I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL certificate authority provides a bundle containing their CA, plus intermediate CAs, which I configure using the 'ssl_ca' option. The comments in the configuration file say to only set this when you're requiring client certificates, which I'm not, but fetchmail complains with a "Server certificate verification error, Broken certificate chain" error if that setting is not set. This works fine with Dovecot 2.2.34.
After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca' is set or not. Dovecot 2.3.2.1 reports the error "SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48" in the logs when attempting the TLS handshake. The permissions on the CA bundle haven't changed and should still be readable by Dovecot. I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file system. I'm attaching my config files for both Dovecot 2.2.34 and Dovecot 2.3.2.1.
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# OS: Linux 4.9.95-gentoo x86_64 Gentoo Base System release 2.4.1
# Hostname: hermes.ultramedonline.com
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = *
  driver = pam
}
passdb {
  args = scheme=sha512-crypt username_format=%n /etc/mail/passwd
  driver = passwd-file
}
ssl_ca = </etc/ssl/local/certs/gd_bundle-g2-g1.crt
ssl_cert = </etc/ssl/local/certs/wildcard.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_dh_parameters_length = 4096
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /etc/mail/passwd
  default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%n
  driver = passwd-file
}
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# OS: Linux 4.9.95-gentoo x86_64 Gentoo Base System release 2.4.1
# Hostname: hermes.ultramedonline.com
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = *
  driver = pam
}
passdb {
  args = scheme=sha512-crypt username_format=%n /etc/mail/passwd
  driver = passwd-file
}
ssl_ca = </etc/ssl/local/certs/gd_bundle-g2-g1.crt
ssl_cert = </etc/ssl/local/certs/wildcard.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /etc/mail/passwd
  default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%n
  driver = passwd-file
}