >>>
> >>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >>> >
> >>> >> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com> wrote:
> >>> >>
> >>> >>
> >>> >> Hello,
> >>> >>
> >>> >> Does dovecot 2.3.x have any issues recognizing or using certificates
> >>> >> that are ECC and wildcard? I'm trying to switch my letsencrypt
> >>> >> implementation from acme-client which does not support either of
> >>> >> those
> >>> >> capabilities to acme.sh which does. Since then external clients
> >>> >> checking their email has not worked. A manual telnet to
> >>> >> mail.example.com 993 gives a connected message but then nothing, no
> >>> >> greeting or capabilities.
> >>> >>
> >>> >> The certificate is for example.com with an alt name of *.example.com;
> >>> >> if that's not right let me know, I'm not sure about that one.
> >>> >> Connecting to the web sites of these pages seems noticeably slower;
> >>> >> I'm wondering if both of these issues aren't key related?
> >>> >>
> >>> >> Thanks.
> >>> >> Dave.
> >>> >
> >>> > These both should be fine.
> >>> >
> >>> > Port 993 is TLS encrypted, you should use openssl s_client -connect
> >>> > server:993
> >>> >
> >>> > Aki
> >>> >
> >>
> >
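The ssl_alt_cert arrangement Aki refers to, written out as a Dovecot 2.3 configuration fragment. This is an added example, not a file from the thread or from the Dovecot project; the certificate and key paths are assumptions (acme.sh installs wherever --install-cert is pointed), and the commented openssl s_client commands are the checks a defender would run from outside after a reload to confirm that each client type actually gets a usable chain and the IMAP greeting that Dave was missing.

```conf
# /etc/dovecot/conf.d/10-ssl.conf (example, paths are assumptions)

ssl = required

# Primary chain: ECDSA certificate for example.com with SAN *.example.com.
# The leading "<" tells Dovecot to read the file contents at startup.
# acme.sh keeps an ECC issuance (--keylength ec-256) separate from an RSA
# issuance (--keylength 2048); "acme.sh --install-cert --ecc ..." and
# "acme.sh --install-cert ..." copy each into the paths below
# (acme.sh behaviour as known to the editor, not stated in the thread).
ssl_cert = </etc/ssl/dovecot/example.com_ecc/fullchain.pem
ssl_key  = </etc/ssl/dovecot/example.com_ecc/privkey.pem

# Alternative chain: RSA, offered to clients that cannot negotiate ECDSA.
# Dovecot picks whichever chain matches the client's advertised signature
# algorithms / cipher suites, so old clients keep working without
# weakening the ECDSA path for everyone else.
ssl_alt_cert = </etc/ssl/dovecot/example.com_rsa/fullchain.pem
ssl_alt_key  = </etc/ssl/dovecot/example.com_rsa/privkey.pem

# Keep the protocol floor sane; the fallback chain is about key type,
# not about re-enabling legacy TLS versions.
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

# --- Checks after "doveadm reload" (run from a shell, not part of the config) ---
# Confirm both settings were picked up:
#   doveconf -n ssl_cert ssl_alt_cert
# Implicit TLS on 993: a plain "telnet host 993" shows nothing after connect
# because the server waits for a ClientHello. Use s_client instead, forcing
# TLS 1.2 and each authentication type so both chains get exercised:
#   openssl s_client -connect mail.example.com:993 -servername mail.example.com -tls1_2 -cipher aECDSA
#   openssl s_client -connect mail.example.com:993 -servername mail.example.com -tls1_2 -cipher aRSA
# STARTTLS on 143 is tested the same way with the protocol named:
#   openssl s_client -connect mail.example.com:143 -servername mail.example.com -starttls imap
# Each run should show "Verify return code: 0 (ok)", a subjectAltName containing
# DNS:*.example.com, and end with the "* OK [CAPABILITY ...] Dovecot ready." greeting.
```

Whichever of 143 with STARTTLS or 993 with implicit TLS is exposed, the s_client check is the one that distinguishes "TCP connects but the handshake fails" (typically an unreadable key file or a chain/key mismatch, which `doveadm log errors` will show) from a genuine client-side certificate problem, which is the split Dave's telnet test could not make.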


More information about the dovecot mailing list