Bug 48247 - Let's Encrypt: configure dovecot listener module correctly
Status: NEW
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
UCS 4.3
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on: 41018
Reported: 2018-11-30 14:31 CET by Sönke Schwardt-Krummrich
Modified: 2020-02-06 17:11 CET (History)

What kind of report is it?: Feature Request
School Customer affected?: Yes
Description Sönke Schwardt-Krummrich univentionstaff 2018-11-30 14:31:54 CET
If the local dovecot system is configured to use the Let's Encrypt certificate:

mail/dovecot/ssl/cafile=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/key=/etc/univention/letsencrypt/domain.key

the listener module should also be configured to use the correct cafile while uploading a sieve script for new users:

mail/dovecot/sieve/client/cafile=/etc/ssl/certs/ca-certificates.crt

If this UCR variable is not set, the UCS CA file is used and the sieve upload will fail → new users start without a basic sieve script and spam is placed within the inbox.
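Added example, not part of the report: a stdlib-only Python check that reproduces the failure mode described above without touching the managesieve port. It performs the TLS handshake in memory, with the "client" trusting mail/dovecot/sieve/client/cafile and expecting the name in mail/dovecot/sieve/client/server, and the "server" presenting mail/dovecot/ssl/certificate and mail/dovecot/ssl/key. The UCR values are passed in as a plain dict (assumed to be filled from `ucr get` in real use); the FQDN in the usage block is a placeholder.

```python
import os
import ssl

# UCR variables named in the bug report.
CERT = "mail/dovecot/ssl/certificate"
KEY = "mail/dovecot/ssl/key"
CAFILE = "mail/dovecot/sieve/client/cafile"
SERVER = "mail/dovecot/sieve/client/server"


def check_sieve_client_tls(ucr):
    """Return a list of problems; empty means the sieve client would accept dovecot's certificate."""
    problems = []
    for var in (CERT, KEY, CAFILE, SERVER):
        if not ucr.get(var):
            problems.append("%s is not set" % var)
    for var in (CERT, KEY, CAFILE):
        if ucr.get(var) and not os.path.isfile(ucr[var]):
            problems.append("%s points to missing file %s" % (var, ucr[var]))
    if problems:
        return problems
    try:
        # Server side: what dovecot presents on the managesieve port.
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(ucr[CERT], ucr[KEY])
        # Client side: what the listener's sieve client trusts (chain + hostname check).
        cli = ssl.create_default_context(cafile=ucr[CAFILE])
        to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
        server = srv.wrap_bio(to_server, to_client, server_side=True)
        client = cli.wrap_bio(to_client, to_server, server_hostname=ucr[SERVER])
        pending = [client, server]
        for _ in range(20):  # a handshake needs only a few round trips
            for obj in list(pending):
                try:
                    obj.do_handshake()
                    pending.remove(obj)
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
            if not pending:
                break
        else:
            problems.append("handshake did not complete")
    except ssl.SSLError as exc:  # wrong CA, wrong FQDN, key/cert mismatch, bad PEM
        problems.append("sieve client would reject dovecot: %s" % exc)
    return problems


if __name__ == "__main__":
    example = {CERT: "/etc/univention/letsencrypt/signed_chain.crt",
               KEY: "/etc/univention/letsencrypt/domain.key",
               CAFILE: "/etc/ssl/certs/ca-certificates.crt",
               SERVER: "mail.example.invalid"}  # placeholder FQDN, not from the report
    print("\n".join(check_sieve_client_tls(example) or ["ok"]))
```

With the UCS CA file configured as cafile while dovecot serves the Let's Encrypt chain, the returned problem is the same certificate verification error that makes the listener's sieve upload fail.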
Comment 1 Erik Damrose univentionstaff 2018-12-05 10:36:52 CET
When implementing this, make sure to depend on the correct packages, as the UCRV was implemented in bug 41018.
Comment 2 Erik Damrose univentionstaff 2018-12-05 10:41:59 CET
I was wrong: mail/dovecot/sieve/client/cafile was introduced in 2015; the referenced bug introduced the UCRV mail/dovecot/sieve/client/server.
Comment 3 Daniel Tröder univentionstaff 2018-12-05 11:15:05 CET
No, you were correct. Bug #41018 is required for this to work: both the CA and the FQDN that the sieve-client uses must fit.
Comment 4 Daniel Tröder univentionstaff 2018-12-05 11:22:00 CET
This bug is about making the Let's Encrypt app automatically set those UCRVs, isn't it?
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-12-20 21:29:06 CET
(In reply to Daniel Tröder from comment #4)
> This bug is about making the let's encrypt app automatically set those
> UCRVs, isn't it?

Yes, that was my initial intention. But as we already noticed, dovecot is also able to use SNI and can therefore handle multiple SSL certificates, which would be the much better approach.
Comment 6 Erik Damrose univentionstaff 2020-02-06 17:11:18 CET
UCS 4.4e45 introduced SNI support for dovecot in bug 48485. The letsencrypt app should configure its certificates via SNI in addition to the default