Re: [Dovecot] Authentication by certificats (a bug or my misconfiguration)
Hi Alexander,
Hmm, I don't think that's the reason for the "invalid certificate" error. Another question: are the client certificates and the server certificate signed by the same CA?
In case you want the ssl-verify error in the logfiles:
in src/logincommon/ssl-proxy-openssl.c, line 607, change:
    i_info("Invalid certificate: %s", buf);
to:
    i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error), buf);
should help, (tested on beta8) (don't forget to recompile, install, restart ;-))
success!
--
groeten,
HenkJan Wolthuis
HenkJan Wolthuis wrote:
The root CA has generated the intermediate CA which in turn is used to generate both the client and server certificates. The CA has also generated the ca.crt, which contains the intermediate CA, then the root CA and then the CRL. All in PEM format.
Part of what I'm trying is to make the user virtual, i.e. the user from the client certificate does not exist on the machine, which may also be part of what throws it off?
The same setup works for postfix for relaying without SSL errors.
When testing the same setup with Evolution I get this in the log:
Jul 11 10:26:18 friends dovecot: imap-login: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [217.13.24.22]
if that helps any?
I'll patch up my dovecot a bit later, have a grumpy customer to tend to now. :)
Thanks a lot for the quick replies.
-A :)
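Added example (not part of either message, and not Dovecot code): a shell script that rebuilds the kind of chain described above (root CA, intermediate CA, client certificate) with throwaway keys and prints the reason string OpenSSL gives when a CA file does or does not let the chain reach the self-signed root. It assumes the `openssl` command-line tool is installed; all file and subject names are constructed, and CRL checking is not covered.

```shell
# Constructed lab: root CA -> intermediate CA -> client certificate.
# File names and subject names are made up for this example.
make_chain() {   # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root inter client; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=example-$n" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root, intermediate signed by the root, client signed by the intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 2 -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/client.crt" 2>/dev/null
    # Two candidate CA files: intermediate only, and intermediate followed by root.
    cat "$d/inter.crt" > "$d/ca-inter-only.crt"
    cat "$d/inter.crt" "$d/root.crt" > "$d/ca-full.crt"
}

# Print "OK" or the verification error text. openssl verify reports the same
# strings that X509_verify_cert_error_string() returns.
verify_reason() {   # $1 = CA file, $2 = certificate to check
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo "OK" ;;
        *) printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) && make_chain "$dir"
    echo "intermediate only:   $(verify_reason "$dir/ca-inter-only.crt" "$dir/client.crt")"
    echo "intermediate + root: $(verify_reason "$dir/ca-full.crt" "$dir/client.crt")"
    rm -rf "$dir"
}
demo
```

The reason text is what separates a chain-building problem from an expired or otherwise rejected certificate, which a bare "Invalid certificate" log line cannot show.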
participants (2)
- Alexander Hoogerhuis
- HenkJan Wolthuis