Dovecot does not send the CA file unless ssl_verify_client_cert is set to yes

user110971

2/25/23, 4:35 AM

I have a Postfix / Dovecot / MySQL email server with user password login configured. Everything works fine except for the fact that Dovecot does not send the chain CA file to the client. I have

ssl_cert = </etc/apache2/ssl/apache.crt
ssl_key = </etc/apache2/ssl/apache.key
ssl_ca = </etc/apache2/ssl/apache.pem

in my /etc/dovecot/conf.d/10-ssl.conf. However, the CA file is not sent.

openssl s_client -connect server.com:143 -starttls imap
CONNECTED(00000003)
depth=0 CN = server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.com
verify error:num=21:unable to verify the first certificate
verify return:1
...

If I add ssl_verify_client_cert = yes, everything works fine.

openssl s_client -connect server.com:143 -starttls imap
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 CN = server.com
verify return:1

I am not using client certificate authorization though. Have I misunderstood the Dovecot configuration or is this expected behavior? Should I leave it like this?

0 + 0

debian

dovecot

debian-buster

Score:0

Server

user110971

2/25/23, 4:59 AM

Solved my own problem. You need to merge the certificate with the chain file.

cat apache.crt apache.pem > dovecot.crt

Then you simply have

ssl_cert = </etc/apache2/ssl/dovecot.crt
ssl_key = </etc/apache2/ssl/apache.key

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Dovecot does not send the CA file unless ssl_verify_client_cert is set to yes

TH: Dovecot จะไม่ส่งไฟล์ CA เว้นแต่จะตั้งค่า ssl_verify_client_cert เป็น ใช่

RO: Dovecot nu trimite fișierul CA decât dacă ssl_verify_client_cert este setat la yes

RU: Dovecot не отправляет файл CA, если для ssl_verify_client_cert не установлено значение yes

VI: Dovecot không gửi tệp CA trừ khi ssl_verify_client_cert được đặt thành có

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.