Looks fine from my side, both on pop3s
ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:995 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1

Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3

[...]
    Start Time: 1614694135
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:09:01 ~ $
and on pop3 with starttls
ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client -starttls pop3 -connect 103.106.168.105:pop3 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1

Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3

[...]
    Start Time: 1614694499
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:15:04 ~ $
On 3/2/21 at 1:41 PM, Erwan David wrote:
On 02/03/2021 at 13:29, Voytek Eymont wrote:
For a couple of days one of the users has reported getting an expired certificate error in TB. Looking at the log, I can see lines like:
Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<...>
Here it is the certificate presented on the pop3 port (either port 110 with a STLS command or port 995)
but, looking at server with https://ssl-tools.net/mailservers/emu.sbt.net.au it says 'valid' as does certbot tool
Here it seems the site tests the smtp server (on port 25), which is not handled by dovecot. You probably have different certificates on both.
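Added example, not part of the thread: a Python sketch that decodes the OpenSSL error in Dovecot login lines like the one quoted above and counts certificate-expired alerts per client and service. In the OpenSSL 1.0/1.1 packed error layout assumed here, a reason code above 1000 is a TLS alert received from the peer, so `14094415` (reason 1045) records the client rejecting the certificate. The sample lines and client addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log line quoted in the thread;
# client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<a1>
Mar 02 21:47:02 pop3-login: Info: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=103.106.168.105, mpid=4242, TLS, session=<b2>
Mar 02 21:52:10 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.51.100.7, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<c3>
"""

LINE_RE = re.compile(
    r"(?P<service>[\w-]+)-login: .*?rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+),"
    r".*?error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:[^:]*:(?P<reason>[^:]+)"
)

ALERT_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET


def decode_error(code_hex):
    """Split an OpenSSL 1.0/1.1 packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def tls_failures(log_text):
    """Yield one dict per login line that carries an OpenSSL error string."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and non-TLS lines have no error code
        _lib, _func, reason = decode_error(m["code"])
        from_client = reason > ALERT_OFFSET
        yield {
            "service": m["service"], "rip": m["rip"], "lip": m["lip"],
            "reason": m["reason"].strip(),
            # reason above 1000: the peer (the mail client) sent this alert
            "alert_from_client": from_client,
            "alert": reason - ALERT_OFFSET if from_client else None,
        }


def rejecting_clients(log_text):
    """Count certificate_expired (alert 45) events per (client IP, service)."""
    return Counter((f["rip"], f["service"]) for f in tls_failures(log_text)
                   if f["alert"] == 45)


if __name__ == "__main__":
    for (rip, service), n in rejecting_clients(SAMPLE_LOG).items():
        print(f"{rip} rejected the {service} certificate {n} time(s)")
```

Grouping by service shows which listener's certificate a client is rejecting, which is the comparison the openssl s_client runs above make by hand.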