Hi! My new multiserver setup is coming together. I'm trying the mail setup today and realised there is an issue with my dsync setup. The servers and config:

mail01.xxx.com (DSync)
mail02.xxx.com (DSync, server is mirror of mail01 in ISPConfig)

This works fine:
Code:
mail01> doveadm sync -A tcps:mail02.xxx.com

But the other way around does not:
Code:
doveadm sync -A tcps:mail01.xxx.com
doveadm([email protected]): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: self signed certificate: /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd (check ssl_client_ca_* settings?)
doveadm([email protected]): Error: Disconnected from remote: Received invalid SSL certificate: self signed certificate: /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd (check ssl_client_ca_* settings?)

So this seems like a certificate issue, so I've checked the mail01 server, and that's right, I forgot to open port 80 in the firewall so the acme challenge for Let's Encrypt didn't work. I fixed the issue and the cert got created successfully. I've rebooted both machines and tested it again but ran into the same issue.

The configs in /etc/dovecot/conf.d/99-ispconfig-custom-config.conf seem fine for both. Here for mail01.xxx.com:
Code:
protocol imap {
  mail_plugins = $mail_plugins quota imap_quota notify replication
}
protocol pop3 {
  mail_plugins = $mail_plugins quota notify replication
}
protocol lda {
  mail_plugins = $mail_plugins sieve quota notify replication
}
protocol lmtp {
  mail_plugins = $mail_plugins sieve quota notify replication
}

doveadm_password = XXXX
doveadm_port = 7742
replication_max_conns = 50
ssl_client_ca_dir = /etc/ssl/certs

# Replicator process should be started at startup, so it can start replicating users immediately:
service replicator {
  process_min_avail = 1
}

# The mail processes need to have access to the replication-notify fifo and socket.
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
    mode = 0666
  }
  unix_listener replication-notify {
    user = vmail
    mode = 0666
  }
}

# Enable doveadm replicator commands
service replicator {
  unix_listener replicator-doveadm {
    mode = 0666
  }
}

# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 7742
    ssl = yes
  }
}

service config {
  unix_listener config {
    user = vmail
  }
}

plugin {
  mail_replica = tcps:mail02.xxx.com
}

And here for mail02:
Code:
protocol imap {
  mail_plugins = $mail_plugins quota imap_quota notify replication
}
protocol pop3 {
  mail_plugins = $mail_plugins quota notify replication
}
protocol lda {
  mail_plugins = $mail_plugins sieve quota notify replication
}
protocol lmtp {
  mail_plugins = $mail_plugins sieve quota notify replication
}

doveadm_password = XXX
doveadm_port = 7742
replication_max_conns = 50
ssl_client_ca_dir = /etc/ssl/certs

# Replicator process should be started at startup, so it can start replicating users immediately:
service replicator {
  process_min_avail = 1
}

# The mail processes need to have access to the replication-notify fifo and socket.
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
    mode = 0666
  }
  unix_listener replication-notify {
    user = vmail
    mode = 0666
  }
}

# Enable doveadm replicator commands
service replicator {
  unix_listener replicator-doveadm {
    mode = 0666
  }
}

# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 7742
    ssl = yes
  }
}

service config {
  unix_listener config {
    user = vmail
  }
}

plugin {
  mail_replica = tcps:mail01.xxx.com
}

The /etc/dovecot/conf.d/10-ssl.conf seems fine for both too:
Code:
##
## SSL settings
##
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
#ssl_require_crl = yes
ssl_client_ca_dir = /etc/ssl/certs

I've checked both certificates in /etc/dovecot/private; they are both for the correct host but self-signed.
How is this working one way but not the other? And shouldn't there be the correct certificates provided by Let's Encrypt?
Files in the folder /etc/dovecot/conf.d/ do not get included into the Dovecot config on ISPConfig systems with the exception of 99-ispconfig-custom-config.conf. So anything in the file /etc/dovecot/conf.d/10-ssl.conf gets ignored. The SSL config for dovecot can be found in the file /etc/dovecot/dovecot.conf.
Oh my... Thank you for elaborating. I've checked both and can see the issue now. mail02 has the valid Let's Encrypt cert in /etc/postfix/smtpd.crt, which Dovecot uses, but mail01 doesn't. How can I replace the certificate in /etc/postfix/smtpd with the correct one using ISPConfig, or do I have to do it manually and copy over the cert from /root/.acme.sh/mail01.xxx.com/mail01.xxx.com.cer?
/etc/postfix/smtpd.crt is normally a symlink to the ISPConfig SSL cert, which is in the /usr/local/ispconfig/interface/ssl/ folder. So most likely your ISPConfig SSL cert is not correct then. The ISPConfig SSL cert can be recreated by using the ISPConfig updater: ispconfig_update.sh --force
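The two checks this thread works through, as an added example that is not code from the thread, from ISPConfig or from Dovecot: a small Python script that resolves where /etc/postfix/smtpd.crt really points, compares its SHA-256 fingerprint with the acme.sh certificate, and then performs the same CA-directory verification against the doveadm port that a tcps: dsync connection does, so the "self signed certificate" reason shows up before replication is attempted. The port 7742, the CA directory /etc/ssl/certs and the file paths are the ones posted above; the host defaults to mail01.xxx.com from the thread, and the file names and PEM blobs used inside demo_offline() are constructed placeholders, not real certificates.

```python
"""Added diagnostic for the dsync TLS failure in this thread (not ISPConfig code)."""
import hashlib
import os
import socket
import ssl
import sys
import tempfile

DOVEADM_PORT = 7742        # doveadm_port from the posted config
CA_DIR = "/etc/ssl/certs"  # ssl_client_ca_dir from the posted config

# Paths from the thread (mail01). The acme.sh path is the one the poster named.
SMTPD_CRT = "/etc/postfix/smtpd.crt"
ACME_CER = "/root/.acme.sh/mail01.xxx.com/mail01.xxx.com.cer"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed PEM blobs for the offline self-check: valid base64, NOT real
# certificates. They only exercise the symlink/fingerprint plumbing.
SAMPLE_PEM_A = f"{PEM_BEGIN}\nY29uc3RydWN0ZWQtc2FtcGxlLUE=\n{PEM_END}\n"
SAMPLE_PEM_B = f"{PEM_BEGIN}\nY29uc3RydWN0ZWQtc2FtcGxlLUI=\n{PEM_END}\n"


def first_pem_block(text: str) -> str:
    """Return only the leaf certificate; smtpd.crt may carry a whole chain."""
    start = text.index(PEM_BEGIN)
    end = text.index(PEM_END, start) + len(PEM_END)
    return text[start:end]


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in pem_text."""
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text))
    return hashlib.sha256(der).hexdigest()


def resolve_cert_path(path: str) -> str:
    """Follow symlinks, e.g. smtpd.crt -> the ISPConfig interface/ssl directory."""
    return os.path.realpath(path)


def fingerprint_file(path: str) -> str:
    with open(path, encoding="ascii") as fh:
        return cert_fingerprint(fh.read())


def files_match(path_a: str, path_b: str) -> bool:
    """True when both files carry the same leaf certificate."""
    return fingerprint_file(path_a) == fingerprint_file(path_b)


def probe_doveadm_tls(host, port=DOVEADM_PORT, capath=CA_DIR, timeout=5.0):
    """Handshake like dsync's tcps: client: verify the served cert against capath.
    Returns (verified, detail); detail is OpenSSL's reason when it fails."""
    ctx = ssl.create_default_context(capath=capath)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, "certificate verified against " + capath
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message   # e.g. "self signed certificate"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def fetch_served_cert(host, port=DOVEADM_PORT, timeout=5.0) -> str:
    """Fingerprint of whatever the doveadm listener serves, fetched without
    verification so a rejected cert can still be matched to a file on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def demo_offline() -> dict:
    """Offline self-check: an smtpd.crt symlink into an ISPConfig-style ssl dir
    next to a differing acme.sh cert, mirroring the mail01 situation above."""
    with tempfile.TemporaryDirectory() as tmp:
        isp_dir = os.path.join(tmp, "ispconfig-ssl")
        os.mkdir(isp_dir)
        isp_cert = os.path.join(isp_dir, "ispconfig.crt")   # placeholder name
        acme_cert = os.path.join(tmp, "acme.cer")           # placeholder name
        smtpd_crt = os.path.join(tmp, "smtpd.crt")
        with open(isp_cert, "w") as fh:
            fh.write(SAMPLE_PEM_A)
        with open(acme_cert, "w") as fh:
            fh.write(SAMPLE_PEM_B)
        os.symlink(isp_cert, smtpd_crt)
        return {
            "smtpd_points_to_ispconfig": resolve_cert_path(smtpd_crt) == os.path.realpath(isp_cert),
            "smtpd_matches_ispconfig": files_match(smtpd_crt, isp_cert),
            "smtpd_matches_acme": files_match(smtpd_crt, acme_cert),
        }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail01.xxx.com"
    print("smtpd.crt resolves to:", resolve_cert_path(SMTPD_CRT))
    if os.path.exists(SMTPD_CRT) and os.path.exists(ACME_CER):
        print("smtpd.crt is the acme.sh cert:", files_match(SMTPD_CRT, ACME_CER))
    ok, detail = probe_doveadm_tls(host)
    print(f"doveadm TLS on {host}:{DOVEADM_PORT}: {'OK' if ok else 'FAIL'} ({detail})")
    if not ok:
        try:
            print("served cert fingerprint:", fetch_served_cert(host))
        except OSError as exc:
            print("could not fetch served cert:", exc)
```

Run it on the server that is being connected to (here mail01) to see whether smtpd.crt still points at a self-signed ISPConfig certificate, and from the other server with the hostname as argument to reproduce the exact verification dsync performs; a match between the served fingerprint and fingerprint_file(SMTPD_CRT) confirms Dovecot is serving the symlinked file, so fixing that file (or recreating it as described above) and restarting Dovecot is what changes the result.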
Thank you! I've moved the cert files in /usr/local/ispconfig/interface/ssl/ to *.backup, ran ispconfig_update.sh --force, skipped everything and did no reconfiguration. The certificate got renewed and after a restart of Dovecot the dsync works! Cheers to you, till, again for helping so much throughout the entire process of setting up my multiserver setup.