Bug 48485 - Dovecot should support multiple SSL certificates with SNI
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Erik Damrose
QA Contact: Daniel Tröder
Depends on:
Blocks:
Reported: 2019-01-17 14:48 CET by Sönke Schwardt-Krummrich
Modified: 2019-04-10 14:19 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Sönke Schwardt-Krummrich univentionstaff 2019-01-17 14:48:47 CET
Dovecot should support multiple SSL certificates with SNI.

See Bug #48247. This is important in scenarios where Let's Encrypt is used.


+++ This bug was initially created as a clone of Bug #48247 +++

If the local dovecot system is configured to use the Let's Encrypt certificate:

mail/dovecot/ssl/cafile=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/key=/etc/univention/letsencrypt/domain.key

the listener module should also be configured to use the correct cafile while uploading a sieve script for new users:

mail/dovecot/sieve/client/cafile=/etc/ssl/certs/ca-certificates.crt

If this UCR variable is not set, the UCS CA file is used and the sieve upload will fail → new users start without a basic sieve script and spam is placed within the inbox.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-01-17 14:50:37 CET
Priority has been taken over from 48448. This bug is the better solution.
Comment 2 Erik Damrose univentionstaff 2019-03-22 15:59:09 CET
37f93386 Add SNI Support to univention-mail-dovecot

Additional FQDNs and certificates can be configured with UCRvs
mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate and
mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key

Testcase added: 40_mail/48_check_ssl_sni

3ce9f9c2 changelog
538bb3eb yaml
Comment 3 Daniel Tröder univentionstaff 2019-03-29 12:39:54 CET
OK: code
OK: automated test 40_mail/48_check_ssl_sni fails with univention-mail-dovecot=5.0.1-1 and succeeds with 5.0.1-4
OK: manual test:
# univention-certificate new -name foo2.bar2 -days 2
# ucr set mail/dovecot/ssl/sni/foo2.bar2/certificate=/etc/univention/ssl/foo2.bar2/cert.pem mail/dovecot/ssl/sni/foo2.bar2/key=/etc/univention/ssl/foo2.bar2/private.key
# grep foo2.bar2 /etc/dovecot/conf.d/10-ssl.conf
local_name foo2.bar2 {
  ssl_cert = < /etc/univention/ssl/foo2.bar2/cert.pem
  ssl_key = < /etc/univention/ssl/foo2.bar2/private.key
# service dovecot restart

(my notebook)# echo '10.200.3.141 m141-ox.uni.dtr m141-ox foo2.bar2' >> /etc/hosts

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr m141-ox.uni.dtr
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox
fetchmail: m141-ox.uni.dtr key fingerprint: 2D:B2:5A:64:CB:C5:26:6A:9E:69:91:7B:C1:AE:AF:54

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr foo2.bar2
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: foo2.bar2
fetchmail: Subject Alternative Name: foo2.bar2
fetchmail: Subject Alternative Name: foo2
fetchmail: foo2.bar2 key fingerprint: BF:C7:A2:D1:15:D5:BF:A1:00:D4:75:08:70:C4:04:21

OK: advisory
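The UCR variables introduced in comment 2 and the `local_name` blocks they produce in comment 3 can be modelled with the following added example. It is not the univention-mail-dovecot package's own template code; it assumes a flat dict of UCR variables as input, the constructed `SAMPLE_UCR`, and rejects half-configured or malformed entries instead of rendering them:

```python
import re

SNI_PREFIX = "mail/dovecot/ssl/sni/"
# A local_name must be a plain hostname; refuse anything else so a mistyped
# UCR key cannot inject arbitrary text into 10-ssl.conf.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample UCR dump: one complete SNI entry and one missing its key.
SAMPLE_UCR = {
    "mail/dovecot/ssl/sni/foo2.bar2/certificate": "/etc/univention/ssl/foo2.bar2/cert.pem",
    "mail/dovecot/ssl/sni/foo2.bar2/key": "/etc/univention/ssl/foo2.bar2/private.key",
    "mail/dovecot/ssl/sni/half.example/certificate": "/etc/ssl/half.pem",
}


def collect_sni(ucr):
    """Group mail/dovecot/ssl/sni/<fqdn>/{certificate,key} by fqdn.

    An fqdn with only one of the two variables is skipped and reported, so a
    half-configured name never ends up with a certificate but no private key.
    """
    per_host = {}
    for key, value in ucr.items():
        if not key.startswith(SNI_PREFIX):
            continue
        fqdn, sep, attr = key[len(SNI_PREFIX):].rpartition("/")
        if sep and attr in ("certificate", "key") and value:
            per_host.setdefault(fqdn, {})[attr] = value
    complete, warnings = {}, []
    for fqdn in sorted(per_host):
        entry = per_host[fqdn]
        if not HOSTNAME_RE.match(fqdn):
            warnings.append("ignoring invalid SNI hostname %r" % fqdn)
        elif "certificate" not in entry or "key" not in entry:
            warnings.append("%s: both certificate and key must be set" % fqdn)
        else:
            complete[fqdn] = entry
    return complete, warnings


def render_local_names(ucr):
    """Render local_name blocks in the form seen in /etc/dovecot/conf.d/10-ssl.conf."""
    complete, warnings = collect_sni(ucr)
    blocks = [
        "local_name %s {\n  ssl_cert = < %s\n  ssl_key = < %s\n}"
        % (fqdn, entry["certificate"], entry["key"])
        for fqdn, entry in complete.items()
    ]
    return "\n".join(blocks), warnings
```

Running `render_local_names(SAMPLE_UCR)` yields one block for foo2.bar2 and a warning for half.example; the dovecot default certificate from `mail/dovecot/ssl/certificate` is untouched because it lives outside the SNI prefix.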
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-03-29 13:07:28 CET
Do we have to adapt the let's encrypt app, too?
Comment 5 Daniel Tröder univentionstaff 2019-03-29 13:45:36 CET
Yes - it would be great if the LE app would check for u-m-dovecot with version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs automatically.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2019-03-31 20:53:09 CEST
(In reply to Daniel Tröder from comment #5)
> Yes - it would be great if the LE app would check for u-m-dovecot with
> version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs
> automatically.

Why not always set the UCR variable?
Comment 7 Erik Damrose univentionstaff 2019-04-10 14:19:06 CEST
<http://errata.software-univention.de/ucs/4.4/45.html>