0

thanks in advance for your patience...

I am having trouble getting dovecot working with my new wildcard ssl certificate.

I put the following sections in my dovecot config:

```
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = (long list of ciphers...)
ssl_cert = </opt/ssl/__secsolutions_de.chain.crt
ssl_key = </opt/ssl/__secsolutions_de.key
ssl_ca = </opt/ssl/__secsolutions_de.ca-bundle
```

When I do a client perspective test (e.g. with https://www.checktls.com) everything looks good except this:

```
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Certificate 1 of 1 in chain:
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.secsolutions.de != )
So email is encrypted but the host is not verified
cert not revoked by CRL
cert not revoked by OCSP
```

The value in the round brackets looks weird to me. It seems there is something missing.

Second, it is stating that the cert is self signed - but it's not.

Can somebody point me in the right direction ?

THANKS !

1 Answer

3

It is unclear what you actually checked and what your certificate contains. But the link to www.checktls.com you've provided is for a site which checks the capabilities of the SMTP server, i.e. the mail transport agent (MTA) which is used to receive mail for your domain and deliver mail from your domain.

Software used as an MTA includes postfix, sendmail, exim, qmail ... - but not dovecot. Dovecot is instead a server which provides a way for the end user to access the delivered mail using the IMAP and POP3 protocols.

So it is likely that you only checked the capabilities of your MTA - which is not dovecot. This means any configuration you do with dovecot doesn't affect the check you did, since you've checked a different piece of software.
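Added example, not part of the original answer: the functions below fetch the leaf certificate from the SMTP port that checktls.com tests and from the IMAP/POP3 ports, so the certificate each service presents can be compared. The port numbers are the standard assignments and are assumed to match this host; treating "subject equals issuer" as self-signed is a heuristic.

```bash
# Added example (not the poster's code). Ports are the standard assignments,
# assumed here; the host name in the usage line is the one from the question.

# openssl s_client options that reach each mail service.
s_client_args() {
    case "$1" in
        smtp)  echo "-connect $2:25 -starttls smtp" ;;   # MTA, what checktls.com tests
        imap)  echo "-connect $2:143 -starttls imap" ;;  # IMAP with STARTTLS
        imaps) echo "-connect $2:993" ;;                 # IMAP over TLS
        pop3)  echo "-connect $2:110 -starttls pop3" ;;  # POP3 with STARTTLS
        pop3s) echo "-connect $2:995" ;;                 # POP3 over TLS
        *)     echo "unknown service: $1" >&2; return 2 ;;
    esac
}

# Write the leaf certificate a service presents to stdout as PEM.
fetch_pem() {
    args=$(s_client_args "$1" "$2") || return
    # $args is intentionally unquoted so it splits into separate options.
    openssl s_client $args -servername "$2" </dev/null 2>/dev/null | openssl x509
}

# Succeed when subject and issuer of a PEM file are identical (heuristic
# for a self-signed certificate).
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Report subject, issuer and self-signed status for every service on one host.
compare_services() {
    for svc in smtp imap imaps pop3 pop3s; do
        pem=$(mktemp)
        if fetch_pem "$svc" "$1" >"$pem" && [ -s "$pem" ]; then
            openssl x509 -in "$pem" -noout -subject -issuer
            is_self_signed "$pem" && echo "$svc: self-signed" || echo "$svc: CA-issued"
        else
            echo "$svc: no certificate retrieved"
        fi
        rm -f "$pem"
    done
}
# Usage: compare_services mail.secsolutions.de
```

If the smtp line shows a different certificate from the imaps and pop3s lines, the MTA still has its own certificate settings, and those are what need changing to alter the checktls.com result.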
