Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
Recently Thunderbird and Dovecot IMAPS cannot agree on SSL; however, Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the Thunderbird accounts from scratch. The OpenSSL raw client works fine as well.
Would someone also confirm the openssl commands to create a self-signed cert for Dovecot IMAPS? The cert created does work with Evolution; just not Thunderbird.
Thoughts?
Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
reference http://forums.debian.net/viewtopic.php?f=5&t=145849
Hello,
This is a selfsigned cert. Both of the below methods were used.
May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes?
The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.
Separately, what are your thoughts as to why evolution works and thunderbird does not?
Thank you,
==1
openssl genrsa -out key.pem 2048
openssl req -new -sha512 -key key.pem -out csr.csr
openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
On 4/30/20 8:11 AM, Aki Tuomi wrote:
You are missing intermediate certs from your certfile. Put them after cert in order towards root.
Aki Tuomi
I would expect the public cert to be imported as a "server" not an "auth"
The attached image shows that TBird wants an httpS url for a webserver, for the source.
Ages ago, I think it prompted for "do you want to trust this new cert" and YES added it (assuming that is the public key) to the server list. A bit confused by this.
<see attached thunderbird image>
On 4/30/20 2:41 PM, Aki Tuomi wrote:
I see. You need to import the cert into Thunderbird's trusted CA certs.
Aki
Hi everyone,
I have two servers running dovecot, both at version 2.2.33.2. One is an mx-backup and they replicate to each other.
I am moving the main server to a new VPS instance, and I'm planning the move carefully, including running dovecot on a container (Docker).
I am basing my container on Ubuntu 20.04, and the dovecot that installs is the 2.3.7.2.
My question is: will replication work ok once configured? Reading the documentation for version upgrade there was nothing on this. I will eventually upgrade the "slave" server, but it might take a few weeks.
Any tips on this would be greatly appreciated.
Best,
Francis
https://stackoverflow.com/questions/61077885/add-thunderbird-security-except...
Perhaps this will help you?
Aki
For internal use I've installed the private CA cert on whatever clients I'm using (Thunderbird, browsers). That way you don't need to make exceptions every time a certificate changes.
Good luck, Reio
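One way to build the setup described above, a private CA whose certificate is imported into each client once and which then signs the Dovecot server certificate. This is an added example, not code from any poster in the thread; the host name mail.example.internal, the file names, the validity periods and the function names are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate for Dovecot.
# Host name, file names and validity periods are assumptions for illustration.

# issue_internal_cert DIR HOST
# Writes ca.key/ca.pem (the CA) and server.key/server.pem (the leaf) into DIR.
issue_internal_cert() {
    dir=$1; host=$2
    old_umask=$(umask); umask 077      # private keys readable by owner only
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA certificate: the only file that clients import.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" &&
    # 2. Server key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" &&
    # 3. The CA signs the request; the SAN and serverAuth usage are added here.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/server.cnf" -extensions v3_server -out "$dir/server.pem"
    rc=$?
    umask "$old_umask"
    return $rc
}

# check_internal_cert DIR HOST
# Prints "ok" when server.pem chains to ca.pem, is usable as a TLS server
# certificate and names HOST; prints "FAIL" otherwise.
check_internal_cert() {
    if openssl verify -purpose sslserver -verify_hostname "$2" \
            -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Demo run in a throwaway directory.
# In Dovecot: ssl_cert = <.../server.pem and ssl_key = <.../server.key.
# Intermediate CA certificates, if any, follow the server certificate in the
# same file, ordered towards the root. ca.key never leaves the signing host.
work=$(mktemp -d)
issue_internal_cert "$work" mail.example.internal 2>/dev/null
echo "chain and host name: $(check_internal_cert "$work" mail.example.internal)"
openssl x509 -in "$work/server.pem" -noout -subject -issuer -enddate
rm -rf "$work"
```

Clients import only ca.pem, so the server certificate can be reissued from the same CA without touching them again.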
On Thu, 30 Apr 2020, hanasaki@gmail.com wrote:
Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
According to this
https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s
this error comes about when you specify the client must authenticate with their own certificate. If your Dovecot setup is working with Evolution, have you ported the client certificate to the Thunderbird setup?
Joseph Tam <jtam.home@gmail.com>
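The where= and ret= fields in the Dovecot debug lines quoted in this thread come from OpenSSL's info callback and can be decoded mechanically. The script below is an added example, not part of any poster's message; the function names are assumptions, the bit values are the SSL_CB_* and SSL_ST_* constants from openssl/ssl.h, and the sample lines are copied from the log in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): decode the where=/ret= fields that
# Dovecot's "Debug: SSL" lines take from OpenSSL's info callback.
# Bit values are the SSL_CB_* / SSL_ST_* constants in <openssl/ssl.h>.

# Certificate-related TLS alert descriptions (RFC 5246, RFC 8446).
alert_name() {
    case "$1" in
        40)  echo handshake_failure ;;
        42)  echo bad_certificate ;;
        43)  echo unsupported_certificate ;;
        44)  echo certificate_revoked ;;
        45)  echo certificate_expired ;;
        46)  echo certificate_unknown ;;
        48)  echo unknown_ca ;;
        116) echo certificate_required ;;
        *)   echo "alert_$1" ;;
    esac
}

# decode_ssl_debug LINE: prints a one-line summary of the callback event.
decode_ssl_debug() {
    where=$(printf '%s\n' "$1" | sed -n 's/.*where=\(0x[0-9a-fA-F]*\).*/\1/p')
    ret=$(printf '%s\n' "$1" | sed -n 's/.*ret=\(-\{0,1\}[0-9]*\).*/\1/p')
    if [ -z "$where" ] || [ -z "$ret" ]; then
        echo "not-an-ssl-debug-line"
        return 1
    fi
    if [ $(( $where & 0x4000 )) -ne 0 ]; then            # SSL_CB_ALERT
        # SSL_CB_READ (0x04): alert came from the peer; SSL_CB_WRITE: we sent it.
        if [ $(( $where & 0x04 )) -ne 0 ]; then dir=received; else dir=sent; fi
        level=$(( $ret >> 8 ))                           # ret = (level << 8) | description
        desc=$(( $ret & 255 ))
        case "$level" in
            1) lvl=warning ;;
            2) lvl=fatal ;;
            *) lvl="level_$level" ;;
        esac
        echo "alert $dir $lvl $desc $(alert_name "$desc")"
    elif [ $(( $where & 0x10 )) -ne 0 ]; then            # SSL_CB_HANDSHAKE_START
        echo "handshake_start"
    elif [ $(( $where & 0x20 )) -ne 0 ]; then            # SSL_CB_HANDSHAKE_DONE
        echo "handshake_done"
    else
        side=unknown
        if [ $(( $where & 0x2000 )) -ne 0 ]; then side=accept; fi    # SSL_ST_ACCEPT
        if [ $(( $where & 0x1000 )) -ne 0 ]; then side=connect; fi   # SSL_ST_CONNECT
        if [ $(( $where & 0x02 )) -ne 0 ]; then          # SSL_CB_EXIT
            echo "$side exit ret=$ret"
        else                                             # SSL_CB_LOOP
            echo "$side loop"
        fi
    fi
}

# Sample lines copied from the log in the first post of the thread.
while IFS= read -r line; do
    printf '%s\n' "$(decode_ssl_debug "$line")"
done <<'EOF'
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
EOF
```

For where=0x4004, ret=554 the script reports that Dovecot received a fatal alert 42 (bad_certificate) from the connecting client after the server had written its certificate; the ssl3_read_bytes name in the error string points the same way.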
Evolution prompted to accept the cert; which I did. Thunderbird used to prompt and allow acceptance; it no longer does... well sorta does. See my other posting for a screenshot where it shows "add server location https:// ...." HTTPS . no way to add from SMTP. Have also tried typing smtp://host:25 and https://host:25
On 04 May 2020, at 11:44, hanasaki@gmail.com wrote
Have also tried typing smtp://host:25 and https://host:25
Can’t help you with thunderbird (which I consider one garage above garbage) but port 25 is not a TLS port and will not be sending a cert challenge.
-- "Are you pondering what I'm pondering?" "I think so, Brain, but why does a forklift have to be so big if all it does is lift forks?”