Specify certificate of CA in Dovecot

What you need is a chain certificate. You can create one like this:

cat /etc/ssl/server.pem /etc/ssl/cacert.pem > /etc/ssl/chain.pem

and then use the chain as the server certificate:

ssl_cert = </etc/ssl/chain.pem
ssl_key = </etc/ssl/server.key

Now when you connect with openssl s_client, you should get no errors (provided everything else is set up correctly).


In general the server offers to the requesting client the server certificate plus all intermediary certification authorities' certificates so that the client can match the top certificate of the chain to one of his trusted (root) certificates. That is true for Apache, Dovecot and Postfix. Dovecot doesn't seem to have a setting for the trust chain, so in this case the trust chain has to be merged with the server certificate and be pointed to by:

ssl_cert = </etc/ssl/server-plus-chain.pem

The order of the certificates is:

  1. server cert
  2. intermediary certs

The last intermediary cert is issued by the trusted root cert the client has available.
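
One way to check the ordering described in these answers before pointing ssl_cert at the merged file, as an added example that is not part of either answer. It builds a throwaway demo PKI (all file names and subjects are constructed; intermediate.pem plays the role of the CA certificate) and compares issuer and subject names with openssl.

```shell
#!/bin/sh
# Added example (not from the answers): check a bundle's certificate order.
# All file names and the throwaway demo PKI below are constructed.

# Succeeds when every certificate in bundle $1 is issued by the one after it.
# Compares subject/issuer names only; signatures are not verified.
chain_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { n++; sub(/^subject=/, ""); subj[n] = $0 }
        /^issuer=/  { sub(/^issuer=/, ""); iss[n] = $0 }
        END {
            if (n == 0) exit 1                     # no certificate in the file
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) exit 1  # next cert is not the issuer
        }'
}

# issue NAME ISSUER SUBJECT: create NAME.key and NAME.pem signed by ISSUER.key.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" -keyout "$1.key" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem"
}

# Build a demo root, intermediate and server certificate in directory $1.
# Demo only: not fit for TLS use; the order check reads names and nothing else.
make_demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
          -keyout root.key -out root.pem &&
      issue intermediate root "/CN=Demo Intermediate CA" &&
      issue server intermediate "/CN=mail.example.test"
    ) >/dev/null 2>&1
}

dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
cat "$dir/server.pem" "$dir/intermediate.pem" > "$dir/good.pem"  # server first
cat "$dir/intermediate.pem" "$dir/server.pem" > "$dir/bad.pem"   # reversed
for f in good bad; do
    if chain_order_ok "$dir/$f.pem"; then echo "$f.pem: order ok"
    else echo "$f.pem: wrong order"; fi
done
```

Run chain_order_ok against the real merged file before reloading Dovecot; a reversed bundle typically fails at startup because the first certificate no longer matches ssl_key.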