<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Black";
panose-1:2 11 10 4 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoPlainText>Thanks for your help.<o:p></o:p></p><p class=MsoPlainText>I was able to 'confirm' the certificate in Thunderbird.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I looked at the certificate in Thunderbird. As I knew, it is a chain of multiple domains, all set up on our VPS.<o:p></o:p></p><p class=MsoPlainText>Under Issuer Name it says: <b><span style='font-size:10.0pt;font-family:"Courier New"'>Common Name R3</span></b><o:p></o:p></p><p class=MsoPlainText><b><span style='color:#C00000'>It appears that I'm able to connect to the mailbox now but I can’t receive or send email.<o:p></o:p></span></b></p><p class=MsoPlainText>Thunderbird says:<br><b><span style='font-size:10.0pt;font-family:"Courier New"'>Wrong Site</span></b><span style='font-size:10.0pt;font-family:"Courier New"'> The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.</span><o:p></o:p></p><p class=MsoPlainText>In Thunderbird I can <span style='font-size:9.0pt;font-family:"Arial Black",sans-serif;background:silver;mso-highlight:silver'>Confirm Security Exception</span> but I’d much rather fix the problem.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The certificate is for a 'chain' of domains, 5 as of now, with the primary domain being aecperformance.com (not sizzelicks.com).<o:p></o:p></p><p class=MsoPlainText>The certificate as shown in Thunderbird says: <b><span style='font-size:10.0pt;font-family:"Courier New"'>Common Name aecperformance.com<o:p></o:p></span></b></p><p class=MsoPlainText>The certificate does show a list of all the domains in the chain.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Our VPS hosts multiple domains (5 right now) all of which receive and send email.<o:p></o:p></p><p class=MsoPlainText>The websites on the VPS all work fine under ssl using the same certificate chain set up in postfix/dovecot config.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>When I install postfix and dovecot the configuration includes paths for 1 certificate.<o:p></o:p></p><p class=MsoPlainText>The certificate files I have set in postfix & dovecot config are the letsencrypt files for the websites.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><b><span style='color:#C00000'>How should I set up the certificates for the domains that postfix/dovecot handles?<o:p></o:p></span></b></p><p class=MsoPlainText><b><span style='color:#C00000'>How can I fix the problem Thunderbird is having with the certificate chain of multiple domains?<o:p></o:p></span></b></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of Robert L Mathews<br>Sent: Tuesday, December 7, 2021 7:46 PM<br>To: dovecot@dovecot.org<br>Subject: Re: Mailbox connection fails: Connection closed (No commands sent) Help please</p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On 12/7/21 2:49 PM, Alexander Dalloz wrote:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>> Use a not expired certificate.<o:p></o:p></p><p class=MsoPlainText>> <o:p></o:p></p><p class=MsoPlainText>> $ openssl s_client -connect 194.163.45.150:993<o:p></o:p></p><p class=MsoPlainText>> CONNECTED(00000003)<o:p></o:p></p><p class=MsoPlainText>> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3 verify <o:p></o:p></p><p class=MsoPlainText>> error:num=10:certificate has expired notAfter=Sep 30 14:01:15 2021 GMT<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>That error's happening because you (Alexander) are using an old openssl version that has the problem described on:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> <a href="https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/"><span style='color:windowtext;text-decoration:none'>https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText><a href="https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049"><span style='color:windowtext;text-decoration:none'>https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText><a href="https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/"><span style='color:windowtext;text-decoration:none'>https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>In any case, this works fine with OpenSSL 1.1 or later:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> $ openssl s_client -connect mail.sizzelicks.com:993<o:p></o:p></p><p class=MsoPlainText> ...<o:p></o:p></p><p class=MsoPlainText> * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE <o:p></o:p></p><p class=MsoPlainText>LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>--<o:p></o:p></p><p class=MsoPlainText>Robert L Mathews, Tiger Technologies, <a href="http://www.tigertech.net/"><span style='color:windowtext;text-decoration:none'>http://www.tigertech.net/</span></a><o:p></o:p></p></div></body></html>