[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Markus Schönhaber
dovecot at list-post.mks-mail.de
Fri Apr 18 20:41:25 UTC 2014
18.04.2014 22:12, Charles Marcus:
> On 4/18/2014 3:57 PM, Charles Marcus <CMarcus at Media-Brokers.com> wrote:
>> Everything seems to be working, BUT... I'm now seeing some of these
>> errors, that were not showing up in the logs before:
>>
>> 2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=24.126.163.180, lport=143
>> 2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read()
>> failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate: SSL alert number 42, rip=98.66.176.115, lport=143
>>
>> !2 total in the last 25 minutes since flipping the switch.
>>
>> and there have been two of these:
>>
>> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>>
>> Not a huge number, but enough to be concerning...
>
> Ahh... I'm sure we have some older clients that are still configured to
> use a different hostname...
>
> So, if the new certs are for mail.example.com, and a client tries to
> connect using a different hostname, like imap.example.com, would that
> result in these kinds of errors?
The errors indicate that a client didn't like your certificate for some
reason. One of the possible reasons surely is a CN in the certificate
that doesn't match the name of the server the client thinks he's
connecting to.
So the answer to your question is very likely "yes".
--
Regards
mks