Thanks for your help.

I was able to 'confirm' the certificate in Thunderbird.

 

I looked at the certificate in Thunderbird. As I knew, it is a chain of multiple domains, all set up on our VPS.

Under Issuer Name it says: Common Name    R3

It appears that I'm able to connect to the mailbox now but I can’t receive or send email.

Thunderbird says:
Wrong Site The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.

In Thunderbird I can  Confirm Security Exception  but I’d much rather fix the problem.

 

The certificate is for a 'chain' of domains, 5 as of now, with the primary domain being aecperformance.com (not sizzelicks.com).

The certificate as shown in Thunderbird says: Common Name    aecperformance.com

The certificate does show a list of all the domains in the chain.

 

Our VPS hosts multiple domains (5 right now) all of which receive and send email.

The websites on the VPS all work fine under ssl using the same certificate chain set up in postfix/dovecot config.

 

When I install postfix and dovecot the configuration includes paths for 1 certificate.

The certificate files I have set in postfix & dovecot config are the letsencrypt files for the websites.

 

How should I set up the certificates for the domains that postfix/dovecot handles?

How can I fix the problem Thunderbird is having with the certificate chain of multiple domains?

 

 

-----Original Message-----
From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of Robert L Mathews
Sent: Tuesday, December 7, 2021 7:46 PM
To: dovecot@dovecot.org
Subject: Re: Mailbox connection fails: Connection closed (No commands sent) Help please

 

On 12/7/21 2:49 PM, Alexander Dalloz wrote:

 

> Use a not expired certificate.

>

> $ openssl s_client -connect 194.163.45.150:993

> CONNECTED(00000003)

> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3 verify

> error:num=10:certificate has expired notAfter=Sep 30 14:01:15 2021 GMT

 

That error's happening because you (Alexander) are using an old openssl version that has the problem described on:

 

  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

 

That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:

 

https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049

 

https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/

 

In any case, this works fine with OpenSSL 1.1 or later:

 

  $ openssl s_client -connect mail.sizzelicks.com:993

  ...

  * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE

LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

 

--

Robert L Mathews, Tiger Technologies, http://www.tigertech.net/