On Sun, 15 Nov 2020 17:31:07 -0500 Mike Schroeder mikeschroe@gmail.com wrote:

CentOS 7 Dovecot 2.2.36

Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<>

Was working fine for over a year, until the cert expired and I replaced it. I've tried the good cert I have for https and I used the Dovecot.org script to generate a self-signed certificate.

10-ssl.conf ## SSL settings #ssl = required ssl = yes #ssl = no ssl_cert =

# SSL ciphers to use # ols values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK: !RC4:!ADH:!LOW@STRENGTH

# Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no

# Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device =

# SSL extra options. Currently supported options are: # no_compression - Disable compression. # no_ticket - Disable SSL session tickets. #ssl_options =

=========================== # openssl x509 -dates -in mydomain.com.crt notBefore=Nov 11 16:31:35 2020 GMT notAfter=Nov 11 16:31:35 2022 GMT -----BEGIN CERTIFICATE----- :

# openssl pkey -in mydomain.com.key -----BEGIN PRIVATE KEY----- :

Thanks for taking a look. Any ideas on what I should do next to debug?

Mike

I remembered this problem was posted and still had the reply post from Viktor. This may or may not be relevant. A search on this text will probably drag up the whole thread.

Specifically, an ECDSA P-256 certificate, but some systems don't (yet?) support ECDSA. You'd need an additional RSA certificate to interoperate with their sending MTA's limited STARTTLS cipher/protocol repertoire.

When this thread went around I looked at my logs and found some no auth complaints on my dovecot log. I believe they were trying to use the sslv3 to hack my server. Or at least see if it is hackable. Since my email server is a personal one and the attack was from a hosting company, I blocked server IP space.

The weird thing I get your error now myself but not consistently. Here is an example.

Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<rXchrDG06qvGx2p9> Nov 16 04:18:37 imap-login: Info: Login: user=me@mydomain.com, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=<DSIjrDG05KvGx2p9>

However the problem isn't present at the moment.