Bug 50192

Summary:	Let's encrypt sets mail/dovecot/ssl/cafile, but should not
Product:	UCS	Reporter:	Sönke Schwardt-Krummrich <schwardt>
Component:	Let's Encrypt	Assignee:	UCS maintainers <ucs-maintainers>
Status:	NEW ---	QA Contact:	UCS maintainers <ucs-maintainers>
Severity:	normal
Priority:	P5
Version:	UCS 4.4
Target Milestone:	---
Hardware:	Other
OS:	Linux
See Also:	https://forge.univention.org/bugzilla/show_bug.cgi?id=50105
What kind of report is it?:	Bug Report	What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	1: Will affect a very few installed domains	How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.017	Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):
Max CVSS v3 score:

Description Sönke Schwardt-Krummrich

2019-09-13 16:53:17 CEST

According to 
https://wiki.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication
the option "ssl_ca = < /path/to/ca.crt" is used, to verify CLIENT certificates during client authentication. 
So, I do not see, why the Let's encrypt root CA is defined here (via UCRV "mail/dovecot/ssl/cafile"), since clients usually do not use LE certificates for authentication.

By default, "ssl_verify_client_cert = yes" is automatically set by the UCR template if "mail/dovecot/ssl/cafile" is set, which causes dovecot to ask clients to send a certificate during authentication. 
Luckily, auth_ssl_require_client_cert = yes" is not set by default. Otherwise, no client would be able to connect to dovecot. If a client automatically sends a certificate, I suspect that it will fail with the LE root CA set in the option "ssl_ca".

Due to Bug 50105, the config option "ssl_ca" is currently not correctly filled with a proper root CA, which might prevent problems with certificate-sending clients and LE app on the mailserver.