当服务器证书由公共 CA 签名时，如何设置 dovecot 以接受由私有 CA 签名的客户端证书

我已经使用 SSL/TLS 和 Let's Encrypt 颁发的服务器证书运行 postfix/dovecot 邮件服务器好几年了，没有任何问题：

/etc/dovecot/conf.d/10-ssl.conf

ssl = required
# Bundle containing the public server certificate followed by the chain of intermediate Let's encrypt CA certificates
ssl_cert = </etc/ssl/fullchain.pem
ssl_key = </etc/ssl/key.pem

我现在正在尝试修改 dovecot 设置以仅接受客户端证书创建私有 CA因为您可能已经知道，Let's Encrypt 不会颁发客户端证书：

/etc/dovecot/conf.d/10-auth.conf

auth_ssl_require_client_cert = yes

/etc/dovecot/conf.d/10-ssl.conf

ssl_verify_client_cert = yes
# Bundle containing the private CA certificate followed by the matching CRL
ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem

当我尝试使用客户端（evolution）连接到服务器时，出现连接错误：Client did not present valid SSL certificate，但它是有效的：

openssl x509 -enddate -noout -in client.crt
notAfter=Jul 22 16:21:07 2032 GMT

当我尝试手动测试连接时，我收到Verification: OK：

openssl s_client -connect ${fqdn}:993 -cert client.crt -key client_key.pem -CApath /etc/ssl/certs -state -debug
Enter pass phrase for client_key.pem:
CONNECTED(00000003)
SSL_connect:before SSL initialization
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS write change cipher spec
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS write client hello
...
SSL_connect:SSLv3/TLS read server hello
...
SSL_connect:TLSv1.3 read encrypted extensions
...
SSL_connect:SSLv3/TLS read server certificate request
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.<domain>
verify return:1
...
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write certificate verify
...
SSL_connect:SSLv3/TLS write finished
---
Certificate chain
 0 s:CN = *.<domain>
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  2 10:04:12 2022 GMT; NotAfter: Sep 30 10:04:11 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
...
subject=CN = *.<domain>
issuer=C = US, O = Let's Encrypt, CN = R3
---
Acceptable client certificate CA names
C = <country>, ST = <region>, O = <org>
Requested Signature Algorithms: ...
Shared Requested Signature Algorithms: ...
Peer signing digest: ...
Peer signature type: ...
Server Temp Key: ...
---
SSL handshake has read 5418 bytes and written 2986 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
...
Verify return code: 0 (ok)
...
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
...
---
SSL_connect:SSLv3/TLS read server session ticket
...
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
...
---
SSL_connect:SSLv3/TLS read server session ticket
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.
DONE
...

我是否遗漏了什么？

编辑：

尽管openssl s_client返回Verification: OK，但 dovecot 对客户端证书并不满意：

dovecot: auth: plain(?,<IP address>,<ID>): Client didn't present valid SSL certificate
dovecot: auth: Debug: client passdb out: FAIL#0111#011reason=Client didn't present valid SSL certificate

这与 dovecot 尝试连接时抛出的错误相同：

• openssl
• 进化
• 雷鸟。

我已经能够在本地成功验证 client.crt 的 PKCS#12 等效项：

openssl pkcs12 -info -in client.pfx

我不知道如何使用 openssl 在本地验证客户端证书与自签名 CA 证书。

似乎有一个dovecot 的问题。

是否有人能够成功配置这样的设置——IMAP 服务器的公共证书以及客户端证书的私有自签名 CA？