On 19.04.2014 03:29, Joseph Tam wrote:
Charles Marcus CMarcus@Media-Brokers.com wrote:
2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
Not a huge number, but enough to be concerning...
Could this just be from cached junk from some clients, and they will resolve themselves over time?
Short answer: maybe. I got these errors when I switched from a self-signed to CA signed cert, and the client had an open mail session:
Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<w4Lm8vvypgCJUgmg>
Not quite the same as yours, but if you call the client up and ask them to restart their mail client, I'm fairly confident these will go away, as for my user.
You might get some weirdness if for some reason the client does not have the intermediate CAs cached. I ran into this problem with our certs -- some RH distributions did have the intermediate CA certs in its store.
You only need to read the documentation: any CA these days has intermediate certs (Thawte, GoDaddy, ...) and for any service (dovecot, postfix, httpd, ...) you have to use the config parameter *OR* "cat your.crt chain.crt > new.crt"
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Chained SSL certificates
Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
1. Dovecot's public certificate
2. TDC SSL Server CA
3. TDC Internet Root CA
4. Globalsign Partners CA
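An added check for that order (example script, not from the wiki or anyone in this thread): it splits a PEM bundle such as the one produced by "cat your.crt chain.crt > new.crt" and confirms that each certificate's issuer is the subject of the next one, which is what dovecot and the clients need to see. It assumes openssl(1) is installed and compares names only; it does not validate signatures.

```shell
#!/bin/sh
# Added example (not from the wiki or the thread): check that a bundle built
# with "cat your.crt chain.crt > new.crt" is in the order dovecot expects,
# i.e. server cert first, then each issuer in turn up to the root.
# Assumes openssl(1) is installed; compares names only, no signature check.
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d) || return 2
    # Split the PEM bundle into numbered files, one certificate each.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/%03d.pem", d, i) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    status=0
    prev_issuer=""
    n=0
    for cert in "$tmp"/*.pem; do
        [ -f "$cert" ] || { status=2; break; }   # no certificate found in the file
        n=$((n + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject) || { status=2; break; }
        issuer=$(openssl x509 -in "$cert" -noout -issuer) || { status=2; break; }
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        # Every certificate after the first must be the issuer of the previous one.
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "cert #$n ($subject) is not the issuer of the one before it ($prev_issuer)" >&2
            status=1
            break
        fi
        prev_issuer="$issuer"
    done
    rm -rf "$tmp"
    [ "$status" -eq 0 ] && echo "chain order OK ($n certificates, last issuer: $prev_issuer)"
    return "$status"
}

# Usage: ./check_chain.sh /path/to/new.crt   (the bundle given to ssl_cert)
[ -n "${1:-}" ] && check_chain_order "$1"
```

Exit status 0 means the order is right, 1 means a certificate is out of place, 2 means the file could not be read or parsed.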