On 2022-06-29 22:00, Jürgen Echter wrote:
On Wednesday, June 29, 2022 21:24 CEST, Maurizio Caloro <mau...@gmx.ch> wrote:

On Postfix this now seems to run, and with Dovecot I also need to handle these two domains,
but these error messages are appearing, like:

Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines: ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<FdklDjkdfrkfi>

Running with Debian Buster

# dovecot --version
2.3.4.1 (f79e8e7e4)

# nmail.caloro.ch
local_name nmail.caloro.ch {
    ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
    ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
    }
# nmail.calm-ness.ch
local_name nmail.calm-ness.ch {
    ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
    ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
    }

Thanks for any possible help




Hi,

the config says "You will still need a top-level default ssl_key and
ssl_cert as well, or you will receive errors."

I don't know if this is also a must have for SNI, as it is noted for
multiple certificates per IP.

https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#dovecot-ssl-configuration
This is also true for SNI.

From the config snippet above, configure the cert/key for nmail.caloro.ch as default ssl_cert / ssl_key, so without the local_name nmail.caloro.ch.

The nmail.calm-ness.ch can stay as is and will be served when requested through SNI.

--
 Christian Kivalo
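
Added example (not part of the original thread, and not Dovecot's own tooling): a small Python check for two problems visible in the quoted configuration, the missing top-level default ssl_cert/ssl_key and the Let's Encrypt files assigned the wrong way round (ssl_cert takes the certificate chain, ssl_key the private key). The sample is constructed from the snippet above; the parser assumes a flat file containing only local_name blocks, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE = """\
local_name nmail.caloro.ch {
    ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
    ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
}
local_name nmail.calm-ness.ch {
    ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
    ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
}
"""

SETTING = re.compile(r"^(ssl_cert|ssl_key)\s*=\s*<\s*(\S+)$")
BLOCK = re.compile(r"^local_name\s+(.+?)\s*\{$")


def parse(text):
    """Map scope ('' = top level, else the local_name) -> {setting: path}."""
    scopes, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if m := BLOCK.match(line):
            current = m.group(1)
            scopes.setdefault(current, {})
        elif line == "}":
            current = ""  # assumption: blocks are not nested
        elif m := SETTING.match(line):
            scopes[current][m.group(1)] = m.group(2)
    return scopes


def lint(text):
    """Return a list of findings for the SNI certificate setup."""
    scopes, findings = parse(text), []
    for name in ("ssl_cert", "ssl_key"):
        if name not in scopes[""]:
            findings.append(f"top level: no default {name}")
    for scope, settings in scopes.items():
        where = scope or "top level"
        # Heuristic on Let's Encrypt file names: fullchain.pem / cert.pem
        # hold certificates, privkey.pem holds the private key.
        if settings.get("ssl_cert", "").endswith("/privkey.pem"):
            findings.append(f"{where}: ssl_cert points at a private key file")
        if settings.get("ssl_key", "").endswith(("/fullchain.pem", "/cert.pem")):
            findings.append(f"{where}: ssl_key points at a certificate file")
    return findings
```

Calling lint(SAMPLE) returns six findings; a file with a top-level default pair and each ssl_cert on fullchain.pem returns an empty list.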
