Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

Meikel meikel at fn.de
Wed Sep 14 11:14:51 UTC 2022


Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account 
that I use as an archive. Archive means that from different Thunderbird 
instances I connect to that Dovecot via IMAPS to move emails there that 
I want to keep. For some days now I can no longer connect to that 
Dovecot account from any of my Thunderbird instances. In 
/var/log/maillog of the server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: 
Connection closed: SSL_accept() failed: error:14094412:SSL 
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, 
lip=192.168.177.13, TLS handshaking: SSL_accept() failed: 
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: 
SSL alert number 42, session=<dL1luJvokK3AqLFp>

I found that OpenSSL alert number 42 might be a problem with the SSL 
certificate (which certificate?) but also might be an expired SSL 
certificate (which certificate?). On the Dovecot installation I work 
with a self-signed certificate. I created a new self-signed certificate 
yesterday with an expiry not before year 2032. That did not help; I see 
the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed 
Claws-Mail. From Claws-Mail I do NOT have those problems; I can access 
Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer 
access Dovecot via IMAPS. This worked fine for about 18 months. I can't 
prove it, but I think at the beginning of the month it worked fine. 
Something happened in the meantime.

If there is a problem with an SSL certificate (bad certificate: SSL 
alert number 42), which certificate causes the problem? The certificate 
used by Dovecot or some certificate used in Thunderbird?

About installation:

	cat /etc/redhat-release
	Rocky Linux release 8.6 (Green Obsidian)

	dovecot --version
	2.3.16 (7e2e900c1a)

	sudo dovecot -n
	# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
	# OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux
		 release 8.6 (Green Obsidian)
	# Hostname: .......
	auth_debug = yes
	auth_mechanisms = plain login
	auth_verbose = yes
	first_valid_uid = 1000
	mail_debug = yes
	mail_gid = vmail
	mail_location = maildir:~/Maildir
	mail_privileged_group = vmail
	mail_uid = vmail
	mbox_write_locks = fcntl
	namespace {
	  inbox = yes
	  location =
	  mailbox Archives {
		special_use = \Archive
	  }
	  prefix = INBOX/
	  separator = /
	  type = private
	}
	passdb {
	  args = scheme=CRYPT username_format=%u /etc/dovecot/users
	  driver = passwd-file
	}
	protocols = imap
	service imap-login {
	  inet_listener imap {
		port = 0
	  }
	}
	ssl = required
	ssl_cert = </etc/dovecot/......crt
	ssl_cipher_list = PROFILE=SYSTEM
	ssl_key = # hidden, use -P to show it
	userdb {
	  args = username_format=%u /etc/dovecot/users
	  driver = passwd-file
	}
	verbose_proctitle = yes

I used the following command to recreate the SSL certificate for Dovecot:

	sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
	 -keyout /etc/dovecot/......key -out /etc/dovecot/......crt

And with the command

	openssl s_client -crlf -connect .....:993

I can successfully connect to Dovecot and "simulate" a minimal IMAP-Session:

	* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
		 IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready
	a login meikel.archive at ..... topsecret
	a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
		 IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
		 THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
		 UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED
		 I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
		 WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE
		 SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY
		 SPECIAL-USE] Logged in
	a logout
	* BYE Logging out
	a OK Logout completed (0.001 + 0.000 secs).
	closed

I have the problem with different Thunderbird installations on various 
operating systems (Windows 10, Fedora Linux 36 XFCE).

Regards,

Meikel
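
Added example, not part of the original post: a small triage script for the kind of maillog entry quoted above. It decodes the OpenSSL error code (0x412 = 1000 + 42) and reports that the alert was read by Dovecot from its peer, which means it was sent by the client at rip=. It assumes the OpenSSL 1.1.x error-code layout; the names `decode`, `summarize` and `SAMPLE_LINES` are hypothetical, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246 / RFC 8446) that appear in handshake failures.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

LINE_RE = re.compile(
    r"imap-login: .*?SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"SSL routines:(?P<func>\w+):.*?rip=(?P<rip>[0-9A-Fa-f.:]+)")

def decode(line):
    """Describe the TLS failure in one maillog line; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"], 16)
    # Assumed OpenSSL 1.1.x layout: lib (8 bits) | func (12 bits) | reason (12 bits).
    lib, reason = code >> 24, code & 0xFFF
    # Reason 1000 + N in the SSL library (0x14) means alert N was read from
    # the peer; for SSL_accept() the peer is the connecting client.
    received = lib == 0x14 and 1000 <= reason <= 1255
    alert = reason - 1000 if received else None
    return {"client": m["rip"], "function": m["func"], "alert": alert,
            "alert_name": ALERTS.get(alert, "other") if received else None,
            "sent_by": "client" if received else "undetermined"}

def summarize(lines):
    """Count client-sent alerts per (client address, alert name)."""
    hits = (decode(l) for l in lines)
    return dict(Counter((h["client"], h["alert_name"])
                        for h in hits if h and h["sent_by"] == "client"))

# First line: the log entry from the post, re-joined onto one line and shortened.
# Remaining lines: constructed for illustration.
SAMPLE_LINES = [
    "Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: "
    "Connection closed: SSL_accept() failed: error:14094412:SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13",
    "Sep 14 06:41:10 server3 dovecot[2033173]: imap-login: Disconnected: "
    "Connection closed: SSL_accept() failed: error:14094418:SSL routines:"
    "ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48 "
    "(no auth attempts in 0 secs): user=<>, rip=192.0.2.7, lip=192.168.177.13",
    "Sep 14 06:42:00 server3 dovecot[2033173]: imap-login: Login: user=<demo>",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LINES).items():
        print(key, count)
```

Grouping by client address shows whether every rejecting client is the same kind of mail program, which matches the observation in the post that Claws-Mail and `openssl s_client` connect while Thunderbird does not.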


