I’m also getting the same error ‘verify error:num=20:unable to get local issuer certificate’ when testing the Letsencrypt certificate with openssl. I’m also using the fullchain.pem in Dovecot port 993. There seems to be no solution being offered here any more. Has anybody found the solution to this issue? Strangely enough Thunderbird doesn’t complain about the certificate but MS Outlook does. It seems that the Intermediate certificate is not being seen even if it’s in the fullchain.pem. Maybe there is an extra configuration line in the Dovecot configuration that points to the chain.pem only in order to send the Intermediate certs to the IMAPS clients from Dovecot?
Michel
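A way to settle the question raised above (is the intermediate actually being sent on port 993, or is it only present on disk?), as an added example that is not part of this thread. It parses the text that `openssl s_client -connect HOST:993 -showcerts </dev/null` prints and reads the served chain and the final "Verify return code" line; error 20 with a single served certificate means the daemon never sent the intermediate, error 20 with two or more means the testing client's own trust store lacks the root. The two transcripts, the hostname imap.example.com and the /etc/letsencrypt paths are constructed samples; the Dovecot `ssl_cert = <file` syntax (the `<` means "read from this file") is real.

```python
"""Does the IMAPS server send its Let's Encrypt intermediate or only the leaf?
Added example, not code from the thread. It parses the text printed by
`openssl s_client -connect HOST:993 -showcerts </dev/null`; both transcripts
below are constructed samples, not captures from a real host."""
import re

# Constructed sample 1: only the leaf is served (daemon pointed at cert.pem).
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = imap.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = imap.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)
---
"""

# Constructed sample 2: leaf plus intermediate, as fullchain.pem gives.
SAMPLE_FULL_CHAIN = """\
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = imap.example.com
---
Certificate chain
 0 s:CN = imap.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
---
"""


def parse_s_client(output):
    """Return the served chain as (subject, issuer) pairs in the order sent,
    plus the final 'Verify return code' number and reason."""
    lines = output.splitlines()
    chain = []
    for idx, line in enumerate(lines):
        m = re.match(r"^\s*\d+ s:(.*)$", line)      # " 0 s:CN = ..." entry
        if not m:
            continue
        issuer = ""
        if idx + 1 < len(lines):                     # issuer is on the next line
            mi = re.match(r"^\s*i:(.*)$", lines[idx + 1])
            if mi:
                issuer = mi.group(1).strip()
        chain.append((m.group(1).strip(), issuer))
    m = re.search(r"Verify return code: (\d+) \(([^)]*)\)", output)
    return {"chain": chain,
            "verify_code": int(m.group(1)) if m else None,
            "verify_reason": m.group(2) if m else ""}


def diagnose(output):
    """One-line verdict. Error 20 with a single served cert means the server
    never sent the intermediate; error 20 with two or more means the client's
    own trust store lacks the root."""
    info = parse_s_client(output)
    chain, code = info["chain"], info["verify_code"]
    if not chain:
        return "no certificate chain in output; is the port speaking TLS?"
    if code == 0:
        return "ok: full chain served and verified"
    if code == 20 and len(chain) == 1:
        return ("server sent only the leaf; point it at fullchain.pem "
                "(Dovecot: ssl_cert = </path/to/fullchain.pem)")
    if code == 20:
        return "intermediate served; check this client's CA store (-CAfile)"
    return "verify failed with code %s: %s" % (code, info["verify_reason"])


def dovecot_uses_fullchain(conf_text):
    """Dovecot sends every certificate in the file named after '<' in
    ssl_cert, so that file must be fullchain.pem. Returns (ok, path)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ssl_cert\s*=\s*<\s*(\S+)", line)
        if m:
            return m.group(1).endswith("fullchain.pem"), m.group(1)
    return False, None


# Constructed Dovecot 10-ssl.conf fragment showing the usual mistake.
DOVECOT_CERT_ONLY = """\
ssl = required
ssl_cert = </etc/letsencrypt/live/imap.example.com/cert.pem
ssl_key = </etc/letsencrypt/live/imap.example.com/privkey.pem
"""
```

Run `diagnose()` on the real `s_client` output of the server rather than on the samples; a client that has cached the intermediate from an earlier session (which is why one mail client may accept the certificate while another rejects it) hides the problem, whereas `openssl s_client` from a fresh machine does not.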
@michelbisson, what’s your domain name? And can you post the relevant part of your Dovecot configuration?
I don’t have a solution, but I do offer a potential “if-all-else-fails” option:
nginx could proxy all the mail related ports.
(installing a cert in nginx is relatively easy)
You may have to get creative to not use the same ports on the same IP.
Can it still proxy TLS for services that speak IMAP instead of HTTP?
Does this answer your question?
(shortened for brevity)
mail {
    proxy_ctimeout 120000ms;
    proxy_pass_error_message on;
    zm_auth_http;
    proxy_ssl on;
    imap_greeting "";
    pop3_greeting "";
    pop3_capabilities "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
    imap_capabilities "ACL" "BINARY" "CATENATE" ...
    imap_id "NAME" "Zimbra" "VERSION" ...
    default_realm "";
    sasl_host_from_ip off;
    sasl_app_name "nginx";
    mail_login_ip_max 0;
    mail_login_ip_ttl 3600000ms;
    mail_login_ip_rejectmsg "Login rejected from this IP";
    mail_login_user_max 0;
    mail_login_user_ttl 3600000ms;
    mail_login_user_rejectmsg "Login rejected for this user";
    proxy_issue_pop3_xoip on;
    proxy_issue_imap_id on;
    imap_auth plain;
    #imap_auth gssapi;
    pop3_auth plain;
    #pop3_auth gssapi;
    imap_literalauth on;
    zm_auth_wait 10000ms;
    ssl_prefer_server_ciphers on;
    ssl_certificate /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ...
    ssl_ecdh_curve prime256v1;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imap;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imaps;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.pop3;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.pop3s;
}

server {
    #listen [::]:993 ipv6only=off;
    listen 993;
    #listen [::]:993;
    ssl_dhparam /opt/zimbra/conf/dhparam.pem;
    protocol imap;
    proxy on;
    timeout 60;
    proxy_timeout 2100;
    ssl on;
    ssl_certificate /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name "imap";
}
Huh, nginx is pretty flexible then!
Yes! It can also proxy DNS, RDP, pretty much almost anything.
root@work:/# netstat -pant |grep -i nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 53392/nginx.conf
[edit] To be clear, it can’t “man-in-the-middle” all services.
It can for those things that use TLS; for the rest it can proxy them as streams.