Package: dovecot-core
Version: 1:2.2.13-12~deb8u1

Hi,
when configuring a doveadm listener service on a TCP port with SSL enabled, 
the server sends only the last certificate on the chain, instead of the 
complete chain.
The same server, when being contacted on IMAPS port, correctly sends the whole 
chain.

This issue is not present on the same upstream version (2.2.13), nor in the 
Debian jessie-backport version (1:2.2.26.0-4~bpo8+1), and impacts services such 
as dsync mailbox replication (it complains about being unable to get the issuer 
or local issuer certificate, depending on the certificate the sync client 
compares against).

Sample output from openssl s_client (the real domains are obfuscated for 
privacy reasons):
(doveadm port [15015]):
|$ openssl s_client -connect server.fqdn:15015
|CONNECTED(00000003)
|depth=0 CN = mail.server.fqdn
|verify error:num=20:unable to get local issuer certificate
|verify return:1
|depth=0 CN = mail.server.fqdn
|verify error:num=21:unable to verify the first certificate
|verify return:1
|---
|Certificate chain
| 0 s:/CN=mail.server.fqdn
|   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
|---
...

(IMAPS port [993]):
|$ openssl s_client -connect server.fqdn:993
|CONNECTED(00000003)
|depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
|verify return:1
|depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
|verify return:1
|depth=0 CN = mail.server.fqdn
|verify return:1
|---
|Certificate chain
| 0 s:/CN=mail.server.fqdn
|   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
| 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
|   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
|---
...

This is the relevant output of dovecot -n:
|$ dovecot -n
|# 2.2.13: /etc/dovecot/dovecot.conf
|# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 
|auth_default_realm = server.fqdn
|auth_mechanisms = plain login
|doveadm_password = (redacted)
|doveadm_port = 15015
|mail_location = maildir:~/Maildir
|mail_plugins = " notify replication"
|namespace inbox { (removed) }
|passdb {
|  driver = pam
|}
|passdb {
|  args = username_format=%n /etc/vmail/%d/passwd
|  driver = passwd-file
|}
|plugin {
|  mail_replica = tcps:other.server.fqdn
|}
|protocols = " imap"
|service aggregator {
|  fifo_listener replication-notify-fifo {
|    mode = 0666
|    user = dovecot
| }
|  unix_listener replication-notify {
|    mode = 0666
|    user = dovecot
|  }
|}
|service auth {
|  unix_listener auth-client {
|    group = Debian-exim
|    mode = 0660
|  }
|}
|service doveadm {
|  inet_listener {
|    port = 15015
|    ssl = yes
|  }
|}
|service imap-login {
|  inet_listener imap {
|    port = 143
|  }
|  inet_listener imaps {
|    port = 993
|    ssl = yes
|  }
|}
|service replicator {
|  process_min_avail = 1
|  unix_listener replicator-doveadm {
|    mode = 0600
|  }
|}
|ssl = required
|ssl_cert = </etc/letsencrypt/live/mail.server.fqdn/fullchain.pem
|ssl_client_ca_file = /etc/dovecot/certs.pem 
|ssl_key = </etc/letsencrypt/live/mail.server.fqdn/privkey.pem
|userdb {
|  driver = passwd
|}
|userdb {
|  args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
|  driver = static
|}

(As a workaround, the file /etc/dovecot/certs.pem contains the relevant root 
certificate and the missing intermediate one, cat'ed together).

Regards,
Juri Vitali
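The two s_client sessions above differ only in how many certificates the listener presents. The following script is an added example, not part of the bug report or of Dovecot, that turns that manual comparison into a repeatable check: it fetches the chain each listener sends with `openssl s_client -showcerts`, counts the PEM blocks, and flags a listener whose chain is shorter than its sibling's or than an expected minimum. The host name, the ports and the two sample outputs are constructed for illustration; the sample PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a TLS listener that presents
# an incomplete certificate chain by comparing what two ports on the same host
# send. Host/ports below are assumptions; the samples are constructed.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts`
# output (stdin -> stdout).
pem_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in s_client output or PEM text read from stdin.
# Always prints a number (0 when none) and exits 0.
chain_cert_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Fetch the chain a listener presents. Needs network access and openssl;
# -servername sends SNI so a name-based vhost answers with the right cert.
fetch_chain() {
    host=$1; port=$2
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | pem_blocks
}

# Return 0 when the PEM text in $1 holds at least $2 certificates, else 1.
# A leaf signed by a public intermediate should yield at least 2.
chain_is_complete() {
    n=$(printf '%s\n' "$1" | chain_cert_count)
    [ "$n" -ge "$2" ]
}

# Compare two listeners on one host; they serve the same ssl_cert, so they
# must present the same number of certificates. Non-zero exit on mismatch.
check_listeners() {
    host=$1; port_a=$2; port_b=$3
    a=$(fetch_chain "$host" "$port_a" | chain_cert_count)
    b=$(fetch_chain "$host" "$port_b" | chain_cert_count)
    if [ "$a" -ne "$b" ]; then
        echo "MISMATCH: $host:$port_a presents $a certificate(s), $host:$port_b presents $b" >&2
        return 1
    fi
    echo "OK: both listeners present $a certificate(s)"
}

# Constructed sample s_client output: a full chain (leaf + intermediate) and
# a leaf-only chain, mimicking the 993 vs. 15015 behaviour. Bodies are fake.
SAMPLE_FULL='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Example Issuer/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
AAAAplaceholderLEAFplaceholderAAAA
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Issuer/CN=Example Intermediate
   i:/O=Example Root/CN=Example Root CA
-----BEGIN CERTIFICATE-----
BBBBplaceholderINTERMEDIATEplaceholderBBBB
-----END CERTIFICATE-----
---'

SAMPLE_LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Example Issuer/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
AAAAplaceholderLEAFplaceholderAAAA
-----END CERTIFICATE-----
---'

# Usage: ./check_chain.sh mail.example.test 993 15015
if [ "$#" -eq 3 ]; then
    check_listeners "$1" "$2" "$3"
fi
```

Run it from a monitoring host against the IMAPS and doveadm ports; a mismatch exit is the signal that one listener (here the doveadm one) is dropping the intermediate, which is the same condition that makes the dsync client report a missing issuer certificate.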
