Re: sieve-filter ignores -u argument
I have found the problem; auth debug helped me.

sieve-filter -u test
```
Jan 27 03:38:03 mail dovecot: auth: Debug: master in: USER#0111#011test#011service=sieve-filter
Jan 27 03:38:03 mail dovecot: auth: Debug: ldap(t...@domain.tld): Performing userdb lookup
Jan 27 03:38:03 mail dovecot: auth: Debug: ldap(t...@domain.tld): user search: base=o=domains,dc=mail,dc=domain,dc=tld scope=subtree filter=(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=sieve-filter)(|(mail=t...@domain.tld )(&(enabledService=shadowaddress)(shadowAddress=t...@domain.tld fields=mail,mail,homeDirectory,mailboxFormat,mailboxFolder,mailQuota
Jan 27 03:38:03 mail dovecot: auth: Debug: ldap(t...@domain.tld): no fields returned by the server
Jan 27 03:38:03 mail dovecot: auth: ldap(t...@domain.tld): unknown user
Jan 27 03:38:03 mail dovecot: auth: Debug: ldap(t...@domain.tld): Finished userdb lookup
Jan 27 03:38:03 mail dovecot: auth: Debug: userdb out: NOTFOUND#0111
```

doveadm user test
```
Jan 27 03:38:08 mail dovecot: auth: Debug: master in: USER#0111#011test#011service=doveadm#011debug
Jan 27 03:38:08 mail dovecot: auth: Debug: ldap(t...@domain.tld): Performing userdb lookup
Jan 27 03:38:08 mail dovecot: auth: Debug: ldap(t...@domain.tld): user search: base=o=domains,dc=mail,dc=domain,dc=tld scope=subtree filter=(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=doveadm)(|(mail=t...@domain.tld )(&(enabledService=shadowaddress)(shadowAddress=t...@domain.tld fields=mail,mail,homeDirectory,mailboxFormat,mailboxFolder,mailQuota
Jan 27 03:38:08 mail dovecot: auth: Debug: ldap(t...@domain.tld): result: mail=t...@domain.tld homeDirectory=/var/vmail/vmail1/domain.tld/t/r/a/test-2022.01.21.10.09.47/ mailQuota=1073741824 mailboxFolder=sdbox mailboxFormat=sdbox; mailboxFormat,homeDirectory,mailQuota,mail,mailboxFolder unused
Jan 27 03:38:08 mail dovecot: auth: Debug: ldap(t...@domain.tld): Finished userdb lookup
Jan 27 03:38:08 mail dovecot: auth: Debug: userdb out: USER#0111#011t...@domain.tld#011master_user=t...@domain.tld #011home=/var/vmail/vmail1/domain.tld/t/r/a/test-2022.01.21.10.09.47/#011mail=sdbox:~/sdbox/#011quota_rule=*:bytes=1073741824
```

`(enabledService=sieve-filter)` is absent for users by default.

On Tue, 25 Jan 2022 at 20:21, Андрей Куницын wrote:

> Hm, looks like I misunderstood initial error sieve-filter(root): Fatal:
> Unknown user
> filter-sieve do not understand -u postma...@domain.tld
> Where (root) is about who runs the command, not who is not found
>
> Anyway I've tried
>
> # cd
> /var/vmail/vmail1/domain.tld/t/e/s/test-2022.01.22.05.55.26/sdbox/mailboxes/
> #sieve-filter -c /etc/dovecot/dovecot.conf -v
> /var/vmail/sieve/dovecot.sieve INBOX
> sieve-filter(root): Error: stat(/root/Maildir/tmp) failed: Permission
> denied (euid=2000(vmail) egid=2000(vmail) missing +x perm: /root, dir owned
> by 0:0 mode=0700)
> sieve-filter(root): Fatal: Couldn't open source mailbox 'INBOX': Internal
> error occurred. Refer to server log for more information. [2022-01-25
> 14:46:35]
>
> sudo -u vmail sieve-filter -c /etc/dovecot/dovecot.conf -v
> /var/vmail/sieve/dovecot.sieve INBOX
>
> sieve-filter(vmail): Info: Mailbox created: INBOX
>
> /home/vmail/Maildir was created after that and not in the current
> directory
>
> I've tried '-u test', '-u t...@domain.tld', '-u t...@mail.domain.tld' and
> passed config '-c /etc/dovecot/dovecot.conf.'
> And still got
> Fatal: Unknown user
>
> How do sieve-filters understand virtual users?
>
> On Tue, 25 Jan 2022 at 18:31, Eric Wood wrote:
>
>> I read the sieve-filter man page so I'll speculate. Granted, I still
>> don't fully understand how sieve and virtual users work as I have never set
>> this up.
>>
>> "postmaster" is an alias of root and "vmail" is probably just a directory
>> name. So, from the root's command prompt, the environment variables
>> probably aren't totally set up for sieve-filter to understand virtual users.
>>
>> So, working from the command prompt, you probably have to explicitly
>> specify the .sieve path and leave off the -u argument
>>
>> # cd /location_of_virtual_user_INBOX
>> # sieve-filter -v /opt/some_global_rules/sieve/managesieve.sieve INBOX
>>
>> Would it be great if sieve-filter had an argument to understand the
>> system's virtual user's settings? Of course. I don't know why the
>> developers haven't included it.
>>
>> -Eric
>>
>> On 1/24/2022 7:59 AM, Андрей Куницын wrote:
>>
>> Hello
>> I try to test my sieve script, but found out that it is impossible to use
>> a sieve-filter tool with virtual mail users. It always uses a real user
>> name instead of passed via -u argument.
>>
>>
>> # sieve-filter -v -u postmas...@domain.tld ~/sieve/managesieve.sieve
>> INBOX
>> sieve-filter(root): Fatal: Unknown user
>>
>> sudo -u vmail sieve-filter -u postmas...@domain.tld
>> ~/sieve/managesieve.sieve INBOX
>> sieve-filter(vmail): Fatal: Unknown user
>
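The comparison made in the thread above (the same user resolves for `service=doveadm` but not for `service=sieve-filter`) can be automated. The following is an added example, not code from the thread or from Dovecot: it parses auth debug lines, extracts the `enabledService` terms that sit directly under the top-level `(&...)` of the userdb filter, and reports which required service an account entry lacks. The log lines, addresses and the account's service set are constructed.

```python
import re

# Constructed sample shaped like the auth debug lines in the thread above.
# "#011" is syslog's escape for TAB; names and addresses are placeholders.
SAMPLE_LOG = """\
Jan 27 03:38:03 mail dovecot: auth: Debug: master in: USER#0111#011test#011service=sieve-filter
Jan 27 03:38:03 mail dovecot: auth: Debug: ldap(test@example.test): user search: base=o=domains,dc=example,dc=test scope=subtree filter=(&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=sieve-filter)(|(mail=test@example.test)(&(enabledService=shadowaddress)(shadowAddress=test@example.test)))) fields=mail,homeDirectory
Jan 27 03:38:03 mail dovecot: auth: Debug: userdb out: NOTFOUND#0111
Jan 27 03:38:08 mail dovecot: auth: Debug: master in: USER#0111#011test#011service=doveadm#011debug
Jan 27 03:38:08 mail dovecot: auth: Debug: ldap(test@example.test): user search: base=o=domains,dc=example,dc=test scope=subtree filter=(&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=doveadm)(|(mail=test@example.test)(&(enabledService=shadowaddress)(shadowAddress=test@example.test)))) fields=mail,homeDirectory
Jan 27 03:38:08 mail dovecot: auth: Debug: userdb out: USER#0111#011test@example.test#011home=/var/vmail/test
"""

def fields(payload):
    """Split one auth-protocol message on syslog-escaped TABs."""
    return payload.strip().split("#011")

def and_children(ldap_filter):
    """Direct children of a top-level (&...) filter; nested terms stay nested."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        return []
    body, children, depth, start = ldap_filter[2:-1], [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(body[start:i + 1])
    return children

def parse_lookups(log_text):
    """Pair each userdb request with the services its filter demands and its result."""
    lookups, current = [], None
    for line in log_text.splitlines():
        if "master in: USER" in line:
            parts = fields(line.split("master in: ", 1)[1])
            params = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
            current = {"user": parts[2], "service": params.get("service"),
                       "required": [], "result": None}
        elif current and "user search: " in line:
            found = re.search(r"filter=(\(.*\)) fields=", line)
            terms = and_children(found.group(1)) if found else []
            prefix = "(enabledService="
            current["required"] = [t[len(prefix):-1] for t in terms
                                   if t.startswith(prefix)]
        elif current and "userdb out: " in line:
            current["result"] = fields(line.split("userdb out: ", 1)[1])[0]
            lookups.append(current)
            current = None
    return lookups

def missing_services(lookup, account_services):
    """Services the filter requires that the account entry does not list."""
    return [s for s in lookup["required"] if s not in account_services]

if __name__ == "__main__":
    # Constructed account entry: sieve-filter is not among its enabledService values.
    account = {"mail", "doveadm", "shadowaddress"}
    for lk in parse_lookups(SAMPLE_LOG):
        print(lk["service"], lk["result"], "missing:", missing_services(lk, account))
```

The `shadowaddress` term is deliberately not reported as required, because it sits inside the `(|...)` branch rather than directly under the top-level AND.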
Dovecot installation problem (libssl_iostream_openssl.so is not portable!)
Hi there,

I try to install dovecot from source with the following configuration:

> ./configure --prefix=/test/core/dovecot --with-ssldir=/test/core/dovecot/tls

The configuration runs fine with the following output at the end:

> Install prefix . : /test/core/dovecot
> File offsets ... : 64bit
> I/O polling : epoll
> I/O notifys : inotify
> SSL : yes (OpenSSL)
> GSSAPI . : no
> passdbs : static passwd passwd-file shadow checkpassword
> : -pam -bsdauth -ldap -sql
> userdbs : static prefetch passwd passwd-file checkpassword
> : -ldap -sql
> CFLAGS . : -std=gnu99 -g -O2 -fstack-protector-strong
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -mfunction-return=keep
> -mindirect-branch=keep -Wall -W -Wmissing-prototypes -Wmissing-declarations
> -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast
> -fno-builtin-strftime -Wstrict-aliasing=2 -I/test/dep/openssl/include
> SYSTEMD : notify - /lib/systemd/system/dovecot.service
> SQL drivers :
> : -pgsql -mysql -sqlite -cassandra
> Full text search : squat
> : -lucene -solr

But when I start to build (make), after a while I get the following error:

> *** Warning: Linking the executable test-iostream-ssl against the loadable
> module
> *** libssl_iostream_openssl.so is not portable!
> libtool: link: gcc -std=gnu99 -g -O2 -fstack-protector-strong
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -mfunction-return=keep
> -mindirect-branch=keep -Wall -W -Wmissing-prototypes -Wmissing-declarations
> -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast
> -fno-builtin-strftime -Wstrict-aliasing=2 -I/test/dep/openssl/include -o
> .libs/test-iostream-ssl test-iostream-ssl.o
> ./.libs/libssl_iostream_openssl.so ./.libs/libssl_iostream.a
> ../lib-test/.libs/libtest.a ../lib/.libs/liblib.a -L/test/dep/openssl/lib64
> -lssl -lcrypto -ldl -Wl,-rpath -Wl,/test/core/dovecot/lib/dovecot
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `ERR_free_strings'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `ENGINE_cleanup'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `SSL_library_init'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `OBJ_cleanup'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `CRYPTO_cleanup_all_ex_data'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `OpenSSL_add_all_algorithms'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `SSL_CTX_set_tmp_rsa_callback'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `EVP_cleanup'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `SSL_load_error_strings'
> /usr/bin/ld: ./.libs/libssl_iostream_openssl.so: undefined reference to
> `SSL_CTX_need_tmp_RSA'
> collect2: error: ld returned 1 exit status
> make[3]: *** [Makefile:655: test-iostream-ssl] Error 1
> make[3]: Leaving directory '/test/tmp/dovecot-2.3.17.1/src/lib-ssl-iostream'
> make[2]: *** [Makefile:573: all-recursive] Error 1
> make[2]: Leaving directory '/test/tmp/dovecot-2.3.17.1/src'
> make[1]: *** [Makefile:702: all-recursive] Error 1
> make[1]: Leaving directory '/test/tmp/dovecot-2.3.17.1'
> make: *** [Makefile:546: all] Error 2

I've searched for the error and found some posts about explicitly setting CPPFLAGS and LDFLAGS and something about missing shared libraries of openssl. My openssl has shared libraries (libcrypto.so libssl.so ...) and the explicit use of CPPFLAGS and LDFLAGS pointing to my openssl hasn't changed anything.

I use OpenSSL 3.0 but I've also tested 1.1.1m and 1.1.1g, for example; same error! Dovecot is the latest, 2.3.17.1.

Can anyone help me with this please?

Thanks!
Re: doveadm stateful backup
Hi all,

just wanted to mention that the backup process described below seems to work. The 100 files gap is still about the same and I further investigated the cause. It is related to the meta information like indices and caches that are present in some but not all folders. Counting only files that contain the sequence ,S= and even summing all file sizes led to the same number and the exactly same size of raw mail data. I also didn't receive any notification about really failed backups, therefore I believe that the backup works correctly.

Regards
Christian

On 09.01.2022 21:57, Christian wrote:

Hi all,

first: I'm using version 2.3.4.1

I manage some rather large imap mailboxes which I want to backup on a regular basis. Some of them have relatively heavy traffic and one of them is greater than 30GB in size. I studied the docs for doveadm backup (https://wiki2.dovecot.org/Tools/Doveadm/Sync) and even did some code research to better understand the process. The docs state that using stateful synchronization is the most efficient way to synchronize mailboxes, therefore I chose this approach.

High-level overview:
- store a copy of the whole maildir in a separate directory (/var/vmail/backup)
- backup to this directory once a minute (trying to make most use of transaction logs) using the last state stored within a file
- create a backup once a day using tar (full, differential and incremental ones) blocking the backup process of the before mentioned step

I quite often receive notifications that doveadm backup returned an exit code of 2, which should be quite normal. These notifications look like that:

dsync(another_address@my.domain): Warning: Failed to do incremental sync for mailbox INBOX, retry with a full sync (Modseq 171631 no longer in transaction log (highest=177818, last_common_uid=177308, nextuid=177309))
dsync(another_address@my.domain): Warning: Mailbox changes caused a desync. You may want to run dsync again: Remote lost mailbox GUID e9149d0ae4e02d53250526ca4352 (maybe it was just deleted?)
Synced another_address@my.domain successfully but missing some changes. Took 3 seconds. Starting retry 1...

The first message seems to point out that the transaction log got rolled and no more contains the messages from the backup dir, right? I thought about setting mail_index_log_rotate_min_age to 1hour to prevent rolling transaction logs too often, but abandoned this thought and increased the backup interval to once a minute. The warnings still appear so maybe my thoughts about transaction logs are wrong. The second message seems less alarming to me.

How does doveadm backup behave in such situations? Does it directly fall back to a less efficient way of syncing mails? Does the state store the information "retry with a full sync" and the next run uses this mode? To investigate on this I simply measured runtimes and saw that the second/retry run takes a bit longer (up to about 15 seconds) to sync the dir.

I'm afraid of losing messages using my approach. Is it safe to always use doveadm backup -s $state? Simply counting one maildir's files within the live directory and the backup copy shows 100 fewer files within the backup dir although the script runs only since a few days.

For reference, see my backup script below.

Regards
Christian

#!/bin/bash

# * * * * * /root/bin/backup.sh --sync-only
# 12 2 1-7 * * test $(date +\%u) -eq 6 && /root/bin/backup.sh --full
# 12 2 8-31 * * test $(date +\%u) -eq 6 && /root/bin/backup.sh --differential
# 12 2 * * * test $(date +\%u) -ne 6 && /root/bin/backup.sh

synconly=0
differential=0
fullbackup=0
if [ $# -gt 0 ] ; then
  if [ "$1" == "--sync-only" ] ; then
    synconly=1
  elif [ "$1" == "--differential" ] ; then
    differential=1
  elif [ "$1" == "--full" ] ; then
    fullbackup=1
  fi
fi

basedir="/var/vmail/backup"
targetdir="/var/vmail/backup/done"
mailaddresses="one_address@my.domain another_address@my.domain yet_another@my.domain"

if [ ! -d "$basedir" ] ; then
  mkdir -p "$basedir"
  chown vmail:vmail "$basedir"
fi
if [ ! -d "$targetdir" ] ; then
  mkdir -p "$targetdir"
  chown vmail:vmail "$targetdir"
fi

for mailaddr in ${mailaddresses} ; do
  #echo "Creating backup for $mailaddr."
  domainpart=${mailaddr#*@}
  localpart=${mailaddr%%@*}
  lockfile="$basedir/$mailaddr.lock"
  statefile="$basedir/$mailaddr.state"
  backupdir="$domainpart/$localpart/Maildir"
  snapshotfile_full="$basedir/$mailaddr.full.snar"
  snapshotfile="$basedir/$mailaddr.snar"
  backup_basename="$basedir/${mailaddr}_$(date '+%Y%m%d_%H%M%S')"
  (
    if [ $synconly -eq 1 ] ; then
      flock -xn 200
      if [ $? -eq 1 ] ; then
        # failed to acquire lock. Skip mailbox silently.
        exit
      fi
    fi
    # try to acquire exclusive lock for one minute
    flock -xw 60 200
    if [ $? -eq 1 ] ; then
      echo "Failed to acquire write lock within 60 seconds. Skipping $mailaddr."
      exit
    fi
    retri
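The verification described at the top of this message (count only files whose name carries `,S=` and sum their sizes, so index and cache files do not distort the comparison) can be done per folder, which also shows where a live tree and its backup diverge. This is an added example, not part of the poster's script: it looks only inside `cur/` and `new/`, and the Maildir trees and file names in `demo()` are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

SIZE_TAG = re.compile(r",S=(\d+)")  # size tag in Dovecot Maildir file names


def summarize(maildir):
    """Return ({folder: (messages, bytes)}, [files whose size differs from S=])."""
    totals, odd = defaultdict(lambda: [0, 0]), []
    for dirpath, _dirs, files in os.walk(maildir):
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue  # index, cache and uidlist files live outside cur/ and new/
        folder = os.path.relpath(os.path.dirname(dirpath), maildir)
        for name in files:
            tag = SIZE_TAG.search(name)
            if not tag:
                continue
            size = os.path.getsize(os.path.join(dirpath, name))
            totals[folder][0] += 1
            totals[folder][1] += size
            # A mismatch is expected if mail files are stored compressed.
            if size != int(tag.group(1)):
                odd.append(os.path.join(folder, name))
    return {f: tuple(v) for f, v in totals.items()}, sorted(odd)


def differences(live, backup):
    """Folders whose message count or byte total differs between the two trees."""
    a, b = summarize(live)[0], summarize(backup)[0]
    return {f: (a.get(f, (0, 0)), b.get(f, (0, 0)))
            for f in sorted(set(a) | set(b)) if a.get(f) != b.get(f)}


def make_maildir(base, layout):
    """Build a constructed Maildir: layout maps a relative file path to body bytes."""
    for rel, body in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return base


def demo():
    """Live tree vs. a backup lacking one Sent message; metadata files differ too."""
    live = {"cur/1.M1.host,S=5,W=6:2,S": b"hello",
            ".Sent/cur/2.M2.host,S=3,W=4:2,": b"abc",
            "dovecot.index.cache": b"x" * 40, "dovecot-uidlist": b"3 V1 N2\n"}
    backup = {"cur/1.M1.host,S=5,W=6:2,S": b"hello"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return differences(make_maildir(a, live), make_maildir(b, backup))


if __name__ == "__main__":
    print(demo())
```

An empty result from `differences()` means the message files match in count and total size per folder even when the raw file counts of the two directories differ.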
How to use virtual "All" and "Flagged" mailbox?
Hello,

I'm trying to use the virtual "All" and "Flagged" mailboxes as described in 15-mailboxes.conf. The information here ( https://doc.dovecot.org/configuration_manual/virtual_plugin/) doesn't really touch on how to actually interact with the virtual mailboxes.

My presumption is that when I mark an email message in the Inbox as FLAGGED (and I can confirm the \Flagged flag has been set) then I should then be able to either (1) see a copy of that message in the virtual.Flagged folder, or (2) when I use an imap command to get the message nums or whatever from the virtual.Flagged folder/mailbox, it should return the message that is flagged in the inbox as a result.

Additionally, I'm presuming that for each new user that automatically gets added, I would have to create my own script that would add the dovecot-virtual file, dovecot doesn't do that on its own.

When I view the user's directory I see these folders were created:

--- [snippet]
drwxrwx---. 5 vmail vmail 135 Jan 25 17:01 .virtual.All/
drwxrwx---. 5 vmail vmail 158 Jan 25 17:14 .virtual.Flagged/

[.virtual.Flagged]# ll
total 20
drwxrwx---. 5 vmail vmail 158 Jan 25 17:14 ./
drwxrwx---. 20 vmail vmail 4096 Jan 25 17:33 ../
drwxrwx---. 2 vmail vmail 6 Jan 25 16:58 cur/
-rw-rw. 1 vmail vmail 868 Jan 25 16:58 dovecot.index.cache
-rw-rw. 1 vmail vmail 384 Jan 25 17:01 dovecot.index.log
-rw-rw. 1 vmail vmail 51 Jan 25 17:01 dovecot-uidlist
-rw-r--r--. 1 vmail vmail 8 Jan 25 17:14 dovecot-virtual
-rw-rw. 1 vmail vmail 0 Jan 25 16:58 maildirfolder
drwxrwx---. 2 vmail vmail 6 Jan 25 16:58 new/
drwxrwx---. 2 vmail vmail 6 Jan 25 16:58 tmp

[.virtual.Flagged]# cat dovecot-virtual
* flagged
---

Side note: This set-up uses the php-imap library to interact with Dovecot.

Any help, or just concept of how the virtual/All virtual/Flagged directories work would be really appreciated.

CONFIGURATION: dovecot -n

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-348.2.1.el8_5.x86_64 x86_64 CentOS Linux release 8.5.2111 xfs
# Hostname: [DOMAIN REDACTED]
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 1000
lda_mailbox_autocreate = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_plugins = " quota"
mbox_write_locks = fcntl
namespace {
  location = virtual:/home/vmail/%d/%n/Maildir/virtual:LAYOUT=maildir++
  prefix = virtual.
  separator = .
  type = private
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox virtual.All {
    auto = create
    comment = All my messages
    special_use = \All
  }
  mailbox virtual.Flagged {
    auto = create
    comment = All my flagged messages
    special_use = \Flagged
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  driver = pam
}
plugin {
  quota = maildir:User quota
  quota_grace = 10%%
  quota_max_mail_size = 30M
  quota_rule = *:storage=100M
  quota_rule2 = INBOX.Trash:storage=+10M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
}
protocols = imap pop3
service auth-worker {
  user = root
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert =
Errors: Failed to map transaction log, Corrupted transaction log, Timeout (180s) while waiting for lock for transaction log
Hi all,

I am using dovecot-2.3.17_1 on FreeBSD system. This server offers webmail, pop3 and imap access for users. Today I am receiving several complaints from users about slowness and/or access issues.

I checked on my /var/log/maillog and I see lots of:

Error: Timeout (180s) while waiting for lock for transaction log file /var/domains/domain.it/username/Maildir/dovecot.list.index.log (WRITE lock held by pid 84939)
Error: Corrupted transaction log file /var/domains/domain.it/otherusername/Maildir/dovecot.list.index.log seq 2: indexid changed: 1643184505 -> 1643205059 (sync_offset=0)
Error: Transaction log file /var/domains/otherdomain.net/otheruser/Maildir/dovecot.list.index.log: marked corrupted

Not all users seem affected. My mailbox, for example, is working fine. I checked on my disks (this is a ZFS volume) and I didn't find errors/warnings.

Any suggestion?

This is my dovecot configuration:

# dovecot -n
# 2.3.17 (e2aa53df5b): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 13.0-RELEASE-p6 amd64 zfs
# Hostname: mailserver.domain.it
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 2000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
first_valid_gid = 125
first_valid_uid = 125
imap_id_log = *
mail_gid = 1003
mail_location = maildir:/mail/domains
mail_privileged_group = postfix
mail_uid = 1003
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service imap {
  process_limit = 1536
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =
Re: Sync via ssh fails when ssl is active
I have set privileges to 755 for letsencrypt/live and letsencrypt/archive and sync now seems to function properly.

BUT, I shouldn't have to change privileges as it's a serious SECURITY issue. My *private* keys become visible to any user in the system.

Dovecot obviously can access the cert when it comes to imap/ssl, then why does sync between dovecot servers require extended privileges to the same certs the server is already using?

/Johan Pålsson

On 2022-01-25 at 14:35, Christian Mack wrote:

Hello

On 20.01.22 at 16:32, Johan wrote:

Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied

Check permission on /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem

Kind regards,
Christian Mack
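The exposure raised in this message can be checked from mode bits alone. The following is an added example, not from the thread and not Dovecot or certbot code: it reports which files under a certificate tree a given non-owner account can open, and compares a locked-down tree, a world-readable one, and a group-scoped grant. The directory layout, file modes, the hypothetical account uid and the dedicated-group arrangement are constructed assumptions.

```python
import os
import tempfile

def _class_bits(st, uid, gids):
    """rwx bits (4/2/1) that apply to this identity: owner, group or other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def _reachable(path, root, uid, gids):
    """Search (x) on root and every directory below it, read (r) on the file."""
    if not _class_bits(os.stat(root), uid, gids) & 1:
        return False
    parts = os.path.relpath(path, root).split(os.sep)
    current = root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        needed = 4 if i == len(parts) - 1 else 1
        if not _class_bits(os.stat(current), uid, gids) & needed:
            return False
    return True

def readable_files(root, uid, gids=frozenset()):
    """Files under root that (uid, gids) can open for reading, judged by mode bits.

    Checks both the path as listed and its symlink-resolved form. uid 0, ACLs
    and capabilities are out of scope; links are assumed to stay inside root.
    """
    root = os.path.realpath(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if all(_reachable(p, root, uid, gids)
                   for p in {path, os.path.realpath(path)}):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample(base, dir_mode, key_mode):
    """Constructed certificate tree with placeholder files (no real key material)."""
    site = os.path.join(base, "live", "site.example")
    os.makedirs(site)
    for name, mode in (("fullchain.pem", 0o644), ("privkey.pem", key_mode)):
        path = os.path.join(site, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    for d in (site, os.path.dirname(site)):
        os.chmod(d, dir_mode)
    os.chmod(base, 0o755)

def scenario(dir_mode, key_mode, in_group):
    """Readable files for a hypothetical non-owner account, optionally in the tree's group."""
    with tempfile.TemporaryDirectory() as base:
        build_sample(base, dir_mode, key_mode)
        st = os.stat(os.path.join(base, "live"))
        gids = {st.st_gid} if in_group else set()
        return readable_files(base, st.st_uid + 12345, gids)

if __name__ == "__main__":
    for label, args in (("dirs 0700, key 0600", (0o700, 0o600, False)),
                        ("dirs 0755, key 0644", (0o755, 0o644, False)),
                        ("dirs 0750, key 0640, in group", (0o750, 0o640, True))):
        print(label, "->", scenario(*args))
```

The first case returns nothing, the second lists both files for any local account, and the third lists them only for an account that belongs to the tree's group.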
Re: Sync via ssh fails when ssl is active
I realize I forgot some information...

I'm running Debian 11 on both servers and dovecot is installed using debian-packages, version 2.3.13 (89f716dc2)

/Johan Pålsson

On 2022-01-20 at 16:32, Johan wrote:

I have computers at two different locations and one computer running dovecot at each place. I sync my emails between these two servers using ssh and I haven't had any problems with this lately until I upgraded dovecot recently.

I now get the following error at location "alfa" when trying to sync with dovecot at location "delta":

Jan 20 16:13:09 doveadm: Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/letsencrypt/live/delta.oxyl.net/fullchain.pem: Permission denied
Jan 20 16:13:09 dsync-local(jo...@oxyl.net): Error: read(vmail@192.168.119.12) failed: EOF (version not received)
Jan 20 16:13:09 dsync-local(jo...@oxyl.net): Error: Remote command returned error 89: ssh -q -p 22 -o StrictHostKeyChecking=no -i /datastorage/epost/vmail/.ssh/id_ecdsa -lvmail 192.168.119.12 doveadm dsync-server -ujo...@oxyl.net

Trying to sync from "delta" I get the same error but the domain is changed in the error-message to 'alfa.oxyl.net'.

I can read mail at both locations using STARTTLS. There is no error in dovecot.log when I restart the service.

If I disable ssl and comment out ssl_cert/ssl_key in 10-ssl.conf I have no trouble performing sync between servers.

If I run the ssh-command in the error-message as user vmail I get the same ssl-error as above.

Any ideas how to solve this?

/Johan Pålsson
Re: Received invalid SSL certificate: unable to get certificate CRL
Hi Laura,

On Wed, 26 Jan 2022 at 12:09:04AM +, Laura Smith wrote:

‐‐‐ Original Message ‐‐‐

I thought that ssl_ca =

Does ssl_ca even apply to dsync/imapc ?

as I wrote: I cannot test your scenario and the link to the documentation I sent was only a rough idea.

Looking at the docs its all about client certificate authentication ? Something which does not apply to my environment, and even if it did, it would not apply to dsync/imapc because I am initiating the connection, not the remote end ?

In my understanding this parameter is not only about client certificate authentication. If you want, then please have a look at this:

https://doc.dovecot.org/settings/core/#core_setting-ssl_ca

[...] These CAs are also used by some processes for validating outgoing SSL connections, i.e. performing the same function as ssl_client_ca_file. [...]

And that's why I wrote: it's worth a try (it takes only two minutes to test it ...). IMHO of course. If you don't want to test it, OK. But I have no further ideas, sorry.

Regards,
Markus