18.04.2014 22:12, Charles Marcus:
> On 4/18/2014 3:57 PM, Charles Marcus <cmar...@media-brokers.com> wrote:
>> Everything seems to be working, BUT... I'm now seeing some of these
>> errors, that were not showing up in the logs before:
>>
>> 2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=24.126.163.180, lport=143
>> 2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=98.66.176.115, lport=143
>>
>> !2 total in the last 25 minutes since flipping the switch.
>>
>> and there have been two of these:
>>
>> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>>
>> Not a huge number, but enough to be concerning...
>
> Ahh... I'm sure we have some older clients that are still configured to
> use a different hostname...
>
> So, if the new certs are for mail.example.com, and a client tries to
> connect using a different hostname, like imap.example.com, would that
> result in these kinds of errors?

The errors indicate that a client didn't like your certificate for some
reason. One of the possible reasons surely is a CN in the certificate
that doesn't match the name of the server the client thinks he's
connecting to. So the answer to your question is very likely "yes".

-- 
Regards
mks
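
An added example, not part of the original thread: one way to find which clients are rejecting the certificate is to group the log lines shown above by remote address, so each client's configured server name can be checked. The function name cert_rejections, the hostname "mailhost" and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Alerts a TLS client sends when it rejects the server certificate
# (alert descriptions from RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Matches dovecot login-process lines in the format quoted in the thread.
LINE_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): .*?(?P<call>SSL_\w+)\(\) failed: "
    r".*?SSL alert number (?P<alert>\d+), rip=(?P<rip>[0-9A-Fa-f.:]+), "
    r"lport=(?P<lport>\d+)")

# Constructed sample input: same layout as the quoted lines, documentation IPs.
_TLS = ("{ts} mailhost dovecot: imap-login: Disconnected (no auth attempts "
        "in 0 secs): user=<>, {phase}() failed: error:14094412:SSL routines:"
        "SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, "
        "rip={rip}, lport=143")
SAMPLE = [
    _TLS.format(ts="2014-04-18T15:42:24-04:00", phase="TLS: SSL_read",
                rip="192.0.2.10"),
    _TLS.format(ts="2014-04-18T15:42:34-04:00", phase="TLS: SSL_read",
                rip="192.0.2.10"),
    _TLS.format(ts="2014-04-18T15:54:07-04:00",
                phase="TLS handshaking: SSL_accept", rip="198.51.100.7"),
    # A successful login: must not be counted.
    "2014-04-18T15:55:00-04:00 mailhost dovecot: imap-login: Login: "
    "user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS",
]

def cert_rejections(lines):
    """Return {rip: Counter({(alert_name, ssl_call, lport): count})}."""
    out = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TLS failure line
        name = CERT_ALERTS.get(int(m["alert"]))
        if name is None:
            continue  # TLS alert unrelated to the certificate
        out[m["rip"]][(name, m["call"], int(m["lport"]))] += 1
    return dict(out)

if __name__ == "__main__":
    for rip, counts in sorted(cert_rejections(SAMPLE).items()):
        for (alert, call, lport), n in sorted(counts.items()):
            print(f"{rip:15} port {lport} {call:10} {alert}: {n}")
```

Run against the real mail log, the addresses with repeated bad_certificate entries are the clients whose account settings (server name, trusted CA) are worth checking first.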