Dovecot SNI presents wrong certificate

Discussion in 'Installation/Configuration' started by Nap, Mar 11, 2016.

  1. Nap

    Nap Member

    I have added
    Code:
    local_name domain1.com {
      ssl_cert = </etc/letsencrypt/live/domain1.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/domain1.com/privkey.pem
    }
    
    local_name domain2.com {
      ssl_cert = </etc/letsencrypt/live/domain2.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/domain2.com/privkey.pem
    }
    
    
to my /etc/dovecot.conf file. However, when I use:
    Code:
    openssl s_client -tls1 -starttls smtp -connect domain2.com:587 -servername domain2.com
    to test the setup, the certificate is from domain1.com, not domain2.com. When I connect from my Outlook 2007 client, I have the same problem, and I get the 'do you trust cert' warning.

I've searched everywhere but can't find any advice on how to fix this problem. What have I missed in my /etc/dovecot.conf file?
     
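The following is an added example, not code from the poster or from the Dovecot project: a small POSIX shell script that runs the same openssl s_client probe for a chosen SNI name and then checks whether the CN the server presents actually covers that name, so a wrong-certificate answer shows up as a FAIL line instead of having to be read out of the s_client dump. One caveat when using it against this thread's setup: the local_name blocks in dovecot.conf only govern the certificate served by Dovecot's own listeners (IMAP on 143/993, POP3 on 110/995); port 587 is the SMTP submission port, which is normally answered by the MTA (Postfix or similar) from its own TLS configuration. The host names, ports, file name and sample s_client output in the script are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): probe a TLS
# listener with a given SNI name and check that the certificate it presents
# actually covers that name. Needs only openssl s_client and POSIX tools.
# Assumed file name: sni_check.sh (hypothetical).

# Read `openssl s_client` output on stdin and print the leaf certificate's
# subject CN. Handles both the "subject=CN = x" form (OpenSSL 1.1+) and the
# older "subject=/C=US/CN=x" form.
subject_cn() {
  sed -n '/^subject=/{
    s|^subject=.*CN *= *\([^,/]*\).*|\1|
    s|[[:space:]]*$||
    p
    q
  }'
}

# Return 0 if certificate name $1 covers requested host $2: an exact match,
# or a single-label wildcard such as *.example.com covering mail.example.com
# (but not example.com itself, and not a.b.example.com).
name_covers() {
  cert="$1"
  want="$2"
  [ "$cert" = "$want" ] && return 0
  case "$cert" in
    \*.*)
      suffix="${cert#\*}"   # "*.example.com"    -> ".example.com"
      rest="${want#*.}"     # "mail.example.com" -> "example.com"
      [ "$rest" != "$want" ] && [ ".$rest" = "$suffix" ] && return 0
      ;;
  esac
  return 1
}

# Connect to $1:$2 asking for SNI name $3, using STARTTLS on the usual
# plaintext ports and implicit TLS otherwise, and report the served CN.
probe_sni() {
  host="$1"
  port="$2"
  name="$3"
  case "$port" in
    143)    starttls="-starttls imap" ;;
    110)    starttls="-starttls pop3" ;;
    25|587) starttls="-starttls smtp" ;;
    *)      starttls="" ;;
  esac
  # $starttls is intentionally unquoted so it splits into two arguments.
  served=$(openssl s_client -connect "$host:$port" -servername "$name" \
             $starttls </dev/null 2>/dev/null | subject_cn)
  if name_covers "$served" "$name"; then
    echo "OK   $host:$port sni=$name served CN=$served"
    return 0
  fi
  echo "FAIL $host:$port sni=$name served CN=${served:-<none>}"
  return 1
}

# Usage: sh sni_check.sh HOST PORT SNI_NAME
# e.g.   sh sni_check.sh mail.example.com 993 domain2.com   (placeholder names)
if [ "$#" -eq 3 ]; then
  probe_sni "$1" "$2" "$3"
fi
```

Run it once per local_name block against port 993 (or 143); the served CN should change with the SNI name. If it stays at the server's default certificate for every name, the local_name blocks are not being picked up, and comparing the ssl_cert lines in the output of doveconf -n with the file is the next step.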
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Did you try other mail clients? I'm not sure, but I doubt Outlook 2007 already supports SNI.
     
  3. Nap

    Nap Member

    I tried with OSX Mail (El Capitan) and it didn't work either. Gave me the default certificate for the server.
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    I'm sorry, I kinda misread your test result for the openssl command, thought it did work with that.
    Basically you're doing it right; the issue could be that the certs are either not readable or have too-wide chmods.
    I'd suggest making dovecot a lil more verbose on the logs, restart and look what it says.

    Edit: Just read. Check
    Code:
    $ doveconf -n
    and set
    Code:
    verbose_ssl = yes
     
    Last edited: Mar 11, 2016
  5. Nap

    Nap Member

    Thanks for the tip ztk.me, I'll check the logs and hopefully it will lead me to the problem.
     