It seems that a bug in Dovecot makes it not send the list of accepted CA names in the TLS handshake.
Thanks to Timo Sirainen on the Dovecot mailing-list, there is now a patch available which effectively fixes the problem.
RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v
retrieving revision 1.55
diff -u -r1.55 ssl-proxy-openssl.c
— src/login-common/ssl-proxy-openssl.c 18 Mar 2007 02:51:19 -0000 1.55
+++ src/login-common/ssl-proxy-openssl.c 3 Apr 2007 09:55:23 -0000
@@ -756,6 +756,8 @@
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
Note that if the client only has one client certificate, you will probably not have any use for this. If you do however have multiple client certificates, this is absolutely necessary.
I have a patched Debian/Ubuntu package, but I will not post it if there is no demand for it.