`ssl = required` leads to errors in service blocks

[rohieb]

I'm trying to require TLS (with client cert auth) on incoming LMTP connections. https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl mentions the possible settings of ssl = no, ssl = yes, and ssl = required; however when I do:

# /etc/dovecot/conf.d/10-master.conf from line 64:
service lmtp {
  inet_listener lmtp {
    listen = * ::
    port = 24
    ssl = required
  }
}

… I get the error doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-master.conf line 68: ssl: Invalid boolean value: required (use yes or no) from doveconf -a.

In my understanding of the Named Filters and Named List Filters sections, this should effectively evaluate to ssl = required for the LMTP service. But I didn't find any documentation what settings are allowed in this service lmtp {…} block. Apparently it differs from the global settings, but how? https://doc.dovecot.org/2.4.1/core/config/ssl.html#how-to-specify-when-ssl-tls-is-required also mentions ssl = required.

[rohieb]

Furthermore I'm trying to use a different TLS cert on LMTP:

service lmtp {
  inet_listener lmtp {
    listen = * ::
    port = 24
    ssl = yes
    ssl_server_cert_file = /etc/lmtp-ca/local.crt
    ssl_server_key_file = /etc/lmtp-ca/private/local.key
    ssl_server_ca_file = /etc/lmtp-ca/ca.crt
  }
}

dovecot -a has no problems with this config, and parses it as:

[…]
service lmtp {
  inet_listener lmtp {
    port = 24
    ssl = yes
    listen = * ::
    ssl_server {
      ca_file = /etc/lmtp-ca/ca.crt
      cert_file = /etc/lmtp-ca/local.crt
      key_file = /etc/lmtp-ca/private/local.key
    }
  }
}

… but the settings are silently ignored by Dovecot, and instead I get the other cert that I configured for IMAP, instead of the one from /etc/lmtp-ca/local.crt, when I connect to the LMTP port with openssl s_client. How can I find out which settings are accessible in service lmtp {…} blocks at all?

[cmouse]

Hi!

Our community support is via dovecot@dovecot.org mailing list.

[rohieb]

I since found out that when we do service foo { inet_listener foo { ssl = yes } } we're really setting the variable named inet_listener_ssl (which only knows the values yes and no), not ssl.

[sirainen]

That's mentioned somewhere in documentation, but this clarifies further: #1336