Hello,

for our testing environment, I would like to configure a CA that is trusted by 
Dovecot when making TLS connections. As you can see below in the config 
snippets, this is for example used when proxying to itself during a login with 
credentials for the OIDC provider. The Dovecot documentation 
(https://doc.dovecot.org/configuration_manual/authentication/proxies/) states: 
"ssl_client_ca_dir or ssl_client_ca_file aren't currently used for verifying 
the remote certificate, although ideally they will be in a future Dovecot 
version. For now you need to add the trusted remote certificates to ssl_ca."
Configuring a trusted CA via the `ssl_ca` config option works, but it is a 
little bit weird, as this option is originally meant for TLS client 
authentication.

I added the CA certificate to the system trust store and removed `ssl_ca` and 
`ssl_client_ca_file`, but it seems that Dovecot does not use the system store. 
Or is there any config option I am missing?
Otherwise, are there any plans for when `ssl_client_ca_file` will be used for 
remote connections (the documentation mentions that this would ideally be fixed 
in a later version)? And could I then use the aggregated Debian system trust 
store (/etc/ssl/certs/ca-certificates.crt) there?

Best regards,
Felix


`dovecot -n` (shortened):

# 2.3.19 (b3ad6004dc): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.7.3-arch1-1 x86_64 Debian 11.8

passdb {
  args = /etc/dovecot/oauth2-token.conf.ext
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
}
passdb {
  args = /etc/dovecot/oauth2-password.conf.ext
  driver = oauth2
  mechanisms = plain login
}

protocols = imap lmtp
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  inet_listener {
    port = 24
    ssl = no
  }
}
ssl = required
ssl_min_protocol = TLSv1.3
ssl_prefer_server_ciphers = yes

protocol lmtp {
  ssl_cert = </etc/dovecot/tls/lmtp-certificate-chain.pem
  ssl_key = # hidden, use -P to show it
}
protocol imap {
  ssl_cert = </etc/dovecot/tls/imap-certificate-chain.pem
  ssl_key = # hidden, use -P to show it
}

`oauth2-password.conf.ext`:

client_id = ${DOVECOT_OIDC_CLIENT_ID}
client_secret = ${DOVECOT_OIDC_CLIENT_SECRET}
introspection_mode = local
force_introspection = yes
username_attribute = preferred_username
username_format = %Lu
use_grant_password = yes
grant_url = ${OIDC_TOKEN_URL}
scope = ${DOVECOT_OIDC_SCOPE}
issuers = ${OIDC_ISSUER_URL}
pass_attrs = host=dovecot port=993 ssl=yes proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:sub}
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
debug = no

---
Gesellschaft für interkulturelles
Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin

Tel: 030/513 0100 00; Fax: 030/513 0100 09 
www.giz.berlin; felix.auringer@giz.berlin

Amtsgericht Charlottenburg HRB 200872 B
Geschäftsführerin: Dr. Britta Marschke
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
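The following is an added example, not code from the original post or from Dovecot. It checks the two things the question above turns on: whether the private CA actually validates the certificate that the proxy target presents, and whether that CA is really inside the PEM bundle handed to `ssl_ca`, which, per the documentation quoted above, is what Dovecot 2.3 consults for proxied TLS connections (the system store is not consulted, as observed in the post). The host name "dovecot", the port 993, the script name check-proxy-ca.sh and all file paths are assumptions; the certificates the script generates are constructed test material, not real ones.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot). Save as
# check-proxy-ca.sh; run without arguments for an offline self-test on
# constructed certificates, or with "host [port]" for the live check against
# the real proxy target. Host name, port and paths are assumptions.
set -eu

# Build the bundle for `ssl_ca`: an optional system store plus the private CA,
# after checking that the private CA file really parses as an X.509 cert
# (a bundle with a stray key or a truncated PEM fails silently otherwise).
build_ssl_ca_bundle() {
    out=$1 private_ca=$2 system_bundle=${3:-}
    openssl x509 -noout -in "$private_ca" 2>/dev/null || {
        echo "not a PEM certificate: $private_ca" >&2
        return 1
    }
    : > "$out"
    if [ -n "$system_bundle" ]; then cat "$system_bundle" >> "$out"; fi
    cat "$private_ca" >> "$out"
}

# Print the subject of every certificate in a bundle, to confirm that the
# private CA is part of what Dovecot will actually read.
list_bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Verify a leaf certificate against a bundle the way a TLS client does:
# status 0 only if a chain to a CA in the bundle exists.
verify_leaf_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check: the verification Dovecot has to do when it proxies to itself
# with ssl=yes. Non-zero exit if the chain on host:port does not verify
# against the bundle (-verify_return_error turns a verify error into a
# handshake failure instead of a warning).
check_proxy_target() {
    host=$1 port=$2 bundle=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$bundle" -verify_return_error -brief </dev/null
}

# Constructed test material: a private CA, a leaf signed by it standing in for
# the proxy target's certificate, and an unrelated CA standing in for a trust
# store (like the system one) that does not contain our CA.
make_test_ca() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
        -subj "/CN=Test Proxy CA" -keyout "$dir/private-ca.key" \
        -out "$dir/private-ca.pem" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=dovecot" -keyout "$dir/proxy-leaf.key" \
        -out "$dir/proxy-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/proxy-leaf.csr" -CA "$dir/private-ca.pem" \
        -CAkey "$dir/private-ca.key" -CAcreateserial -days 1 \
        -out "$dir/proxy-leaf.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
        -subj "/CN=Unrelated Root" -keyout "$dir/other-ca.key" \
        -out "$dir/other-ca.pem" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_test_ca "$tmp"
    build_ssl_ca_bundle "$tmp/ssl_ca.pem" "$tmp/private-ca.pem" "$tmp/other-ca.pem"
    echo "CAs in the ssl_ca bundle:"
    list_bundle_subjects "$tmp/ssl_ca.pem"
    if verify_leaf_against "$tmp/other-ca.pem" "$tmp/proxy-leaf.pem"; then
        echo "unexpected: a store without the private CA verified the leaf"
    else
        echo "store without the private CA rejects the leaf (expected)"
    fi
    if verify_leaf_against "$tmp/ssl_ca.pem" "$tmp/proxy-leaf.pem"; then
        echo "bundle containing the private CA verifies the leaf (expected)"
    fi
    rm -rf "$tmp"
    # Live check against the real proxy target, bundle path is an assumption.
    if [ $# -gt 0 ]; then
        check_proxy_target "$1" "${2:-993}" /etc/dovecot/tls/ssl_ca.pem
    fi
}

if [ "${0##*/}" = "check-proxy-ca.sh" ]; then main "$@"; fi
```

The self-test shows what the failure from the post looks like from the outside: the same leaf is rejected by a store that lacks the private CA and accepted once the CA is in the bundle. Pointing `ssl_ca` at the bundle built by `build_ssl_ca_bundle` (with /etc/ssl/certs/ca-certificates.crt as the optional system store) is the configuration the quoted documentation describes; `check_proxy_target dovecot 993 <bundle>` then confirms the live chain before Dovecot is restarted.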