Univention Bugzilla – Bug 50192
Let's encrypt sets mail/dovecot/ssl/cafile, but should not
Last modified: 2019-09-13 16:54:19 CEST
According to https://wiki.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication the option "ssl_ca = < /path/to/ca.crt" is used, to verify CLIENT certificates during client authentication. So, I do not see, why the Let's encrypt root CA is defined here (via UCRV "mail/dovecot/ssl/cafile"), since clients usually do not use LE certificates for authentication. By default, "ssl_verify_client_cert = yes" is automatically set by the UCR template if "mail/dovecot/ssl/cafile" is set, which causes dovecot to ask clients to send a certificate during authentication. Luckily, auth_ssl_require_client_cert = yes" is not set by default. Otherwise, no client would be able to connect to dovecot. If a client automatically sends a certificate, I suspect that it will fail with the LE root CA set in the option "ssl_ca". Due to Bug 50105, the config option "ssl_ca" is currently not correctly filled with a proper root CA, which might prevent problems with certificate-sending clients and LE app on the mailserver.