18.04.2014 22:12, Charles Marcus:
On 4/18/2014 3:57 PM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Everything seems to be working, BUT... I'm now seeing some of these errors, that were not showing up in the logs before:
2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143
12 total in the last 25 minutes since flipping the switch.
and there have been two of these:
2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
Not a huge number, but enough to be concerning...
Ahh... I'm sure we have some older clients that are still configured to use a different hostname...
So, if the new certs are for mail.example.com, and a client tries to connect using a different hostname, like imap.example.com, would that result in these kinds of errors?
The errors indicate that a client didn't like your certificate for some reason. One of the possible reasons surely is a CN in the certificate that doesn't match the name of the server the client thinks he's connecting to.
So the answer to your question is very likely "yes".
-- Regards mks
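Added example, not part of the original messages: a Python sketch that pulls certificate-related TLS alerts out of dovecot login lines like the ones quoted above and counts them per remote IP and failing OpenSSL call, so the clients that rejected the certificate can be identified and their configured hostname checked. The sample input is the three log lines from the thread; the function names and the regular expression are this example's own, and the alert names are the certificate alerts from RFC 5246.

```python
import re
from collections import Counter

# The three log lines quoted in the thread above (dovecot imap-login via syslog).
SAMPLE_LOG = """\
2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=98.66.176.115, lport=143
2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
"""

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

# Assumed line layout: timestamp, host, "dovecot:", service, then the
# failing SSL_* call, the alert number, and the rip= / lport= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: (?P<service>[\w-]+): .*?"
    r"(?P<call>SSL_\w+)\(\) failed: .*?"
    r"SSL alert number (?P<alert>\d+), rip=(?P<rip>[^,\s]+), lport=(?P<lport>\d+)"
)

def parse_cert_alerts(text):
    """Return one dict per log line in which the peer sent a certificate alert."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("alert")) not in CERT_ALERTS:
            continue  # not a TLS failure line, or an alert unrelated to certificates
        ev = m.groupdict()
        ev["alert"] = int(ev["alert"])
        ev["alert_name"] = CERT_ALERTS[ev["alert"]]
        events.append(ev)
    return events

def summarize(events):
    """Count events per (remote IP, failing OpenSSL call)."""
    return Counter((e["rip"], e["call"]) for e in events)

if __name__ == "__main__":
    for (rip, call), n in sorted(summarize(parse_cert_alerts(SAMPLE_LOG)).items()):
        print(f"{rip}\t{call}\t{n}")
```

Run against the full mail log instead of `SAMPLE_LOG`, the per-IP counts show whether the alerts come from a handful of clients, which is what a few machines still pointed at an old hostname would look like.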