Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

spi spi at nurfuerspam.de
Wed Sep 14 11:57:45 UTC 2022


On 14.09.22 at 13:14, Meikel wrote:
> Hi folks,
>
> on a Rocky Linux 8.6 based home server I run Dovecot with an account
> that I use as an archive. Archive means, that from different
> Thunderbird instances I connect to that Dovecot via IMAPS to move
> emails there, that I want to keep. Since some days from all
> Thunderbird instances I can no longer connect to that Dovecot account.
> In /var/log/maillog of the server I see
>
> Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected:
> Connection closed: SSL_accept() failed: error:14094412:SSL
> routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number
> 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105,
> lip=192.168.177.13, TLS handshaking: SSL_accept() failed:
> error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
> certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>
>
> I found that OpenSSL alert number 42 might be a problem with the SSL
> certificate (which certificate?) but also might be an expired SSL
> certificate (which certificate?). As on the Dovecot installation I
> work with a self signed certificate. I created a new self signed
> certificate yesterday with an expiry not before year 2032. That did
> not help, I see the same messages when I try to connect from Thunderbird.
>
> Just to see how Thunderbird is involved in the problem I installed
> Claws-Mail. From Claws-Mail I do NOT have those problems, I can access
> Dovecot via IMAPS as expected.
>
> I do not understand why all my Thunderbird installations can no longer
> access Dovecot via IMAPS. This worked fine for about 18 months. I
> can't prove it, but I think at the beginning of the month it worked fine.
> Something happened meanwhile.
>
> If there is a problem with an SSL certificate (bad certificate: SSL
> alert number 42), which certificate makes the problem? The certificate
> used by Dovecot or some certificate used in Thunderbird?
>
> ...
> I have the problem with different Thunderbird installations on various
> operating systems (Windows 10, Fedora Linux 36 XFCE).
>
> Regards,
>
> Meikel
>
Is this a self signed certificate? In the past I had issues with Firefox
and self signed certificates on my servers. They worked in Chromium but
not Firefox. Mozilla is a bit more niggling about certificates - I'd
expect the same engine in Thunderbird. I had an issue with the X509v3
extension in my certificate and one day Firefox didn't accept these
certificates any longer.

If this is the case you can either create new certificates or - if this
is a workaround for you - accept the certificate in Thunderbird (you
might have to import it manually into Thunderbird first and adopt its
trust level). I don't like the latter as it needs to be done on every
client and might break trust in future.

--
Cheers
spi
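
A log-triage sketch for the question raised in the quoted message (which side's certificate alert 42 refers to), added here as an example and not part of the original thread. It assumes the OpenSSL 1.1.x error packing seen in the 8-hex-digit code `14094412`; the names `classify` and `decode_openssl11_error` are illustrative.

```python
import re

# TLS alert descriptions (RFC 5246 / RFC 8446) that concern the peer's certificate.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"imap-login: .*?SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"SSL routines:(?P<func>\w+):(?P<reason>[^:]+): SSL alert number (?P<alert>\d+)"
    r".*?rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)")

def decode_openssl11_error(code_hex):
    """Split an OpenSSL 1.1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return who aborted the handshake and which certificate was rejected."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    lib, _func, reason = decode_openssl11_error(m["code"])
    alert = int(m["alert"])
    # Reason 1000+N reported from ssl3_read_bytes (lib 20 = SSL) means alert N
    # was read from the wire: the remote peer (rip) sent it, not Dovecot.
    received = lib == 20 and m["func"] == "ssl3_read_bytes" and reason == 1000 + alert
    about_cert = received and alert in CERT_ALERTS
    return {"client": m["rip"], "server": m["lip"], "alert": alert,
            "alert_name": CERT_ALERTS.get(alert, "other"),
            "sent_by": "client" if received else "undetermined",
            "rejected_cert": "server certificate" if about_cert else "undetermined"}

# The maillog entry from the quoted message, unwrapped onto one line.
SAMPLE = ("Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: "
          "Connection closed: SSL_accept() failed: error:14094412:SSL "
          "routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number "
          "42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, "
          "lip=192.168.177.13, TLS handshaking: SSL_accept() failed: "
          "error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad "
          "certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>")
# Constructed line without a TLS failure, to show the non-matching case.
OTHER = ("Sep 14 06:40:01 server3 dovecot[2033173]: imap-login: Login: "
         "user=<archive>, rip=192.168.177.105, lip=192.168.177.13")

if __name__ == "__main__":
    for entry in (SAMPLE, OTHER):
        print(classify(entry))
```

For the logged line the result points at the client (`rip`) as the sender of the alert, so the certificate being rejected is the one Dovecot presents.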