dovecot - Oct 2019 - Error: SSL_accept() syscall failed

In setting up my new mail server, I am getting the following in the logs:

Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected (no auth 
attempts in 0 secs): user=<>, rip=24.53.79.10, lip=172.26.12.90, *TLS 
handshaking: SSL_accept() syscall failed: Success*, 
session=<B9OokqCUD+UYNU8K>

I have tried various ssl_protocols entries, but for now have defaulted 
back to ssl_protocols = !SSLv3 (the "out of the box" setting).

The certificate (ssl_cert = </etc/ssl/certs/certificate_and_key.crt) is 
valid and the same one used by postfix.? However, I belive the error 
appeared only after removing the self signed certificate and installing 
the one I purchased.

Warning:? though I was a sysadmin a long long time, it has been a 
while!? I have not run a mail server in 15 years, but am moving my mail 
back "in-house" as I approach retirement!? I searched for a forum
where
I could post this issue, but only found this list.



# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf

# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-1051-aws x86_64 Ubuntu 18.04.1 LTS
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
 ? inbox = yes
 ? location  ? mailbox Drafts {
 ??? special_use = \Drafts
 ? }
 ? mailbox Junk {
 ??? special_use = \Junk
 ? }
 ? mailbox Sent {
 ??? special_use = \Sent
 ? }
 ? mailbox "Sent Messages" {
 ??? special_use = \Sent
 ? }
 ? mailbox Trash {
 ??? special_use = \Trash
 ? }
 ? prefix }
passdb {
 ? driver = pam
}
plugin {
 ? sieve = ~/.dovecot.sieve
 ? sieve_dir = ~/sieve
}
protocols = " imap sieve pop3"
service auth {
 ? unix_listener /var/spool/postfix/private/dovecot-auth {
 ??? group = postfix
 ??? mode = 0660
 ??? user = postfix
 ? }
}
ssl_cert = </etc/ssl/certs/certificate_and_key.crt
ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIUM
ssl_client_ca_dir = /etc/ssl/certs
ssl_key =? # hidden, use -P to show it
userdb {
 ? driver = passwd
}
protocol lda {
 ? deliver_log_format = msgid=%m: %$
 ? mail_plugins = sieve
 ? postmaster_address = postmaster
 ? quota_full_tempfail = yes
 ? rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
 ? imap_client_workarounds = delay-newmail
 ? mail_max_userip_connections = 10
}
protocol pop3 {
 ? mail_max_userip_connections = 10
 ? pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20191011/03c55434/attachment.html>

In case it helps, here are the results of testssl.sh:


jervin at MiniUntu:~/testssl/testssl.sh$ ./testssl.sh kumo.kites.org:993

###########################################################
 ??? testssl.sh?????? 3.0rc5 from https://testssl.sh/dev/
 ??? (35c69be 2019-10-02 17:53:37 -- )

 ????? This program is free software. Distribution and
 ???????????? modification under GPLv2 permitted.
 ????? USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 ?????? Please file bugs @ https://testssl.sh/bugs/

###########################################################

 ?Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 ?on MiniUntu:./bin/openssl.Linux.x86_64
 ?(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")


 ?Start 2019-10-11 07:28:20??????? -->> 3.222.54.62:993 (kumo.kites.org) 
<<--

 ?rDNS (3.222.54.62):???? kumo.kites.org.
 ?Service detected:?????? IMAP, thus skipping HTTP specific checks


 ?Testing protocols via sockets except NPN+ALPN

 ?SSLv2????? not offered (OK)
 ?SSLv3????? not offered (OK)
 ?TLS 1????? offered (deprecated)
 ?TLS 1.1??? offered (deprecated)
 ?TLS 1.2??? offered (OK)
 ?TLS 1.3??? offered (OK): final
 ?NPN/SPDY?? not offered
 ?ALPN/HTTP2 not offered

 ?Testing cipher categories

 ?NULL ciphers (no encryption)????????????????? not offered (OK)
 ?Anonymous NULL Ciphers (no authentication)??? not offered (OK)
 ?Export ciphers (w/o ADH+NULL)???????????????? not offered (OK)
 ?LOW: 64 Bit + DES, RC[2,4] (w/o export)?????? not offered (OK)
 ?Triple DES Ciphers / IDEA???????????????????? not offered (OK)
 ?Average: SEED + 128+256 Bit CBC ciphers?????? offered
 ?Strong encryption (AEAD ciphers)????????????? offered (OK)


