Univention Bugzilla – Bug 48485
Dovecot should support multiple SSL certificates with SNI
Last modified: 2019-04-10 14:19:06 CEST
Dovecot should support multiple SSL certificates with SNI. See Bug #48247. This is important in scenarios where Let's Encrypt is used.

+++ This bug was initially created as a clone of Bug #48247 +++

If the local dovecot system is configured to use the Let's Encrypt certificate:

mail/dovecot/ssl/cafile=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt
mail/dovecot/ssl/key=/etc/univention/letsencrypt/domain.key

the listener module should also be configured to use the correct cafile while uploading a sieve script for new users:

mail/dovecot/sieve/client/cafile=/etc/ssl/certs/ca-certificates.crt

If this UCR variable is not set, the UCS CA file is used and the sieve upload will fail → new users start without a basic sieve script and spam is placed within the inbox.
Priority has been taken over from 48448. This bug is the better solution.
37f93386 Add SNI Support to univention-mail-dovecot
Additional fqdns and certificates can be configured with UCRvs
mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate
and
mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key
Testcase added: 40_mail/48_check_ssl_sni

3ce9f9c2 changelog
538bb3eb yaml
OK: code
OK: automated test 40_mail/48_check_ssl_sni fails with univention-mail-dovecot=5.0.1-1 and succeeds with 5.0.1-4
OK: manual test:

# univention-certificate new -name foo2.bar2 -days 2
# ucr set mail/dovecot/ssl/sni/foo2.bar2/certificate=/etc/univention/ssl/foo2.bar2/cert.pem mail/dovecot/ssl/sni/foo2.bar2/key=/etc/univention/ssl/foo2.bar2/private.key
# grep foo2.bar2 /etc/dovecot/conf.d/10-ssl.conf
local_name foo2.bar2 {
ssl_cert = < /etc/univention/ssl/foo2.bar2/cert.pem
ssl_key = < /etc/univention/ssl/foo2.bar2/private.key
# service dovecot restart

(my notebook)# echo '10.200.3.141 m141-ox.uni.dtr m141-ox foo2.bar2' >> /etc/hosts
(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr m141-ox.uni.dtr
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox
fetchmail: m141-ox.uni.dtr key fingerprint: 2D:B2:5A:64:CB:C5:26:6A:9E:69:91:7B:C1:AE:AF:54

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr foo2.bar2
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: foo2.bar2
fetchmail: Subject Alternative Name: foo2.bar2
fetchmail: Subject Alternative Name: foo2
fetchmail: foo2.bar2 key fingerprint: BF:C7:A2:D1:15:D5:BF:A1:00:D4:75:08:70:C4:04:21

OK: advisory
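The commit above maps each mail/dovecot/ssl/sni/$fqdn/certificate and .../key pair to a Dovecot local_name stanza, and the QA comment checks the result with grep and a client connecting under two different names. The following is an added illustration of that mapping and of the check behind it; it is not Univention's template code and not part of the bug. It assumes the UCR variable layout from the commit message, Dovecot's `local_name name { ssl_cert = <file ... }` syntax, and exact-name SNI matching only (Dovecot's wildcard local_name patterns are not modelled). The function names and the sample UCR dictionary are constructed. It also adds two things a practitioner wants from such a generator: an entry with only a certificate or only a key is reported instead of being written out as a half stanza that would make Dovecot fail to start, and the fqdn taken from the UCR key is checked against hostname syntax before being written verbatim into the config file.

```python
"""Render Dovecot SNI (local_name) stanzas from UCR-style variables and
resolve which certificate a given SNI name would get.

Added example, not Univention's univention-mail-dovecot code. Helper names
and SAMPLE_UCR are constructed; the variable names follow the commit message
in Bug 48485 (mail/dovecot/ssl/sni/$fqdn/certificate and .../key).
"""
import re
from collections import defaultdict

SNI_PREFIX = "mail/dovecot/ssl/sni/"
# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen.
# The fqdn comes from a UCR key and is written verbatim into 10-ssl.conf,
# so anything that does not look like a hostname is refused.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Parsers for the generated (or an existing) 10-ssl.conf subset.
LOCAL_NAME_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<\s*(\S+)", re.M)

# Constructed sample UCR state, mirroring the QA comment's variables plus
# two deliberately bad entries (one without a key, one with a bogus fqdn).
SAMPLE_UCR = {
    "mail/dovecot/ssl/certificate": "/etc/univention/ssl/m141-ox.uni.dtr/cert.pem",
    "mail/dovecot/ssl/key": "/etc/univention/ssl/m141-ox.uni.dtr/private.key",
    "mail/dovecot/ssl/sni/foo2.bar2/certificate": "/etc/univention/ssl/foo2.bar2/cert.pem",
    "mail/dovecot/ssl/sni/foo2.bar2/key": "/etc/univention/ssl/foo2.bar2/private.key",
    "mail/dovecot/ssl/sni/half.example/certificate": "/etc/letsencrypt/half.example/cert.pem",
    "mail/dovecot/ssl/sni/bad name/certificate": "/tmp/x.pem",
    "mail/dovecot/ssl/sni/bad name/key": "/tmp/x.key",
}


def collect_sni_entries(ucr):
    """Group mail/dovecot/ssl/sni/<fqdn>/{certificate,key} into {fqdn: {attr: path}}."""
    entries = defaultdict(dict)
    for key, value in ucr.items():
        if not key.startswith(SNI_PREFIX):
            continue
        fqdn, sep, attr = key[len(SNI_PREFIX):].rpartition("/")
        if not sep or attr not in ("certificate", "key") or not value:
            continue
        entries[fqdn][attr] = value.strip()
    return dict(entries)


def render_sni_blocks(ucr):
    """Return (config_text, problems).

    Only fqdns with BOTH certificate and key and a valid hostname are
    rendered; everything else is listed in `problems` so the admin sees why a
    name is not served, rather than Dovecot refusing a half-written stanza.
    """
    blocks, problems = [], []
    for fqdn, entry in sorted(collect_sni_entries(ucr).items()):
        if not HOSTNAME_RE.match(fqdn):
            problems.append("%s: not a valid hostname, skipped" % fqdn)
            continue
        missing = [a for a in ("certificate", "key") if a not in entry]
        if missing:
            problems.append("%s: missing %s, skipped" % (fqdn, ", ".join(missing)))
            continue
        blocks.append("local_name %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n"
                      % (fqdn, entry["certificate"], entry["key"]))
    return "".join(blocks), problems


def build_ssl_conf(ucr):
    """Constructed subset of 10-ssl.conf: global cert/key, then SNI stanzas."""
    head = "ssl = required\nssl_cert = <%s\nssl_key = <%s\n" % (
        ucr["mail/dovecot/ssl/certificate"], ucr["mail/dovecot/ssl/key"])
    body, problems = render_sni_blocks(ucr)
    return head + body, problems


def cert_for_servername(conf_text, servername):
    """Certificate file Dovecot would present for an SNI name.

    Exact local_name match wins; otherwise the global ssl_cert applies (what
    fetchmail saw when connecting as m141-ox.uni.dtr in the QA comment).
    Returns None if neither is configured.
    """
    for name, body in LOCAL_NAME_RE.findall(conf_text):
        if name.lower() == servername.lower():
            return dict(SETTING_RE.findall(body)).get("ssl_cert")
    global_part = LOCAL_NAME_RE.sub("", conf_text)  # only the global settings
    return dict(SETTING_RE.findall(global_part)).get("ssl_cert")


if __name__ == "__main__":
    conf, problems = build_ssl_conf(SAMPLE_UCR)
    print(conf)
    for p in problems:
        print("WARNING:", p)
    for name in ("foo2.bar2", "m141-ox.uni.dtr", "half.example"):
        print("%-16s -> %s" % (name, cert_for_servername(conf, name)))
```

Run as a script it prints the generated config, one warning per skipped entry, and the certificate each name would receive. The grep in the QA comment is the manual form of `cert_for_servername`; the fetchmail runs then confirm Dovecot actually honours the stanza, which no offline check can replace, since a name missing from the config silently falls back to the global certificate and the client's hostname check is what turns that into a visible error.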
Do we have to adapt the let's encrypt app, too?
Yes - it would be great if the LE app would check for u-m-dovecot with version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs automatically.
(In reply to Daniel Tröder from comment #5)
> Yes - it would be great if the LE app would check for u-m-dovecot with
> version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs
> automatically.

Why not always set the UCR variable?
<http://errata.software-univention.de/ucs/4.4/45.html>