[Dovecot] replicator/dsync over tcp

Timo Sirainen tss at iki.fi
Sun Mar 24 23:30:58 EET 2013

On 24.3.2013, at 23.07, Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> First of all I did need to extend http://wiki2.dovecot.org/Replication to get dsync over tcp running without ssl:
> | dovecot: doveadm(test): Error: doveadm_password not set, can't authenticate to remote server

Updated http://master.wiki2.dovecot.org/Replication with it.

> 1. Question: may one include "secret" from a file?
> Well, that runs like a charm!

name = </path/file works for all settings.

> Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm' (see above) and adding ...
> | # used by replicator/dsync over tcp
> | #
> | ssl_client_ca_dir = /<path-to>/ssl/certs
> ... and ...
> | mail_replica = tcps:SERVER-A.TLD
> But, this didn't work (logfile at remote server):
> | dovecot: doveadm(test): Invalid certificate: self signed certificate: /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmaster at OTHER-NAME.TLD
> | dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL certificate
> | dovecot: doveadm(test): Error: sync: Disconnected from remote
> The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
> | ssl_cert = </<path-to>/ssl/certs/OTHER-NAME.TLD.pem
> | ssl_key = </<path-to>/ssl/private/OTHER-NAME.TLD.pem
> I did supply SERVER-A.TLD certs and private certificates at both servers as well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync instead :-(

The SERVER-A.TLD needs to have a certificate that is signed by one of the CAs in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You can't use a self-signed cert, unless you put it into the CA dir (I don't know how exactly that works).

More information about the dovecot mailing list