 ?Testing robust (perfect) forward secrecy, (P)FS -- omitting Null 
Authentication/Encryption, 3DES, RC4

 ?PFS is offered (OK)????????? TLS_AES_256_GCM_SHA384 
TLS_CHACHA20_POLY1305_SHA256
 ????????????????????????????? ECDHE-RSA-AES256-GCM-SHA384 
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
 ????????????????????????????? DHE-RSA-AES256-GCM-SHA384 
ECDHE-RSA-CHACHA20-POLY1305
 ????????????????????????????? DHE-RSA-CHACHA20-POLY1305 
DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM
 ????????????????????????????? DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA 
ECDHE-RSA-CAMELLIA256-SHA384
 ????????????????????????????? DHE-RSA-CAMELLIA256-SHA256 
DHE-RSA-CAMELLIA256-SHA
 ????????????????????????????? DHE-RSA-ARIA256-GCM-SHA384 
ECDHE-ARIA256-GCM-SHA384
 ????????????????????????????? TLS_AES_128_GCM_SHA256 
ECDHE-RSA-AES128-GCM-SHA256
 ????????????????????????????? ECDHE-RSA-AES128-SHA256 
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256
 ????????????????????????????? DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM 
DHE-RSA-AES128-SHA256
 ????????????????????????????? DHE-RSA-AES128-SHA 
ECDHE-RSA-CAMELLIA128-SHA256
 ????????????????????????????? DHE-RSA-CAMELLIA128-SHA256 
DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA
 ????????????????????????????? DHE-RSA-ARIA128-GCM-SHA256 
ECDHE-ARIA128-GCM-SHA256
 ?Elliptic curves offered:???? secp384r1
 ?DH group offered:??????????? Unknown DH group (1024 bits)

 ?Testing server preferences

 ?Has server cipher order????? yes (OK) -- only for < TLS 1.3
 ?Negotiated protocol????????? TLSv1.3
 ?Negotiated cipher??????????? TLS_AES_256_GCM_SHA384, 384 bit ECDH (P-384)
 ?Cipher order
 ??? TLSv1:???? ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA 
DHE-RSA-CAMELLIA256-SHA AES256-SHA
 ?????????????? CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA 
DHE-RSA-SEED-SHA
 ?????????????? DHE-RSA-CAMELLIA128-SHA AES128-SHA SEED-SHA CAMELLIA128-SHA
 ??? TLSv1.1:?? ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA 
DHE-RSA-CAMELLIA256-SHA AES256-SHA
 ?????????????? CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA 
DHE-RSA-SEED-SHA
 ?????????????? DHE-RSA-CAMELLIA128-SHA AES128-SHA SEED-SHA CAMELLIA128-SHA
 ??? TLSv1.2:?? ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 
ECDHE-RSA-AES256-SHA
 ?????????????? DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
DHE-RSA-CHACHA20-POLY1305
 ?????????????? DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM 
DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
 ?????????????? ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 
DHE-RSA-CAMELLIA256-SHA
 ?????????????? AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES256-SHA256 
AES256-SHA CAMELLIA256-SHA256
 ?????????????? CAMELLIA256-SHA ARIA256-GCM-SHA384 
DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384
 ?????????????? ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 
ECDHE-RSA-AES128-SHA
 ?????????????? DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM8 
DHE-RSA-AES128-CCM AES128-CCM8 AES128-CCM
 ?????????????? DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA 
ECDHE-RSA-CAMELLIA128-SHA256
 ?????????????? DHE-RSA-CAMELLIA128-SHA256 DHE-RSA-SEED-SHA 
DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256
 ?????????????? AES128-SHA256 AES128-SHA CAMELLIA128-SHA256 SEED-SHA 
CAMELLIA128-SHA ARIA128-GCM-SHA256
 ?????????????? DHE-RSA-ARIA128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256
 ??? TLSv1.3:?? TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 
TLS_AES_128_GCM_SHA256


 ?Testing server defaults (Server Hello)

