Univention Bugzilla – Bug 41018
Using own SSL certificate for dovecot results in missing sieve script
Last modified: 2018-12-05 14:39:02 CET
Using one's own SSL certificate as described and adopted from the wiki results in a bug in user creation. After setting mail/dovecot/ssl/certificate and mail/dovecot/ssl/key to own files, adding a new user on the command line or from the UI gives the following in /var/log/univention/listener.log:

```
STARTTLS promotion failed: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
STARTTLS promotion failed: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
07.04.16 11:26:57.779 LISTENER ( PROCESS ) : dovecot: Added mail account 'test@DOMAIN'.
```

The corresponding mailbox in /var/log/dovecot/private/DOMAIN/test is not created. This may be due to the fact that the certificate has a different name from the hostname of the system, which is perfectly fine as the name is resolved via DNS. The first login via Horde creates all needed directories.

A possible solution is specifying the original certificate in /etc/dovecot/conf.d/10-ssl (or better in the template) for connections to sieve from localhost:

```
local 127.0.1.1 {
  protocol sieve {
    ssl_cert = </etc/univention/ssl/DOMAIN/cert.pem
    ssl_key = </etc/univention/ssl/DOMAIN/private.key
  }
}
```

This solution results in these log messages:

```
Sieve/IMAP Password:
Sieve/IMAP Password:
07.04.16 11:39:55.048 LISTENER ( PROCESS ) : dovecot: Added mail account 'test@DOMAIN'.
```

What does the user creation script do there, login via sieve and set some filters?
(In reply to robert.evert from comment #0)

> The corresponding mailbox in /var/log/dovecot/private/DOMAIN/test is not
> created. This may be due to the fact, that the certificate has a different
> name from the hostname of the system, which is perfectly fine as the name is
> resolved via DNS. The first login via Horde creates all needed directories.

You are right. The system's FQDN is used for the sieve connection. If the FQDN does not match the SSL certificate, the connection will fail.

Btw: the mailbox is located at /var/spool/dovecot/private/DOMAIN/LOCALPART/.

> What does the user creation script do there, login via sieve and set some
> filters?

The listener module uploads an initial sieve script. During this action, the mailbox is automatically created by dovecot.

Daniel and I have decided that it makes more sense to customize UCS to handle third-party certificates throughout. If the Dovecot system uses a different certificate for connections from localhost, this a) causes confusion and b) can cause new errors.

I added a new UCR variable mail/dovecot/sieve/client/server for specifying the external FQDN (that matches the SSL certificate).

d6170d9933 Bug #41018: Merge branch 'sschwardt/41018/4.3/sieve-and-foreign-certificates' into 4.3-2
43f4d56806 Bug #41018: add advisory
5f18c30672 Bug #41018: add changelog entry
3018b3f1a9 Bug #41018: added UCR variable mail/dovecot/sieve/client/server

Package: univention-mail-dovecot
Version: 4.0.0-12A~4.3.0.201811231221
Branch: ucs_4.3-0
Scope: errata4.3-2
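The failure discussed above is a plain hostname-versus-certificate mismatch: the listener opens a STARTTLS connection to the system's FQDN, and the name it connects to has to be covered by a dNSName (or CN) in the certificate Dovecot now presents, otherwise the TLS client rejects it with "certificate verify failed". The following is an added example, not Univention's listener code or the sieve-connect client it uses; it implements the RFC 6125 style name matching that such a client performs, so an admin can check offline which name a certificate covers before setting a UCR variable such as mail/dovecot/sieve/client/server. The certificate names and host names in it are constructed.

```python
"""Check which connection name a Dovecot certificate is valid for (added example)."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one dNSName/CN entry from a certificate covers hostname.

    Rules follow RFC 6125 / RFC 9525 presented-identifier matching:
    - comparison is case-insensitive, label by label;
    - a wildcard is only allowed as the complete leftmost label;
    - the wildcard label must not be the only label left of a public-looking
      suffix (we require at least three labels, e.g. "*.example.com");
    - a wildcard matches exactly one label, never "a.b.example.com".
    """
    cert_labels = cert_name.strip(".").lower().split(".")
    host_labels = hostname.strip(".").lower().split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        if cert_labels[0] != "*":
            return False  # partial wildcards like "ma*.example.com" are rejected
        if len(cert_labels) < 3:
            return False  # "*.com" would be far too broad
        if any("*" in label for label in cert_labels[1:]):
            return False  # only the leftmost label may be a wildcard
    for cert_label, host_label in zip(cert_labels, host_labels):
        if cert_label != "*" and cert_label != host_label:
            return False
    return True


def matching_names(cert_names, hostname):
    """All certificate names that cover hostname (empty list means TLS would fail)."""
    return [name for name in cert_names if hostname_matches(name, hostname)]


def choose_sieve_server(cert_names, candidates):
    """Return the first candidate host name the certificate covers, or None.

    candidates are the names an admin could configure for the sieve client
    (the system FQDN first, then an external name); the first that matches is
    the value that avoids the 'certificate verify failed' error.
    """
    for host in candidates:
        if matching_names(cert_names, host):
            return host
    return None


# Constructed inputs: a third-party certificate issued for the public mail name,
# and the two names a UCS system might use for its sieve connection.
CERT_NAMES = ["mail.example.com", "*.example.com"]   # SAN dNSName entries
SYSTEM_FQDN = "ucs-master.intranet.example"          # what the listener used before the fix
EXTERNAL_NAME = "mail.example.com"                   # hypothetical value for mail/dovecot/sieve/client/server

if __name__ == "__main__":
    for host in (SYSTEM_FQDN, EXTERNAL_NAME):
        covered = matching_names(CERT_NAMES, host)
        status = "ok" if covered else "certificate verify would fail"
        print(f"{host}: {status} {covered}")
    print("use for sieve client:", choose_sieve_server(CERT_NAMES, [SYSTEM_FQDN, EXTERNAL_NAME]))
```

Run it as-is and the internal FQDN is reported as not covered while the external name is, which is exactly the situation the new UCR variable is meant to resolve; replace CERT_NAMES with the dNSName entries of a real certificate (for instance as printed by openssl x509 -noout -ext subjectAltName) to check a production setup.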
Something seems to be wrong with letsencrypt certs.
(In reply to Sönke Schwardt-Krummrich from comment #2)

> Something seems to be wrong with letsencrypt certs.

The CA file for sieve-connect was not correctly configured. The correct setting is:

```
mail/dovecot/sieve/client/cafile=/etc/ssl/certs/ca-certificates.crt
```

But this is not part of this bug → back to RESOLVED.
49ad68c41c Bug #41018: update UCR variable descriptions

Package: univention-mail-dovecot
Version: 4.0.0-13A~4.3.0.201812041012
Branch: ucs_4.3-0
Scope: errata4.3-2
3eea982be8 Bug #41018: update advisory
OK: manual test with different UCSV combinations
OK: texts
<http://errata.software-univention.de/ucs/4.3/360.html>