Thanks Markus and Oscar...

On 4/18/2014 3:29 PM, Markus Schönhaber <dove...@list-post.mks-mail.de> wrote:
Aside from the missing indirection (use ... = </etc/... as you did before) the documentation indicates that ssl_ca is only used for client certificate verification and has nothing to do with the certificate chain of your server certificate.

Yeah, the < was in the config, dunno how it got stripped from my post - or maybe I manually typed those - yeah, I think I did...

Instead, cat your new server certificate together with the CA certificates into one file and point ssl_cert to this file (see "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

Ok, did that and made the config change and restarted dovecot.

Everything seems to be working, BUT... I'm now seeing some of these errors, that were not showing up in the logs before:

2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143

12 total in the last 25 minutes since flipping the switch.

and there have been two of these:

2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143

Not a huge number, but enough to be concerning...

Could this just be from cached junk from some clients, and they will resolve themselves over time?

--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
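
Added example (not part of the original message, and not Dovecot tooling): one way to see whether the "SSL alert number 42" disconnects come from a few repeating clients or from many, by grouping log lines of the format shown above per remote IP. The sample lines, the host name `mailhost` and all addresses are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpts in the message above.
# Host name and 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
2014-04-18T15:42:24-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143
2014-04-18T15:42:34-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=198.51.100.7, lport=143
2014-04-18T15:43:02-04:00 mailhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1234, TLS
2014-04-18T15:54:07-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143
2014-04-18T15:58:40-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143
"""

# Captures timestamp, TLS phase, failing OpenSSL call, alert number and remote IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: [\w-]+: .*?"
    r"(?P<phase>TLS handshaking|TLS): (?P<call>SSL_\w+)\(\) failed: .*?"
    r"SSL alert number (?P<alert>\d+), rip=(?P<rip>[0-9a-fA-F.:]+), lport=\d+"
)

def summarize_alerts(text, alert=42):
    """Group TLS alert disconnects by remote IP (42 = bad_certificate)."""
    clients = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "phases": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["alert"]) != alert:
            continue  # successful logins and other alerts are ignored
        c = clients[m["rip"]]
        c["count"] += 1
        c["first"] = c["first"] or m["ts"]   # log is in time order
        c["last"] = m["ts"]
        c["phases"].add(f'{m["phase"]}/{m["call"]}')
    return dict(clients)

def repeat_clients(summary, min_count=2):
    """Remote IPs that hit the alert at least min_count times, busiest first."""
    hits = [(c["count"], ip) for ip, c in summary.items() if c["count"] >= min_count]
    return [ip for _, ip in sorted(hits, reverse=True)]

if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_LOG)
    for ip, c in summary.items():
        print(ip, c["count"], c["first"], c["last"], sorted(c["phases"]))
    print("repeating:", repeat_clients(summary))
```

Rerunning the summary over later log windows shows whether the same addresses keep failing or the entries taper off.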