 ?TLS extensions (standard)??? "renegotiation info/#65281"
"server
name/#0" "EC point formats/#11"
 ????????????????????????????? "session ticket/#35" "supported 
versions/#43" "key share/#51"
 ????????????????????????????? "max fragment length/#1" 
"encrypt-then-mac/#22"
 ????????????????????????????? "extended master secret/#23"
 ?Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems 
to be rotated < daily
 ?SSL Session ID support?????? yes
 ?Session Resumption?????????? Tickets no, ID: no
 ?TLS clock skew?????????????? Random values, no fingerprinting possible
 ?Signature Algorithm????????? SHA256 with RSA
 ?Server key size????????????? RSA 2048 bits
 ?Server key usage???????????? Digital Signature, Key Encipherment
 ?Server extended key usage??? TLS Web Server Authentication, TLS Web 
Client Authentication
 ?Serial / Fingerprints F451FC38110BD0CC08D03E6975C05AC0 / SHA1 
5EB402C1FB4020C1697E48931F68D11145D48F43
 ????????????????????????????? SHA256 
C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0
 ?Common Name (CN)???????????? kumo.kites.org
 ?subjectAltName (SAN)???????? kumo.kites.org www.kumo.kites.org
 ?Issuer?????????????????????? Sectigo RSA Domain Validation Secure 
Server CA (Sectigo Limited from GB)
 ?Trust (hostname)???????????? Ok via SAN and CN (same w/o SNI)
 ?Chain of trust?????????????? Ok
 ?EV cert (experimental)?????? no
 ?ETS/"eTLS", visibility info? not present
 ?Certificate Validity (UTC)?? 364 >= 60 days (2019-10-10 20:00 --> 
2020-10-09 19:59)
 ?# of certificates provided?? 6 (certificate list ordering problem)
 ?Certificate Revocation List? --
 ?OCSP URI???????????????????? http://ocsp.sectigo.com
 ?OCSP stapling??????????????? not offered
 ?OCSP must staple extension?? --
 ?DNS CAA RR (experimental)??? not offered
 ?Certificate Transparency???? yes (certificate extension)


 ?Testing vulnerabilities

 ?Heartbleed (CVE-2014-0160)??????????????? not vulnerable (OK), no 
heartbeat extension
 ?CCS (CVE-2014-0224)?????????????????????? not vulnerable (OK)
 ?Ticketbleed (CVE-2016-9244), experiment.? -- (applicable only for HTTPS)
 ?ROBOT???????????????????????????????????? not vulnerable (OK)
 ?Secure Renegotiation (RFC 5746)?????????? supported (OK)
 ?Secure Client-Initiated Renegotiation???? not vulnerable (OK)
 ?CRIME, TLS (CVE-2012-4929)??????????????? not vulnerable (OK) (not 
using HTTP anyway)
 ?POODLE, SSL (CVE-2014-3566)?????????????? not vulnerable (OK)
 ?TLS_FALLBACK_SCSV (RFC 7507)????????????? Downgrade attack prevention 
supported (OK)
 ?SWEET32 (CVE-2016-2183, CVE-2016-6329)??? not vulnerable (OK)
 ?FREAK (CVE-2015-0204)???????????????????? not vulnerable (OK)
 ?DROWN (CVE-2016-0800, CVE-2016-0703)????? not vulnerable on this host 
and port (OK)
 ?????????????????????????????????????????? make sure you don't use this 
certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0
could help you to find out
 ?LOGJAM (CVE-2015-4000), experimental????? not vulnerable (OK): no DH 
EXPORT ciphers
 ?????????????????????????????????????????? But: Unknown DH group (1024 
bits)
 ?BEAST (CVE-2011-3389)???????????????????? TLS1: ECDHE-RSA-AES256-SHA 
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA
 ???????????????????????????????????????????????? SEED-SHA CAMELLIA128-SHA
 ?????????????????????????????????????????? VULNERABLE -- but also 
supports higher protocols? TLSv1.1 TLSv1.2 (likely mitigated)
 ?LUCKY13 (CVE-2013-0169), experimental???? potentially VULNERABLE, uses 
cipher block chaining (CBC) ciphers with TLS. Check patches
 ?RC4 (CVE-2013-2566, CVE-2015-2808)??????? no RC4 ciphers detected (OK)


 ?Testing 370 ciphers via OpenSSL plus sockets against the server, 
ordered by encryption strength

Hexcode? Cipher Suite Name (OpenSSL)?????? KeyExch. Encryption? Bits???? 
Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
[redacted to reduce size]


