<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<blockquote type="cite">
<div>
On 28 March 2019 22:02 Aki Tuomi via dovecot &lt;dovecot@dovecot.org&gt; wrote:
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 21:52 Robert Kudyba &lt;rkudyba@fordham.edu&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<blockquote type="cite">
<div class="">
<div class="">
Set
</div>
<div class="">
<br class="">
</div>
<div class="">
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
</div>
</div>
</blockquote>
<div>
<br class="">
</div>
<div>
Can this be the Let's Encrypt cert that we already have? In other words, we have:
</div>
<div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_key = &lt;/etc/pki/dovecot/private/dovecot.pem</span>
</div>
</div>
<div>
<br class="">
</div>
<div>
Can those be used?
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Set it to the *CA* cert. You can also use
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_file=/etc/pki/tls/ca-bundle.crt (on CentOS)
</div>
<div>
<br>
</div>
<div>
or
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_dir=/etc/ssl/certs (on Debian-based)
</div>
<blockquote type="cite">
<div>
<blockquote type="cite">
<div class="">
<div class="">
Are you using haproxy or something in front of dovecot?
</div>
</div>
</blockquote>
<br class="">
</div>
<div>
No. Just Squirrelmail webmail with sendmail.
</div>
<br class="">
</blockquote>
<div>
Maybe squirrelmail supports forwarding the original client IP with the ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced?
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</blockquote>
<div>
Also check that auth_policy_request_attributes uses %{rip} and not %{real_rip}. You can see this with
</div>
<div>
<br>
</div>
<div>
`doveconf auth_policy_request_attributes`
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
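<div>
The two checks suggested in this thread, as an added shell example that is not part of the original messages or of Dovecot: it reports which variable feeds the remote= policy attribute and whether the file named in ssl_client_ca_file is a CA certificate rather than a server certificate. The function names and the SAMPLE line are constructed for illustration.
</div>

```shell
#!/bin/sh
# Added example; function names and SAMPLE are constructed for illustration.

# Constructed doveconf output, used when doveconf is not installed.
SAMPLE='auth_policy_request_attributes = login=%{requested_username} remote=%{real_rip} protocol=%s'

# Read `doveconf auth_policy_request_attributes` output on stdin and
# print the variable assigned to the remote= attribute (empty if absent).
policy_remote_var() {
    sed -n 's/^auth_policy_request_attributes *= *//p' |
        tr ' ' '\n' | sed -n 's/^remote=//p' | head -n 1
}

# Classify that variable: ok (%{rip}), real_rip, missing, or other.
check_policy_remote() {
    v=$(policy_remote_var)
    case "$v" in
        '%{rip}')      echo ok ;;
        '%{real_rip}') echo real_rip ;;
        '')            echo missing ;;
        *)             echo other ;;
    esac
}

# Succeed if the first certificate in a PEM file carries CA:TRUE.
# An end-entity (server) certificate normally fails this check.
# For a multi-certificate bundle only the first entry is inspected.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Use the live configuration when doveconf exists, else the sample line.
if command -v doveconf >/dev/null 2>&1; then
    attrs=$(doveconf auth_policy_request_attributes)
    ca=$(doveconf -h ssl_client_ca_file)
else
    attrs=$SAMPLE
    ca=''
fi

echo "remote attribute: $(printf '%s\n' "$attrs" | check_policy_remote)"
if [ -n "$ca" ]; then
    if is_ca_cert "$ca"; then
        echo "$ca: CA certificate"
    else
        echo "$ca: first certificate is not a CA"
    fi
fi
```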
</body>
</html>