Am 14.09.22 um 13:14 schrieb Meikel:
Hi folks,
on a Rocky Linux 8.6 based home server I run Dovecot with an account
that I use as an archive. Archive means, that from different
Thunderbird instances I connect to that Dovecot via IMAPS to move
emails there, that I want to keep. Since some days from all
Thunderbird instances I can no longer connect to that Dovecot account.
In /var/log/maillog of the server I see
Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected:
Connection closed: SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105,
lip=192.168.177.13, TLS handshaking: SSL_accept() failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>
I found that Openssl alert number 42 might be a problem with the SSL
certificate (which certificate?) but also might be an expired SSL
certificate (which certificate?). As on the Dovecot installation I
work with a self signed certificat. I created a new self signed
certificate yesterday with an expiry not before year 2032. That did
not help, I see the same messages when I try to connect from Thunderbird.
Just to see how Thunderbird is involved in the problem I installed
Claws-Mail. From Claws-Mail I do NOT have those problems, I can access
to Dovecot via IMAPS as expected.
I do not understand why all my Thunderbird installations can no longer
access Dovecot via IMAPS. This worked fine for about 18 months. I
can't prove but I think on beginning of month it worked fine.
Something happened meanwhile.
If there is a problem with an SSL certificate (bad certificate: SSL
alert number 42), which certificate makes the problem? The certificate
used by Dovecot or some certificate used in Thunderbird?
...
I have the problem with different Thunderbird installations on various
operating systems (Windows 10, Fedora Linux 36 XFCE).
Regards,
Meikel
Is this a self signed certificate? In the past I had issues with Firefox
and self signed certificates on my servers. They worked in Chromium but
not Firefox. Mozilla is a bit more niggling about certificates - I'd
expect the same engine in Thunderbird. I had an issue with the X509v3
extension in my certificate and one day Firefox didn't accept these
certificates any longer.
If this is the case you can either create new certificates or - if this
is a workaround for you - accept the certificate in Thunderbird (you
might have to import it manually into Thunderbird first and adopt its
trust level). I don't like the latter as it needs to be done on every
client and might break trust in future.
--
Cheers
spi
