I confirm that the solution in Thunderbird, was they had to click on the account's inbox, then click get messages, then click the confirm security exception button on the server identity pop-up, and that fixes the issue. I could see that under Tools > Options > Certificates for the server section had a self-signed certificate which is active for 1 year, so once the new cert is generated then everyone has to just confirm the exception of the new self-signed certificate. It's an easy fix once you know the solution.
Thanks for your help Aki.
In our case this is an internally used Dovecot Mail server that's used for mail storage only, not for sending out new email and it's not the default email account to receive new messages. The server never touches the public internet, only inside the LAN traffic. In this situation are CA authority certificates worth the expense? Just curious on what everyone's opinion is of Digital Certs signed by certificate authorities that are only used inside the LAN. Thoughts?
On 4/12/2021 9:59 AM, Aki Tuomi wrote:
On 12/04/2021 17:13 Christopher Wensink <cwensink@five-star-plastics.com> wrote:
Dovecot Team,
I need a little help. I came in this morning and it seems like the SSL Certificates expired for dovecot (on an internal mail server) and nobody can move email into their folders on this server. In Thunderbird they just see in the status bar: HISTORY: checking mail server capabilities...
In /var/log/maillog:
Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<H5iu9sa/Me0KBQFV>
I have tried:
-Restarting Dovecot -Restarting the whole mail server -Re-creating the .pem files, first moving the old files in /etc/pki/dovecot/certs and /etc/pki/dovecot/private from dovecot.pem to dovecot-old.pem, - Re-creating a new dovecot.pem using the mkcert.sh script in the doc folder in /usr/share/doc/dovecot-2.2.36/, - restarting dovecot - changing the cert values in dovecot-openssl.cnf
I also tried creating new .crt and key files using this tutorial: https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
I need some assistance, thank you for your help.
Chris Please use real certs if possible. Otherwise you need to install the used CA certificate, or the self-signed certificate, to all the clients. Or reset the exception there, and then tell all your users to redo the exception. Using real certs is easier.
Aki
-- Christopher Wensink IS Administrator Five Star Plastics, Inc 1339 Continental Drive Eau Claire, WI 54701 Office: 715-831-1682 Mobile: 715-563-3112 Fax: 715-831-6075 cwensink@five-star-plastics.com www.five-star-plastics.com