Hello
Sound to me, as if Thunderbird does not know the CA used to (self) sign that server certificate. As it does not know and trust that server certifikate for sending email, it disconnects with that generic error. Thunderbird has its own trusted CA store, therefore not using the one from the OS (as Claw-Mail does).
Kind regards, Christian Mack
Am 14.09.22 um 13:14 schrieb Meikel:
Hi folks,
on a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means, that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there, that I want to keep. Since some days from all Thunderbird instances I can no longer connect to that Dovecot account. In /var/log/maillog of the server I see
Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<dL1luJvokK3AqLFp>
I found that Openssl alert number 42 might be a problem with the SSL certificate (which certificate?) but also might be an expired SSL certificate (which certificate?). As on the Dovecot installation I work with a self signed certificat. I created a new self signed certificate yesterday with an expiry not before year 2032. That did not help, I see the same messages when I try to connect from Thunderbird.
Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems, I can access to Dovecot via IMAPS as expected.
I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove but I think on beginning of month it worked fine. Something happened meanwhile.
If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?
About installation:
cat /etc/redhat-release Rocky Linux release 8.6 (Green Obsidian)
dovecot --version 2.3.16 (7e2e900c1a)
sudo dovecot -n # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian) # Hostname: ....... auth_debug = yes auth_mechanisms = plain login auth_verbose = yes first_valid_uid = 1000 mail_debug = yes mail_gid = vmail mail_location = maildir:~/Maildir mail_privileged_group = vmail mail_uid = vmail mbox_write_locks = fcntl namespace { inbox = yes location = mailbox Archives { special_use = \Archive } prefix = INBOX/ separator = / type = private } passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } protocols = imap service imap-login { inet_listener imap { port = 0 } } ssl = required ssl_cert = </etc/dovecot/......crt ssl_cipher_list = PROFILE=SYSTEM ssl_key = # hidden, use -P to show it userdb { args = username_format=%u /etc/dovecot/users driver = passwd-file } verbose_proctitle = yes
I used the following command to recreate the SSL certificate for Dovecot:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/dovecot/......key -out /etc/dovecot/......crt
And with the command
openssl s_client -crlf -connect .....:993
I can successfully connect to Dovecot and "simulate" a minimal IMAP-Session:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready a login meikel.archive@..... topsecret a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in a logout * BYE Logging out a OK Logout completed (0.001 + 0.000 secs). closed
I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).
Regards,
Meikel
-- Christian Mack Universität Konstanz Kommunikations-, Informations-, Medienzentrum (KIM) Abteilung IT-Dienste Forschung, Lehre, Infrastruktur 78457 Konstanz +49 7531 88-4416