
Re: Dovecot: ssl_ca_path not respected?



Bagas Sanjaya wrote: 
> Hi,
> 
> I have difficulties setting up Dovecot to connect to remote MariaDB instance
> over TLS.
> 
> So I have two Debian 11 LXD containers spun up, one as mail server with
> Postfix and Dovecot, and one as database instance with MariaDB. The LXD host
> is Ubuntu 20.04.

The first problem is that you have introduced a new point of
failure: if you set up dovecot to use a database, that database
must be functioning for dovecot to work. Putting it into a
different VM or container adds complexity and a source of
failure without gaining you anything at all. And once dovecot
and the database are in the same container/VM, they don't need
SSL to communicate securely.

The second problem is that ssl_ca should point to the CA bundle
for your desired SSL cert -- in this case, your own CA.

It is probably indicative of something that the only mention of 
ssl_ca_path in Dovecot's documentation is in a comment in the config.


-dsr-