 ?Running client simulations via sockets

 ?Android 8.1 (native)???????? TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 
bit ECDH (P-384)
 ?Android 9.0 (native)???????? TLSv1.3 TLS_AES_128_GCM_SHA256, 384 bit 
ECDH (P-384)
 ?Java 6u45??????????????????? TLSv1.0 AES128-SHA, No FS
 ?Java 7u25??????????????????? TLSv1.0 ECDHE-RSA-AES128-SHA, 384 bit 
ECDH (P-384)
 ?Java 8u161?????????????????? TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit 
ECDH (P-384)
 ?Java 11.0.2 (OpenJDK)??????? TLSv1.3 TLS_AES_128_GCM_SHA256, 384 bit 
ECDH (P-384)
 ?Java 12.0.1 (OpenJDK)??????? TLSv1.3 TLS_AES_128_GCM_SHA256, 384 bit 
ECDH (P-384)
 ?OpenSSL 1.0.1l?????????????? TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 
bit ECDH (P-384)
 ?OpenSSL 1.0.2e?????????????? TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 
bit ECDH (P-384)
 ?OpenSSL 1.1.0j (Debian)????? TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 
bit ECDH (P-384)
 ?OpenSSL 1.1.1b (Debian)????? TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit 
ECDH (P-384)
 ?Thunderbird (60.6)?????????? TLSv1.3 TLS_AES_128_GCM_SHA256, 384 bit 
ECDH (P-384)

 ?Done 2019-10-11 07:31:08 [ 170s] -->> 3.222.54.62:993 (kumo.kites.org) 
<<--


On 10/11/19 7:22 AM, C. James Ervin via dovecot wrote:
>
> In setting up my new mail server, I am getting the following in the logs:
>
> Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=24.53.79.10, lip=172.26.12.90, *TLS
> handshaking: SSL_accept() syscall failed: Success*, 
> session=<B9OokqCUD+UYNU8K>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20191011/793965de/attachment-0001.html>

Am 11.10.2019 um 13:22 schrieb C. James Ervin via
dovecot:
> In setting up my new mail server, I am getting the following in the logs:
> 
> Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=24.53.79.10, lip=172.26.12.90, *TLS
> handshaking: SSL_accept() syscall failed: Success*, 
> session=<B9OokqCUD+UYNU8K>
Unless you meanwhile managed to solve your issue I see none from my 
side. Should be client side else.

