Hello,

This is a selfsigned cert. Both of the below methods were used.

May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and thunderbird does not?

Thank you,

==1

openssl genrsa -out key.pem 2048

openssl req -new -sha512 -key key.pem -out csr.csr

openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2 openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem

On 4/30/20 8:11 AM, Aki Tuomi wrote:

...

On 30/04/2020 14:49 hanasaki@gmail.com mailto:hanasaki@gmail.com mailto:hanasaki@gmail.com> wrote:

Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.

Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. They cert created does work with evolution; just not thunderbird.

Thoughts?

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->

reference http://forums.debian.net/viewtopic.php?f=5&t=145849 http://forums.debian.net/viewtopic.php?f=5&t=145849

You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---

Aki Tuomi

I would expect the public cert to be imported as a "server" not an "auth"

The attached image shows that TBird wants an httpS url for a webserver, for the source.

Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list.  A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:

I see. You need to import the cert into thundebird's trusted ca certs.

Aki

...

On 30/04/2020 21:36 hanasaki@gmail.com mailto:hanasaki@gmail.com mailto:hanasaki@gmail.com> wrote:

Hello,

This is a selfsigned cert. Both of the below methods were used.

May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and thunderbird does not?

Thank you,

==1

openssl genrsa -out key.pem 2048

openssl req -new -sha512 -key key.pem -out csr.csr

openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2 openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem

On 4/30/20 8:11 AM, Aki Tuomi wrote:

...

...

On 30/04/2020 14:49 hanasaki@gmail.com mailto:hanasaki@gmail.com mailto:hanasaki@gmail.com> mailto:hanasaki@gmail.com mailto:hanasaki@gmail.com>> wrote:

Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.

Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. They cert created does work with evolution; just not thunderbird.

Thoughts?

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->

reference http://forums.debian.net/viewtopic.php?f=5&t=145849 http://forums.debian.net/viewtopic.php?f=5&t=145849 <http://forums.debian.net/viewtopic.php?f=5&t=145849 http://forums.debian.net/viewtopic.php?f=5&t=145849> You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---

Aki Tuomi

---

Aki Tuomi

Hi everyone,

I have two servers running dovecot, both at version 2.2.33.2. One is a an mx-backup and they replicate to each other.

I am moving the main server to a new VPS instance, and I'm planning the move carefully, including running dovecot on a container (Docker).

I am basing my container on Ubuntu 20.04, and the dovecot that installs is the 2.3.7.2.

My question is: will replication work ok once configured? Reading the documentation for version upgrade there was nothing on this. I will eventually upgrade the "slave" server, but it might take a few weeks.

Any tips on this would be greatly appreciated.

Best,

Francis

https://stackoverflow.com/questions/61077885/add-thunderbird-security-except...

Perhaps this will help you?

Aki

On 04/05/2020 19:03 hanasaki@gmail.com hanasaki@gmail.com wrote:

== resend to list = requested by list owner On 4/30/20 2:47 PM, hanasaki@gmail.com wrote:

...

I would expect the public cert to be imported as a "server" not an "auth" The attached image shows that TBird wants an httpS url for a webserver, for the source. Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list. A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:

...

I see. You need to import the cert into thundebird's trusted ca certs.

Aki

...

On 30/04/2020 21:36 hanasaki@gmail.com hanasaki@gmail.com wrote:

Hello,

This is a selfsigned cert. Both of the below methods were used.

May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and thunderbird does not?

Thank you,

==1

openssl genrsa -out key.pem 2048

openssl req -new -sha512 -key key.pem -out csr.csr

openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2 openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem

On 4/30/20 8:11 AM, Aki Tuomi wrote:

...

...

On 30/04/2020 14:49 hanasaki@gmail.com mailto:hanasaki@gmail.com mailto:hanasaki@gmail.com> wrote:

Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well.

Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. They cert created does work with evolution; just not thunderbird.

Thoughts?

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->

reference http://forums.debian.net/viewtopic.php?f=5&t=145849 http://forums.debian.net/viewtopic.php?f=5&t=145849 You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---

Aki Tuomi

---

Aki Tuomi

On Thu, 30 Apr 2020, hanasaki@gmail.com wrote:

...

...

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42

According to this

https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s

this error comes about when you specify the client must authenticate with their own certificate. If your Dveocot setup is working with Evolution, have you ported the client certificate to the Thunderbird setup?

Joseph Tam jtam.home@gmail.com

On 04 May 2020, at 11:44, hanasaki@gmail.com wrote

Have also tried typing smtp://host:25 and https://host:25

Can’t help you with thunderbird (which I consider one garage above garbage) but port 25 is not a TLS port and will not be sending a cert challenge.

-- "Are you pondering what I'm pondering?" "I think so, Brain, but why does a forklift have to be so big if all it does is lift forks?”