Hi Marcus! Problem looks like java app cannot validate new cert. Check ssl_store for your java based mail gate. Are there CA and Intermediate SSL Certificates for your new 256ssl cert in mail gate ssl store?
> Hi, > > today I changed my SSL certificates to "sha256WithRSAEncryption", > because Thunderbird started complaining about me old SHA1 > certificates. ;) One pop3s client (it's a kind of java based mailgate) > causes a lot of these errors, not at each connect, but on about two of > 140 mailbox connects within 5 minutes: > > > mail log: > ---------- > May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection > May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete -> > wait > May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate > unknown in SSL_accept() -> fail > May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed: > ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx] > May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error: > tls_start_servertls() failed > May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0> > dele=<0> > ---------- > > error log: > ---------- > May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error: > tls_start_servertls() failed > ---------- > > If I check pop3s with my Thunderbird or other clients everything is > fine. SSL checker e.g. on https://decoder.link/sslchecker doesn't show > any errors and it's only this one pop3 client, which causes this error. > > I didn't changed anything in imap.conf, but replacing cert files and > reload imapd > > tls_cert_file > tls_key_file > tls_ca_file > > tls_cipher_list is unchanged: > tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH > > Is the client sending a client certificate, which my server doesn't > like? But I don't ask for any client certificates. > > System: cyrus 2.4.12 > > Ciao > Marcus > > > ---- > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
smime.p7s
Description: S/MIME cryptographic signature
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus