Hi folks,

On a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there that I want to keep. For some days now I can no longer connect to that Dovecot account from any Thunderbird instance. In /var/log/maillog of the server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>

I found that OpenSSL alert number 42 might be a problem with the SSL certificate (which certificate?) but might also be an expired SSL certificate (which certificate?). On the Dovecot installation I work with a self-signed certificate. Yesterday I created a new self-signed certificate with an expiry not before the year 2032. That did not help; I see the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems; I can access Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove it, but I think at the beginning of the month it worked fine. Something happened in the meantime.

If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?

About installation:

        cat /etc/redhat-release
        Rocky Linux release 8.6 (Green Obsidian)

        dovecot --version
        2.3.16 (7e2e900c1a)

        sudo dovecot -n
        # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
        # OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian)
        # Hostname: .......
        auth_debug = yes
        auth_mechanisms = plain login
        auth_verbose = yes
        first_valid_uid = 1000
        mail_debug = yes
        mail_gid = vmail
        mail_location = maildir:~/Maildir
        mail_privileged_group = vmail
        mail_uid = vmail
        mbox_write_locks = fcntl
        namespace {
          inbox = yes
          location =
          mailbox Archives {
                special_use = \Archive
          }
          prefix = INBOX/
          separator = /
          type = private
        }
        passdb {
          args = scheme=CRYPT username_format=%u /etc/dovecot/users
          driver = passwd-file
        }
        protocols = imap
        service imap-login {
          inet_listener imap {
                port = 0
          }
        }
        ssl = required
        ssl_cert = </etc/dovecot/......crt
        ssl_cipher_list = PROFILE=SYSTEM
        ssl_key = # hidden, use -P to show it
        userdb {
          args = username_format=%u /etc/dovecot/users
          driver = passwd-file
        }
        verbose_proctitle = yes

I used the following command to recreate the SSL certificate for Dovecot:

        sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
          -keyout /etc/dovecot/......key -out /etc/dovecot/......crt

And with the command

        openssl s_client -crlf -connect .....:993

I can successfully connect to Dovecot and "simulate" a minimal IMAP-Session:

        * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready
        a login meikel.archive@..... topsecret
        a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
        a logout
        * BYE Logging out
        a OK Logout completed (0.001 + 0.000 secs).
        closed

I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).

Regards,

Meikel
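An added example (not part of Meikel's post) that parses maillog lines like the one quoted above: it decodes the packed OpenSSL error code, checks it against the printed alert number, and counts aborted handshakes per client. Because the alert arrives in ssl3_read_bytes while Dovecot is in SSL_accept(), it was sent by the client, so it is Thunderbird rejecting the certificate that Dovecot presented; the log lines in the block are constructed samples modelled on the quoted entry.

```python
import re
from collections import Counter
# Constructed sample maillog lines, modelled on the entry quoted in the post.
SAMPLE_LOG = """\
Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>
Sep 14 06:40:10 server3 dovecot[2033173]: imap-login: Login: user=<archive>, method=PLAIN, rip=192.168.177.20, lip=192.168.177.13, TLS, session=<constructed01>
Sep 14 06:41:02 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking
"""
# TLS alert descriptions a client may send when rejecting the server's certificate (RFC 5246/8446).
TLS_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name", 116: "certificate_required",
}
# OpenSSL 1.1.x packs an error as (lib << 24) | (func << 12) | reason and reports
# a received alert with reason = 1000 + alert number (0x412 = 1042 = 1000 + 42).
ALERT_REASON_OFFSET = 1000

LOG_RE = re.compile(
    r"SSL_accept\(\) failed: error:(?P<code>[0-9a-fA-F]{8}):SSL routines:"
    r"(?P<func>\w+):[^:]+: SSL alert number (?P<alert>\d+).*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def decode_openssl_error(code_hex):
    # Split a packed OpenSSL error code into its library, function and reason fields.
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def parse_line(line):
    # Return details of a TLS handshake that imap-login logged as failed, or None.
    m = LOG_RE.search(line)
    if not m:
        return None
    alert, err = int(m.group("alert")), decode_openssl_error(m.group("code"))
    # The alert was read from the peer during SSL_accept(), so the client sent it:
    # the client rejected the certificate Dovecot presented. The packed reason
    # field must agree with the alert number printed in the message text.
    return {"rip": m.group("rip"), "alert": alert, "sent_by": "client",
            "alert_name": TLS_ALERTS.get(alert, "unknown"),
            "code_consistent": err["reason"] - ALERT_REASON_OFFSET == alert}

def summarize(log_text):
    # Count aborted handshakes per (client IP, alert name) for triage.
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["rip"], rec["alert_name"])] += 1
    return counts
```

Running summarize() over the contents of /var/log/maillog shows which client addresses are refusing the server certificate and with which alert, which separates a certificate problem on the Dovecot side from a client-side trust decision.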
