I confirm that the solution in Thunderbird, was they had to click on the
account's inbox, then click get messages, then click the confirm
security exception button on the server identity pop-up, and that fixes
the issue.? I could see that under Tools > Options > Certificates for
the server section had a self-signed certificate which is active for 1
year, so once the new cert is generated then everyone has to just
confirm the exception of the new self-signed certificate.? It's an easy
fix once you know the solution.
Thanks for your help Aki.
In our case this is an internally used Dovecot Mail server that's used
for mail storage only, not for sending out new email and it's not the
default email account to receive new messages.? The server never touches
the public internet, only inside the LAN traffic.? In this situation are
CA authority certificates worth the expense? Just curious on what
everyone's opinion is of Digital Certs signed by certificate authorities
that are only used inside the LAN. Thoughts?
On 4/12/2021 9:59 AM, Aki Tuomi wrote:>> On 12/04/2021 17:13 Christopher Wensink <cwensink at
five-star-plastics.com> wrote:
>>
>>
>> Dovecot Team,
>>
>> I need a little help.? I came in this morning and it seems like the SSL
>> Certificates expired for dovecot (on an internal mail server) and
nobody
>> can move email into? their folders on this server.? In Thunderbird they
>> just see in the status bar:? HISTORY: checking mail server
capabilities...
>>
>> In /var/log/maillog:
>> --------
>> Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS:
>> SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>> alert bad certificate: SSL alert number 42,
session=<H5iu9sa/Me0KBQFV>
>>
>> I have tried:
>>
>> -Restarting Dovecot
>> -Restarting the whole mail server
>> -Re-creating the .pem files, first moving the old files in
>> /etc/pki/dovecot/certs and /etc/pki/dovecot/private from dovecot.pem to
>> dovecot-old.pem,
>> ? - Re-creating a new dovecot.pem using the mkcert.sh script in the
doc
>> folder in /usr/share/doc/dovecot-2.2.36/,
>> ? - restarting dovecot
>> ? - changing the cert values in dovecot-openssl.cnf
>>
>> I also tried creating new .crt and key files using this tutorial:
>>
https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>>
>>
>> I need some assistance, thank you for your help.
>>
>> Chris
> Please use real certs if possible. Otherwise you need to install the used
CA certificate, or the self-signed certificate, to all the clients. Or reset the
exception there, and then tell all your users to redo the exception. Using real
certs is easier.
>
> Aki
>
--
Christopher Wensink
IS Administrator
Five Star Plastics, Inc
1339 Continental Drive
Eau Claire, WI 54701
Office: 715-831-1682
Mobile: 715-563-3112
Fax: 715-831-6075
cwensink at five-star-plastics.com
www.five-star-plastics.com