SSL Configuration

For more details see:

ssl_cert = </etc/dovecot/dovecot.crt
ssl_key = </etc/dovecot/dovecot.key

SSL certificate and SSL secret key files. You must use the < prefix so that Dovecot reads the certificate and key from the named file; without <, Dovecot assumes the certificate contents are included directly in dovecot.conf. To use different SSL certificates for different IP addresses, put them inside local {} blocks:

local 10.0.0.1 {
  ssl_cert = </etc/dovecot/dovecot.crt
  ssl_key = </etc/dovecot/dovecot.key
}
local 10.0.0.2 {
  ssl_cert = </etc/dovecot/dovecot2.crt
  ssl_key = </etc/dovecot/dovecot2.key
}

If you need different SSL certificates for the IMAP and POP3 protocols, you can put them inside protocol {} blocks:

local 10.0.0.1 {
  protocol imap {
    ssl_cert = </etc/dovecot/dovecot-imap.crt
    ssl_key = </etc/dovecot/dovecot-imap.key
  }
  protocol pop3 {
    ssl_cert = </etc/dovecot/dovecot-pop3.crt
    ssl_key = </etc/dovecot/dovecot-pop3.key
  }
}

Dovecot also supports the TLS SNI extension for serving different SSL certificates based on the requested server name while using only a single IP address. However, TLS SNI isn't yet supported by all mail clients, so this may not be very useful in practice.

It is nevertheless possible to configure it by using local_name imap.example.com {} blocks.

JA3 identifier

New in version 2.4.0 (CE).

New in version 3.0.0 (Pro).

Dovecot supports calculating a JA3 hash for identifying the client's TLS implementation. This adds the ssl_ja3 and ssl_ja3_hash login variables, for use with login_log_format_elements, and the ssl_ja3_hash authentication variable, for use with e.g. Authentication policy support.

To get JA3 values, you will need to use OpenSSL 1.1 or newer.

Common JA3 hash databases are usually built from values provided by HTTP clients. Since IMAP, POP3 and similar clients do not currently send some of the extensions those browsers use, you should not rely on such databases: their hashes will not match mail clients.

Some examples, for demonstration purposes only:

Mutt 2.2.9, TLS1.3, GnuTLS
   ja3=771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23-24-25-29-30-256-257-258-259-260,0
   ja3_hash=b7e9d913d85c071f5b806d59601e9b96

OpenSSL 1.1.1n, TLS1.3
   ja3=771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2
   ja3_hash=c34a54599a1fbaf1786aa6d633545a60

Thunderbird 102.4.2+build2-0ubuntu0.22.04.1, TLS1.3
   ja3=771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-5-51-43-13-45-21,29-23-24-25-256-257,0
   ja3_hash=3ed71a458200f4af79031644408b8e58
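The following is an added example, not Dovecot's own code, showing how a JA3 string such as the ones above breaks down into its five fields, how the JA3 hash is derived from it (the MD5 digest of the full string), and how the ssl_ja3_hash login variable can be matched against a small table of known clients when it appears in login log lines. The JA3 strings and hashes are copied from the three documented examples above; the log lines are constructed and assume that ssl_ja3_hash has been added to login_log_format_elements as `ja3_hash=%{ssl_ja3_hash}`, which is an assumption about your configuration, not something the page specifies. The has_sni check also illustrates the earlier point about SNI: extension type 0 (server_name) is absent from the OpenSSL example, present in the other two.

```python
import hashlib
import re

# Documented examples from above: name -> (JA3 string, documented JA3 hash).
DOCUMENTED = {
    "Mutt 2.2.9 (GnuTLS)": (
        "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23-24-25-29-30-256-257-258-259-260,0",
        "b7e9d913d85c071f5b806d59601e9b96",
    ),
    "OpenSSL 1.1.1n": (
        "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2",
        "c34a54599a1fbaf1786aa6d633545a60",
    ),
    "Thunderbird 102.4.2": (
        "771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-5-51-43-13-45-21,29-23-24-25-256-257,0",
        "3ed71a458200f4af79031644408b8e58",
    ),
}

SNI_EXTENSION_TYPE = 0  # IANA TLS extension type for server_name (SNI)


def ja3_hash(ja3: str) -> str:
    """JA3 hash = hex MD5 digest of the full JA3 string (MD5 is the JA3 spec, not a security choice)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def parse_ja3(ja3: str) -> dict:
    """Split a JA3 string into version, ciphers, extensions, curves and point formats.

    The version is one integer (771 == 0x0303); the other fields are '-'-separated
    integer lists, any of which may be empty."""
    parts = ja3.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 string must contain exactly five comma-separated fields")

    def ints(field: str) -> list:
        return [int(x) for x in field.split("-")] if field else []

    version, ciphers, extensions, curves, formats = parts
    return {
        "version": int(version),
        "ciphers": ints(ciphers),
        "extensions": ints(extensions),
        "curves": ints(curves),
        "point_formats": ints(formats),
    }


def has_sni(ja3: str) -> bool:
    """True if the client offered the server_name extension (needed for local_name {} blocks)."""
    return SNI_EXTENSION_TYPE in parse_ja3(ja3)["extensions"]


def check_documented_hashes() -> dict:
    """For each documented example, whether MD5 of the string reproduces the documented hash."""
    return {name: ja3_hash(s) == h for name, (s, h) in DOCUMENTED.items()}


# Lookup table keyed by the documented hash values.
KNOWN_CLIENTS = {h: name for name, (_, h) in DOCUMENTED.items()}

# Matches the user and the ja3_hash element in a login line (assumed log element, see lead-in).
LOGIN_RE = re.compile(r"user=<(?P<user>[^>]*)>.*\bja3_hash=(?P<hash>[0-9a-f]{32})")


def classify_login_line(line: str):
    """Return (user, ja3_hash, client name or 'unknown'), or None if the line carries no hash."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    h = m.group("hash")
    return m.group("user"), h, KNOWN_CLIENTS.get(h, "unknown")


# Constructed sample log lines in the style of Dovecot imap-login output.
SAMPLE_LOG = [
    "imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.1, mpid=4242, TLS, ja3_hash=3ed71a458200f4af79031644408b8e58",
    "pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=10.0.0.2, mpid=4243, TLS, ja3_hash=c34a54599a1fbaf1786aa6d633545a60",
    "imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=10.0.0.1, mpid=4244, TLS, ja3_hash=0123456789abcdef0123456789abcdef",
    "imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.13, lip=10.0.0.1, TLS",
]


def summarize(lines) -> list:
    """Classify every login line that carries a JA3 hash; lines without one are skipped."""
    results = []
    for line in lines:
        r = classify_login_line(line)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for user, h, client in summarize(SAMPLE_LOG):
        print(f"{user:8} {h} {client}")
    for name, (s, _) in DOCUMENTED.items():
        print(f"{name}: SNI offered = {has_sni(s)}")
```

An "unknown" result is not evidence of anything by itself; it only means the hash is absent from your own table, which, as the section notes, must be built from the mail clients you actually see rather than from HTTP-oriented JA3 databases.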