<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 07/08/2019 00:37 Joseph Tam via dovecot &lt;<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On Tue, 6 Aug 2019, telsch wrote:
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X
</div>
<div>
ssl_ca = &lt;/etc/ssl/ca-bundle.pem<br>
ssl_cert = &lt;/etc/ssl-imap.pem
</div>
</blockquote>
<div>
In the words of Montoya, "I do not think it means what you think it
</div>
<div>
means", referring to "ssl_ca". That file is not used to establish
</div>
<div>
the trust chain to your server certificate, but rather, to your client's
</div>
<div>
certificates (e.g. if you run a local CA to issue user certificates
</div>
<div>
for mutual authentication, you would put your local CA certificate here).
</div>
<div>
<br>
</div>
<div>
(Maybe this config variable should be renamed "ssl_client_ca".)
</div>
</blockquote>
<div>
<br>
</div>
<div>
... except there already are ssl_client_ca_* settings used to validate connections from dovecot.
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div></div>
<div>
Appending intermediate and server certificates is what you're supposed
</div>
<div>
to do.
</div>
<div>
<br>
</div>
<div>
Joseph Tam &lt;<a href="mailto:jtam.home@gmail.com">jtam.home@gmail.com</a>&gt;
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
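<div>
The following lint is an added example, not part of the original thread or of Dovecot itself. It flags the configuration discussed above, where ssl_ca is set as if it carried the server's chain while ssl_cert holds only one certificate. The PEM contents are constructed placeholders, and the helper names (fake_pem, parse_settings, lint) are hypothetical; the paths are the ones quoted in the thread.
</div>

```python
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
SETTING = re.compile(r"^\s*(ssl_\w+)\s*=\s*(.*?)\s*$")

def fake_pem(n):
    """Constructed placeholder PEM blocks (not real certificates)."""
    block = PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    return block * n

def parse_settings(conf_text):
    """Collect ssl_* settings from dovecot.conf-style text, ignoring comments."""
    settings = {}
    for line in conf_text.splitlines():
        m = SETTING.match(line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def lint(conf_text, read_file):
    """Return findings; read_file(path) -> text is injected so this runs offline."""
    s = parse_settings(conf_text)
    findings = []
    cert = s.get("ssl_cert", "")
    if cert.startswith("<") and read_file(cert[1:]).count(PEM_BEGIN) == 1:
        findings.append("ssl_cert has one certificate: if an intermediate CA "
                        "issued it, append the intermediate(s) after it")
    if "ssl_ca" in s and s.get("ssl_verify_client_cert", "no") != "yes":
        findings.append("ssl_ca is set but client certificates are not verified: "
                        "ssl_ca does not supply the server's chain")
    return findings

# Constructed file contents keyed by the paths quoted in the thread.
BEFORE_CONF = "ssl_ca = </etc/ssl/ca-bundle.pem\nssl_cert = </etc/ssl-imap.pem\n"
BEFORE_FILES = {"/etc/ssl/ca-bundle.pem": fake_pem(1), "/etc/ssl-imap.pem": fake_pem(1)}
# After: server certificate first, then the intermediate, in one ssl_cert file.
AFTER_CONF = "ssl_cert = </etc/ssl-imap.pem\n"
AFTER_FILES = {"/etc/ssl-imap.pem": fake_pem(1) + fake_pem(1)}

if __name__ == "__main__":
    for name, conf, files in (("before", BEFORE_CONF, BEFORE_FILES),
                              ("after", AFTER_CONF, AFTER_FILES)):
        print(name, lint(conf, files.__getitem__) or "ok")
```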
</body>
</html>