I have a Postfix / Dovecot / MySQL email server with user password login configured. Everything works fine except for the fact that Dovecot does not send the chain CA file to the client. I have

ssl_cert = </etc/apache2/ssl/apache.crt
ssl_key = </etc/apache2/ssl/apache.key
ssl_ca = </etc/apache2/ssl/apache.pem

in my /etc/dovecot/conf.d/10-ssl.conf. However, the CA file is not sent.

openssl s_client -connect server.com:143 -starttls imap
CONNECTED(00000003)
depth=0 CN = server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.com
verify error:num=21:unable to verify the first certificate
verify return:1
...

If I add ssl_verify_client_cert = yes, everything works fine.

openssl s_client -connect server.com:143 -starttls imap
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 CN = server.com
verify return:1

I am not using client certificate authorization though. Have I misunderstood the Dovecot configuration or is this expected behavior? Should I leave it like this?

user110971

1 Answer

Solved my own problem. You need to merge the certificate with the chain file.

cat apache.crt apache.pem > dovecot.crt

Then you simply have

ssl_cert = </etc/apache2/ssl/dovecot.crt
ssl_key = </etc/apache2/ssl/apache.key
user110971
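The answer is the documented Dovecot behaviour: ssl_cert is expected to hold the server certificate followed by the intermediate chain, while ssl_ca is only read for verifying client certificates (which is why the chain appeared once ssl_verify_client_cert was switched on). The script below is an added example, not the poster's or Dovecot's own code. It performs the merge from the answer, then checks the merged file the way a mail client will read it: server certificate first, each certificate issued by the one after it, and the whole path chaining to a trusted root. All file names are hypothetical, and a throwaway root -> intermediate -> server test PKI is generated (constructed test data) so it runs stand-alone; swap in the real apache.crt / apache.pem / root bundle to check a production file.

```shell
#!/bin/sh
# Added example (not from the original post): build the merged "server cert +
# chain" file the answer describes and verify it offline with openssl before
# pointing Dovecot's ssl_cert at it. Paths are hypothetical; a constructed
# test PKI is generated so the script runs stand-alone.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_ext_cnf() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Constructed test PKI: root.pem (trust anchor), chain.pem (the intermediate,
# playing the role of apache.pem) and server.crt (playing apache.crt).
make_test_pki() {
  write_ext_cnf
  ( cd "$WORK"
    openssl req -x509 -config ext.cnf -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Test Root" -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Test Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions v3_ca -out chain.pem 2>/dev/null
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=server.com" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA chain.pem -CAkey inter.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions v3_leaf -out server.crt 2>/dev/null )
}

# The step from the answer: server certificate FIRST, then the chain file.
merge_chain() {  # $1 = server cert, $2 = chain file, $3 = merged output
  cat "$1" "$2" > "$3"
}

# Split a PEM bundle into c1.pem, c2.pem, ... in the given directory.
split_bundle() {  # $1 = bundle, $2 = output dir
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/c" n ".pem")}' "$1"
}

# Check the merged file the way a TLS client reads it. Prints "ok" on success,
# otherwise a one-line reason. $1 = bundle, $2 = trusted root, $3 = server cert.
check_chain() {
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  first=$(openssl x509 -in "$dir/c1.pem" -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  [ "$first" = "$want" ] || { echo "first cert in bundle is not the server cert"; return 1; }
  i=1
  while [ -f "$dir/c$((i+1)).pem" ]; do
    issuer=$(openssl x509 -in "$dir/c$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$dir/c$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "cert $i is not issued by cert $((i+1))"; return 1; }
    i=$((i+1))
  done
  # Build the path as a client would: the bundle supplies untrusted
  # intermediates, only the root is trusted.
  openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1 \
    || { echo "chain does not verify up to the root"; return 1; }
  echo ok
}

main() {
  make_test_pki
  merge_chain "$WORK/server.crt" "$WORK/chain.pem" "$WORK/dovecot.crt"
  check_chain "$WORK/dovecot.crt" "$WORK/root.pem" "$WORK/server.crt"
  # Once Dovecot has been reloaded with ssl_cert = <dovecot.crt, the same
  # check against the live service is the command from the question with
  # -showcerts added: openssl s_client -connect server.com:143 -starttls imap -showcerts
}
main
```

Running the check against a file merged in the wrong order (chain first, server certificate last) reports "first cert in bundle is not the server cert", which is the same mistake that leaves openssl s_client printing "unable to get local issuer certificate" even though the intermediate is technically present in the file.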