Bug 163851 - net-mail/dovecot-1.0_rc19 needs to uncomment path to certificates in dovecot.conf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Roy Marples (RETIRED)
Reported: 2007-01-26 01:55 UTC by Philip Kovacs
Modified: 2007-01-30 18:48 UTC
Description Philip Kovacs 2007-01-26 01:55:09 UTC
There are two ssl issues here that I can discern.  First, I note that,
since rc17, Gentoo is relocating the ssl cert/key files as follows:

/etc/ssl/certs/dovecot.pem -> /etc/ssl/dovecot/server.pem
/etc/ssl/private/dovecot.pem -> /etc/ssl/dovecot/server.key

That's fine, but note that the in-place edit of the /etc/dovecot/dovecot.conf
config file to effect these changes leaves the new locations as comments, specifically:

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert_file = /etc/ssl/dovecot/server.pem
#ssl_key_file = /etc/ssl/dovecot/server.key

The problem here is that these comments, as altered by Gentoo, do not reflect
the actual defaults dovecot uses in the event those keys are left commented out.
The old defaults are used.  I am suggesting that, in addition to changing 
these locations, you must also patch the file src/master/master-settings.c:

MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",

and change these hard-coded default locations to the Gentoo defaults, OR, more simply, uncomment the ssl_cert_file and ssl_key_file entries in the config file
so the altered defaults are seen and used.

The other ssl problem is with the generation of the ssl cert/key files using
the supplied doc/mkcert.sh.  You really need to edit the doc/dovecot-openssl.cnf file and change the domain CN=imap.example.com to something meaningful, i.e. the actual server, otherwise the certificates produced will be invalid and clients such as t-bird will pop up a message rejecting the invalid or corrupt cert.

Also, when testing, make a point of deleting the old /etc/ssl/{certs,private}/dovecot.pem files because, if they still exist, you might be lured into thinking the above things are ok when they are not.

Reproducible: Always
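As an added example (not code from this bug, from Dovecot or from the Gentoo ebuild), a small POSIX shell check that computes the certificate and key paths dovecot 1.0 will actually open for a given dovecot.conf: an uncommented directive wins, otherwise the compiled-in default quoted above from src/master/master-settings.c applies. It assumes SSLDIR is /etc/ssl, matching the paths in the report, and flags the state described above where the files were relocated but the config still resolves to the old defaults.

```sh
#!/bin/sh
# Added example, not code from the bug, Dovecot or the Gentoo ebuild.
# Reports the certificate/key paths dovecot 1.0 actually opens for a given
# dovecot.conf: an uncommented directive wins, otherwise the compiled-in
# default from src/master/master-settings.c applies. SSLDIR is assumed
# to be /etc/ssl, matching the paths in the bug report.
DEFAULT_CERT=/etc/ssl/certs/dovecot.pem
DEFAULT_KEY=/etc/ssl/private/dovecot.pem

# effective_setting CONF KEY DEFAULT
# Prints the value of the last active "KEY = value" line, or DEFAULT when
# every occurrence is commented out (a line starting with '#' never matches).
effective_setting() {
    conf=$1; key=$2; default=$3
    value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
    printf '%s\n' "${value:-$default}"
}

# check_ssl_paths CONF
# Prints one "cert|key PATH present|MISSING" line each and returns 1 if either
# effective file is unreadable: the state the bug describes, where the files
# were relocated but the config still resolves to the old compiled-in paths.
check_ssl_paths() {
    conf=$1; rc=0
    cert=$(effective_setting "$conf" ssl_cert_file "$DEFAULT_CERT")
    key=$(effective_setting "$conf" ssl_key_file "$DEFAULT_KEY")
    for pair in "cert:$cert" "key:$key"; do
        path=${pair#*:}
        if [ -r "$path" ]; then status=present; else status=MISSING; rc=1; fi
        printf '%s %s %s\n' "${pair%%:*}" "$path" "$status"
    done
    return $rc
}

# Usage: sh check-dovecot-ssl.sh /etc/dovecot/dovecot.conf
case $# in 1) check_ssl_paths "$1" ;; esac
```

Run against the rc19 config as shipped, the check resolves both directives to the old /etc/ssl/certs and /etc/ssl/private paths and reports them missing once the relocated files are the only ones present.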
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-01-26 08:21:41 UTC
(In reply to comment #0)
> The other ssl problem is with the generation of the ssl cert/key files using
> the supplied doc/mkcert.sh.  You really need to edit the
> doc/dovecot-openssl.cnf file and change the domain CN=imap.example.com to
> something meaningful, i.e. the actual server, otherwise the certificates
> produced will be invalid and clients such as t-bird will pop up a message
> rejecting the invalid or corrupt cert.

Err, not our business exactly; we only install certificates for testing purposes using ssl-cert eclass. If you want a real one, then generate one yourself as needed.
Comment 2 Philip Kovacs 2007-01-26 21:30:09 UTC
(In reply to comment #1)
 
> Err, not our business exactly; we only install certificates for testing
> purposes using ssl-cert eclass. If you want a real one, then generate one
> yourself as needed.

    # Let's not make a new certificate if we already have one
    if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \
            -e "${ROOT}"/etc/ssl/dovecot/server.key ]]; then
        SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}"
        insinto "${ROOT}"/etc/ssl/dovecot
        docert server
        fowners dovecot:mail /etc/ssl/dovecot/server.{key,pem}
    fi

This ebuild code makes no mention that 'docert server' will dump an invalid cert/key pair onto the filesystem and that we are supposed to correct it ourselves.

Furthermore, the doc/ files that dovecot does provide to generate a valid self-signed certificate and key are not installed (doc/mkcert.sh and doc/dovecot-openssl.cnf).  I had to fish those files out of the tarball manually, create the valid files and then relocate them to the Gentoo locations.
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-01-30 18:48:47 UTC
The ssl_*_file directives are now uncommented.

If you feel that the docert command should provide a valid self-signed cert then please open another bug, referencing this one if you need to.

Thanks