Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42) [SOLVED]

2022-09-15 Thread Meikel

Hello,

I switched from self-created SSL certificates to SSL certificates from 
Let's Encrypt. For that I configured


  ssl_cert = 

Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Meikel

Hello.

On 14.09.2022 at 13:59, Christian Mack wrote:

> Sounds to me as if Thunderbird does not know the CA used to (self) sign
> that server certificate.


Following the documentation at

https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921

I configured

ssl_cert = 

to my Let's Encrypt SSL certificates and did a restart of Dovecot and 
at least for one installation of Thunderbird it seems to work again now. 
For the other installations I need to check later at home, but the 
problem seems to be resolved.


Regards,

Meikel


Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Meikel

Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account 
that I use as an archive. Archive means that from different Thunderbird 
instances I connect to that Dovecot via IMAPS to move emails there that 
I want to keep. For some days now I can no longer connect to that 
Dovecot account from any of the Thunderbird instances. In 
/var/log/maillog of the server I see


Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: 
Connection closed: SSL_accept() failed: error:14094412:SSL 
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, 
lip=192.168.177.13, TLS handshaking: SSL_accept() failed: 
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: 
SSL alert number 42, session=


I found that OpenSSL alert number 42 might be a problem with the SSL 
certificate (which certificate?) but also might be an expired SSL 
certificate (which certificate?). As I work with a self-signed 
certificate on the Dovecot installation, I created a new self-signed 
certificate yesterday with an expiry not before year 2032. That did not 
help, I see the same messages when I try to connect from Thunderbird.


Just to see how Thunderbird is involved in the problem I installed 
Claws-Mail. From Claws-Mail I do NOT have those problems, I can access 
Dovecot via IMAPS as expected.


I do not understand why all my Thunderbird installations can no longer 
access Dovecot via IMAPS. This worked fine for about 18 months. I can't 
prove it, but I think at the beginning of the month it worked fine. 
Something happened in the meantime.


If there is a problem with an SSL certificate (bad certificate: SSL 
alert number 42), which certificate makes the problem? The certificate 
used by Dovecot or some certificate used in Thunderbird?


About installation:

cat /etc/redhat-release
Rocky Linux release 8.6 (Green Obsidian)

dovecot --version
2.3.16 (7e2e900c1a)

sudo dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian)
# Hostname: ...
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
mail_debug = yes
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = vmail
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  mailbox Archives {
    special_use = \Archive
  }
  prefix = INBOX/
  separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = 

I have the problem with different Thunderbird installations on various 
operating systems (Windows 10, Fedora Linux 36 XFCE).


Regards,

Meikel
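
Added example, not part of the original posts: the maillog entry quoted above already says which side complained about which certificate. This Python sketch decodes the OpenSSL error code in it, assuming the OpenSSL 1.1.x packed error layout; the function names and the sample entry joined onto one line are constructed here.

```python
import re

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample: the maillog entry from the post, joined onto one line.
SAMPLE = ("Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: "
          "Connection closed: SSL_accept() failed: error:14094412:SSL "
          "routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert "
          "number 42 (no auth attempts in 0 secs): user=<>, "
          "rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: "
          "SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:"
          "sslv3 alert bad certificate: SSL alert number 42, session=")

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:")
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")


def decode_openssl_error(code_hex):
    """Split an OpenSSL 1.1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(line):
    """Return who sent the TLS alert and what it concerns, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m.group(1))
    # Library 20 is the SSL library; its reasons 1000..1255 mean
    # "alert number (reason - 1000) was received from the peer".
    if lib != 20 or not 1000 <= reason <= 1255:
        return None
    rip = RIP_RE.search(line)
    # SSL_accept() is the server side of the handshake, so the peer that
    # sent the alert is the client, and it is judging the server's cert.
    sender = "client" if "SSL_accept()" in line else "server"
    return {"alert": reason - 1000,
            "name": ALERTS.get(reason - 1000, "other"),
            "sent_by": sender,
            "rejected": "server certificate" if sender == "client" else "client certificate",
            "client_ip": rip.group(1) if rip else None}


if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the entry in the post this reports alert 42 sent by the client at 192.168.177.105, meaning Thunderbird refused the certificate that Dovecot presented.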