Dovecot dsync certificate errors

Stephan Mending list at md5collisions.eu
Mon Feb 22 00:43:52 EET 2021


Hi *, 
I've set up two dovecot instances. 
As soon as I send the syncing part of dovecot to work, I see the following errors in my mail logs. 

$ cat /var/log/mail.log 
doveadm(inbox at sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
doveadm(inbox at sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames

A little context: The certificates on the servers are issued by a private CA. The public CA-Certificate has been added to the keystore, though. Shouldn't be a problem. 
I can confirm that by connecting using s_client -> 

$ openssl s_client -connect <hostname-of-dovecot-A>:12345
..
...
....

Verify return code: 0 (ok)

So far the certificate seems to be ok. 
**BUT**: As soon as I start dovecot (on the very same machine I issued the s_client command above) ... I am receiving the error messages: 

doveadm(inbox at sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
doveadm(inbox at sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames

And yes the SubjectAlternativeName in the certificate matches the configured FQDN in 30-dsync.conf.

My 30-dsync.conf: 

$ cat /etc/dovecot/conf.d/30-dsync.conf

service aggregator {
        fifo_listener replication-notify-fifo {
                user = dovecot
                mode = 0666
        }
        unix_listener replication-notify {
                user = dovecot
                mode = 0666
        }
}

# Configuring the replicator service
service replicator {
        process_min_avail = 1
        unix_listener replicator-doveadm {
                user = dovecot
                mode = 0666
        }
}
service doveadm {
        user = dovecot
        inet_listener {
                port = 12345
                ssl = yes
        }
}

doveadm_port = 12345
doveadm_password = <password>
replication_max_conns = 1

plugin {
        mail_replica = tcps:fqdn.of.system
}

service config {
        unix_listener config {
                user = dovecot
        }
}


I'd love to hear the answer to this. 

Thanks a lot! 

Best regards, 
Stephan
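As an added example (not part of Stephan's post and not Dovecot's own code), the following Python script reproduces, offline, the host name comparison a TLS client such as doveadm performs against the server certificate's SubjectAltName. It is worth running before starting replication, because "Verify return code: 0 (ok)" from `openssl s_client` only says the chain validates against the CA: s_client does not compare the host name at all unless it is invoked with `-verify_hostname <name>`. The SAN dump and host names below are constructed; `parse_san` reads the text that `openssl x509 -in cert.pem -noout -ext subjectAltName` prints, and `mail_replica_host` strips the `tcp:`/`tcps:` prefix used in 30-dsync.conf (assumed forms: HOST, HOST:PORT, [IPv6]:PORT; the ssh-based `remote:` forms are not handled).

```python
"""Offline check of a certificate's SubjectAltName against the host that
doveadm/dsync compares it to (the host part of mail_replica).

Added example, not from the original post or from Dovecot. The SAN text and
host names are constructed for illustration."""
import ipaddress

# Constructed sample: what `openssl x509 -in cert.pem -noout -ext subjectAltName`
# prints for a hypothetical replica certificate (not the poster's certificate).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:mail1.example.test, DNS:*.sync.example.test, IP Address:192.0.2.10
"""


def parse_san(openssl_text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN dump."""
    dns_names, ip_addrs = [], []
    for line in openssl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry[len("DNS:"):].strip())
            elif entry.startswith("IP Address:"):
                ip_addrs.append(ipaddress.ip_address(entry[len("IP Address:"):].strip()))
    return dns_names, ip_addrs


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and a
    wildcard only matches when it is the entire left-most label of the SAN."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                      # partial or non-leading wildcard: reject
    if len(p_labels) < 3:
        return False                      # refuse "*.tld"
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False                      # the wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def mail_replica_host(value):
    """Host part of a tcp:/tcps: mail_replica value (assumed forms: HOST,
    HOST:PORT, [IPv6]:PORT or a bare IP literal; remote: forms not handled)."""
    for prefix in ("tcps:", "tcp:"):
        if value.startswith(prefix):
            value = value[len(prefix):]
            break
    try:
        ipaddress.ip_address(value)
        return value                      # bare IPv4/IPv6 literal without a port
    except ValueError:
        pass
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]  # bracketed IPv6 literal, optional :port
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() else value


def cert_matches_host(san_text, configured_host):
    """Mirror the client's decision: an IP literal needs a matching IP SAN, a
    DNS name needs a matching DNS SAN; the CN is not consulted once any SAN
    exists (RFC 6125 behaviour). Returns (ok, reason)."""
    dns_names, ip_addrs = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ip_addrs:
            return True, "IP SAN matches %s" % ip
        return False, "%s is an IP literal but none of %d IP SANs match" % (configured_host, len(ip_addrs))
    for name in dns_names:
        if dns_name_matches(name, configured_host):
            return True, "DNS SAN %s matches %s" % (name, configured_host)
    return False, "No match to %d DNS SubjectAltNames: %s" % (len(dns_names), ", ".join(dns_names))


if __name__ == "__main__":
    for replica in ("tcps:mail1.example.test", "tcps:MAIL1.example.test.",
                    "tcps:node3.sync.example.test", "tcps:192.0.2.10",
                    "tcps:mail2.example.test:12345", "tcps:sync.example.test"):
        host = mail_replica_host(replica)
        print("%-35s -> %s" % (replica, cert_matches_host(SAMPLE_SAN_OUTPUT, host)))
```

Paste the real SAN dump in place of the constructed one and the real `mail_replica` value from 30-dsync.conf: if the script reports no match, the certificate needs a SAN for exactly that host (a wildcard covers one label only, and an IP literal in `mail_replica` needs an IP SAN, not a DNS SAN). The offline check is also the quick way to rule out case, trailing-dot and CN-only certificates as the cause.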

