specify certificate of CA in Dovecot

In Postfix, I have specified my private key, my certificate, and the certificate of my CA

smtpd_tls_CAfile     = /etc/ssl/cacert.pem
smtpd_tls_key_file   = /etc/ssl/server.key
smtpd_tls_cert_file  = /etc/ssl/server.pem

In Dovecot, there are only options to specify my key and my cert:

ssl_cert = </etc/ssl/server.pem
ssl_key = </etc/ssl/server.key

How do I specify the certificate of my CA?


The problem is, when I connect with a client to my port 993, I get a certificate error. Using openssl s_client -connect server:993 I get this error:

verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1

I don’t get this error when I connect to port 465 (Postfix):

openssl s_client -connect server:465
Asked By: Martin Vegter


A certificate and key are needed if the application works as an SSL server, i.e. the certificate is the one presented to the client.
A list of trusted CAs is needed if the application works as an SSL client and thus needs to verify the certificate presented by the server.

While Postfix works as both a server (accepting mail) and a client (delivering mail to another mail server), Dovecot is only a server and thus does not need a list of trusted CAs.

Answered By: Steffen Ullrich

What you need is a chain certificate. You can create one like this:

cat /etc/ssl/server.pem /etc/ssl/cacert.pem > /etc/ssl/chain.pem

and then use the chain as the server certificate:

ssl_cert = </etc/ssl/chain.pem
ssl_key = </etc/ssl/server.key

Now when you connect with openssl s_client, you should get no errors (provided everything else is set up correctly).

Answered By: user1968963

In general the server offers to the requesting client the server certificate plus the certificates of all intermediate certification authorities, so that the client can match the top certificate of the chain to one of its trusted (root) certificates. That is true for Apache, Dovecot and Postfix. Dovecot doesn't seem to have a setting for the trust chain, so in this case the trust chain has to be merged with the server certificate and the merged file pointed to by ssl_cert:

ssl_cert = </etc/ssl/server-plus-chain.pem

The order of the certificates is:

  1. server cert
  2. intermediary certs

The last intermediary cert is issued by the trusted root cert the client has available.

Answered By: Hubert Schumacher
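The two answers above (user1968963's and Hubert Schumacher's) both come down to the same file: the server certificate first, then the intermediates, in one PEM file that ssl_cert points to. The script below is an added example, not code from any answer or from the Dovecot project, that builds such a file and checks it the way a connecting client would: the first certificate must be an end-entity certificate, and the remaining certificates must form a path from it to a root the client already trusts. To run offline it constructs a throwaway root / intermediate / server PKI with openssl; the CN mail.example.test, the file names and the check_chain and make_test_pki function names are assumptions made here. Only the openssl CLI (1.1.1 or 3.x) is required.

```shell
#!/bin/sh
# Added example, not from the original post: build a Dovecot ssl_cert chain
# file and check it the way a client would (leaf first, then intermediates,
# ending at a root the client trusts). All names below are constructed here.
set -u

# make_test_pki DIR: constructs a throwaway root -> intermediate -> server PKI
# so the check runs offline. In production server.pem and the intermediate
# come from your CA; only check_chain() is needed there.
make_test_pki() {
    dir=$1
    cat >"$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
    (
        cd "$dir" &&
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -config pki.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
            -keyout root.key -out root.pem &&
        openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
            -subj "/CN=Example Intermediate CA" \
            -keyout intermediate.key -out intermediate.csr &&
        openssl x509 -req -sha256 -days 30 -in intermediate.csr \
            -CA root.pem -CAkey root.key -CAcreateserial \
            -extfile pki.cnf -extensions v3_ca -out intermediate.pem &&
        openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
            -subj "/CN=mail.example.test" \
            -keyout server.key -out server.csr &&
        openssl x509 -req -sha256 -days 30 -in server.csr \
            -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
            -extfile pki.cnf -extensions v3_server -out server.pem
    ) >/dev/null 2>&1
}

# check_chain CHAIN ROOT: returns 0 only if CHAIN is usable as Dovecot's
# ssl_cert for a client that trusts ROOT: the first certificate is the
# server's (not a CA), and the rest lead from it up to ROOT.
check_chain() {
    chain=$1 root=$2
    tmp=$(mktemp -d) || return 1
    # split the PEM file into one file per certificate, preserving order
    awk -v out="$tmp/cert" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s%03d.pem", out, n) }
        n > 0 { print > f }' "$chain"
    leaf="$tmp/cert001.pem"
    if [ ! -s "$leaf" ]; then
        echo "$chain: no certificate found" >&2; rm -rf "$tmp"; return 1
    fi
    # 1) a CA certificate in first position means the order is wrong
    if openssl x509 -in "$leaf" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$chain: first certificate is a CA certificate (wrong order)" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2) everything after the leaf is what a client uses as untrusted
    #    intermediates to build a path to a root it already trusts
    rest="$tmp/untrusted.pem"
    : >"$rest"
    for f in "$tmp"/cert*.pem; do [ "$f" = "$leaf" ] || cat "$f" >>"$rest"; done
    if [ -s "$rest" ]; then
        openssl verify -purpose sslserver -CAfile "$root" -untrusted "$rest" "$leaf"
    else
        openssl verify -purpose sslserver -CAfile "$root" "$leaf"
    fi >/dev/null 2>&1
    status=$?
    rm -rf "$tmp"
    [ "$status" -eq 0 ] || echo "$chain: chain does not verify against $root" >&2
    return "$status"
}

# Demonstration: the leaf alone reproduces the question's "unable to verify
# the first certificate", leaf + intermediate passes, reversed order fails.
demo=$(mktemp -d)
make_test_pki "$demo" || { echo "could not build the test PKI" >&2; exit 1; }
cat "$demo/server.pem" "$demo/intermediate.pem" >"$demo/chain.pem"
cat "$demo/intermediate.pem" "$demo/server.pem" >"$demo/reversed.pem"
for f in server.pem chain.pem reversed.pem; do
    if check_chain "$demo/$f" "$demo/root.pem"; then
        echo "$f: OK, usable as ssl_cert = <$demo/$f"
    else
        echo "$f: FAIL"
    fi
done
```

Point check_chain at the real files (`check_chain /etc/ssl/chain.pem /path/to/your-root.pem`) before restarting Dovecot; the root file is whichever root the client side trusts, which is not what goes into the chain. Splitting the file and passing the remainder as -untrusted mirrors what a TLS client does with the certificate list the server sends, so a file that passes here should also clear `openssl s_client -connect server:993 -CAfile root.pem` once Dovecot serves it.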

If you have multiple CA certificate files, it is possible to solve this as follows:

ssl_verify_client_cert = yes
ssl_ca = </etc/ssl/myssl/startssl.pem
ssl_ca = </etc/ssl/myssl/sub.class2.server.ca.pem
Answered By: Pavel Laupe Dvorak