Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means, that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there, that I want to keep. Since some days from all Thunderbird instances I can no longer connect to that Dovecot account. In /var/log/maillog of the server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>

I found that Openssl alert number 42 might be a problem with the SSL certificate (which certificate?) but also might be an expired SSL certificate (which certificate?). As on the Dovecot installation I work with a self signed certificat. I created a new self signed certificate yesterday with an expiry not before year 2032. That did not help, I see the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems, I can access to Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove but I think on beginning of month it worked fine. Something happened meanwhile.

If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?

...
I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).

Regards,

Meikel

Is this a self signed certificate? In the past I had issues with Firefox and self signed certificates on my servers. They worked in Chromium but not Firefox. Mozilla is a bit more niggling about certificates - I'd expect the same engine in Thunderbird. I had an issue with the X509v3 extension in my certificate and one day Firefox didn't accept these certificates any longer.

If this is the case you can either create new certificates or - if this is a workaround for you - accept the certificate in Thunderbird (you might have to import it manually into Thunderbird first and adopt its trust level). I don't like the latter as it needs to be done on every client and might break trust in future.

--
Cheers
spi