# openssl s_client -connect 3.222.54.62:993
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN 
= AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST 
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo 
Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = kumo.kites.org
verify return:1
---
Certificate chain
  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=kumo.kites.org
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo 
RSA Domain Validation Secure Server CA
  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo 
RSA Domain Validation Secure Server CA
    i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST 
Network/CN=USERTrust RSA Certification Authority
  2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST 
Network/CN=USERTrust RSA Certification Authority
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
External CA Root
  3 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=kumo.kites.org
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo 
RSA Domain Validation Secure Server CA
  4 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo 
RSA Domain Validation Secure Server CA
    i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST 
Network/CN=USERTrust RSA Certification Authority
  5 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST 
Network/CN=USERTrust RSA Certification Authority
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF+DCCBOCgAwIBAgIRAPRR/DgRC9DMCNA+aXXAWsAwDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xOTEwMTEwMDAwMDBaFw0yMDEwMDkyMzU5NTlaMFIxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFzAV
BgNVBAMTDmt1bW8ua2l0ZXMub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAviqQmCB6So+K7jj8CIBb7MWZgnI6Ha8zvV1wbwo/giUSdOaVQ9OEg7NA
yEP24RcnEDi8j9WnJyazMhthMWssGEVJVmaqg11nnJ4GzN36uJJ/b3tsXupKMgQt
P3iR8gtuB5gVdH1t1jc6M4WORnhNL/k41eRDLv2zJZjxy4089SnAJn2uR2xiYSo0
Jr7HIuQcyISFOpvy9Qq2KLmkZxghEEnNHraFx0S5qlrj62DBa5TTPx1PCe43dXyn
Tmid4TfTua700xt7daYS2UQc9GSi0vEDj0XAvY1+GPiSkmrgNGa7DahZ7pywUiq0
5i3lUNW0ZHWAPkQrCdWbgslmf6QBvwIDAQABo4ICiTCCAoUwHwYDVR0jBBgwFoAU
jYxexFStiuF36Zv5mwXhuAGNYeEwHQYDVR0OBBYEFBiQDmP7BWEXR/MzWmB7Xnvi
RyUoMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYI
KwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBhAYI
KwYBBQUHAQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29t
L1NlY3RpZ29SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCMG
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAtBgNVHREEJjAkgg5r
dW1vLmtpdGVzLm9yZ4ISd3d3Lmt1bW8ua2l0ZXMub3JnMIIBAwYKKwYBBAHWeQIE
AgSB9ASB8QDvAHYAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFt
uCloHAAABAMARzBFAiEAqj3ij29JbFtVe1zPiWxe0kHeqBausXJxHTEeF91WbIAC
IE+21ysv6L9xRKqdJGztqwNCjMkDCnvFuqGiIxnXJU4jAHUAXqdz+d9WwOe1Nkh9
0EngMnqRmgyEoRIShBh1loFxRVgAAAFtuCloFAAABAMARjBEAiBpLGo6/j/q3101
QmCQqAdTed7ZGdskysaHKDEDfmsGEQIgWH1U74bH8ajaWqpcJ+PCngLG49BJOYv3
WYrWq+9Hc9EwDQYJKoZIhvcNAQELBQADggEBAJH4RYgEfcVP8oP0Xa3HeC3u8EdG
XnvFjYSGTcEoaZXJOlAB8i7ZwzWUwkn6+A6LPQjkPf4yOJhP4iHYuYsKG4IHfSlJ
9DKy7X9kHgd3DiYPQ7j1FrOChL1/Zav+pr3M9N0CxCuveY/Z04W9DcqiychlCKAx
5jX28jkmAd+MFp8DB29vHqgbqJ/Dkbx8cnAbm4eragXZ3in+xACsfSkgfwkS4djG
aKP6Jx0dIlMtsKaQVwMNOSMapcGe2tFmrV8WR9uByo6wGOAu1KWu6YrhQTwjSoNP
9RWUpMPNAtrM69r+kkUc3cdE+SrJHzKwnivigKuzNkxiQO7sxJ2ria06vpU-----END
CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=kumo.kites.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo 
Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 9689 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 
D70E66B01EDEAAF0C03188CF83AFCA71EAA6A3D56F0FA1F13281374E5E29506F
     Session-ID-ctx:
     Master-Key: 
1B1283187F21E890095893F8A3308A277F5DAB34471EF25DAC2135C08D6631ABA13035DCA24658399181CB42465F968E
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
     0000 - 84 e1 ef 09 30 b9 bc 58-e6 36 0f dd 32 7b 10 03 
....0..X.6..2{..
     0010 - 03 5d 1a a2 d8 a0 dc 3b-36 ee b8 76 da 21 ff 0e 
.].....;6..v.!..
     0020 - 30 29 e0 d4 19 fd 1e 84-09 c7 f5 24 fa 8d 7c 02 
0).........$..|.
     0030 - 77 b0 9d a9 8a 51 16 0a-6e 33 d8 90 87 ca a3 a9 
w....Q..n3......
     0040 - 87 ed 0e 3c 05 95 06 f3-e1 70 86 8a 3f 4a b5 98 
...<.....p..?J..
     0050 - da 53 7c dd 8c 77 c9 eb-3a 13 6e 77 d4 db 3c 0f 
.S|..w..:.nw..<.
     0060 - 2c 53 4d d2 f9 fa 31 15-e7 98 91 36 74 9e 4e 92 
,SM...1....6t.N.
     0070 - 7e 35 b1 73 a6 43 df e8-3e d4 4c 82 c3 1f cc 12 
~5.s.C..>.L.....
     0080 - a7 aa 7a 8a 36 6d 39 d6-1b 0d 93 52 c8 f6 24 23 
..z.6m9....R..$#
     0090 - 48 f5 f4 c3 17 fa 2d 3e-e5 ab 48 a1 9f 4c 48 f9 
H.....->..H..LH.

     Start Time: 1570825213
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
QUIT
DONE


Alexander

Sir, I believe you are right as the log entries stopped upon going to work
today.  Thank you for the sanity check.  At home I was connected with
Thunderbird running on my Linux system and at work I have the account added to
my desktop Mac with Apple Mail.  I do think it is a client issue at this point.
> On Oct 11, 2019, at 4:21 PM, Alexander Dalloz via dovecot <dovecot at
dovecot.org> wrote:
> 
> Am 11.10.2019 um 13:22 schrieb C. James Ervin via dovecot:
>> In setting up my new mail server, I am getting the following in the
logs:
>> Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=24.53.79.10, lip=172.26.12.90, *TLS
handshaking: SSL_accept() syscall failed: Success*,
session=<B9OokqCUD+UYNU8K>
> 
> Unless you meanwhile managed to solve your issue I see none from my side.
Should be client side else.
> 
> # openssl s_client -connect 3.222.54.62:993
> CONNECTED(00000003)
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA