specify certificate of CA in Dovecot
What you need is a chain certificate. You can create one like this:
cat /etc/ssl/server.pem /etc/ssl/cacert.pem > /etc/ssl/chain.pem
and then use the chain as the server certificate
ssl_cert = </etc/ssl/chain.pem
ssl_key = </etc/ssl/server.key
Now when you connect with openssl s_client, you should get no errors (provided everything else is set up correctly)
In general the server offers to the requesting client the server certificate plus all intermediary certification authorities certificates so that the client can match the top certificate of the chain to one of his trusted (root) certificates. That is true for apache, dovecot and postfix. Dovecot doesn't seem to have a setting for the trust chain, so in this case the trust chain has to be merged with the server certificate and be pointed to by.
ssl_cert = </etc/ssl/server-plus-chain.pem
The order of the certificates is
- server cert
- intermediary certs
The last intermediary cert is issued by the trusted root cert the client has available.