Robert L Mathews
2021-Dec-08 00:46 UTC
Mailbox connection fails: Connection closed (No commands sent) Help please
On 12/7/21 2:49 PM, Alexander Dalloz wrote:

> Use a not expired certificate.
>
> $ openssl s_client -connect 194.163.45.150:993
> CONNECTED(00000003)
> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT

That error's happening because you (Alexander) are using an old openssl version that has the problem described on:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:

https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049

https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/

In any case, this works fine with OpenSSL 1.1 or later:

 $ openssl s_client -connect mail.sizzelicks.com:993
 ...
 * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

--
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
postfix at aecperformance.com
2021-Dec-08 12:49 UTC
Mailbox connection fails: Connection closed (No commands sent) Help please
Thanks for your help.

I was able to 'confirm' the certificate in Thunderbird. I looked at the certificate in Thunderbird. As I knew, it is a chain of multiple domains, all set up on our VPS. Under Issuer Name it says:

Common Name R3

It appears that I'm able to connect to the mailbox now but I can't receive or send email. Thunderbird says:

Wrong Site
The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.

In Thunderbird I can Confirm Security Exception but I'd much rather fix the problem.

The certificate is for a 'chain' of domains, 5 as of now, with the primary domain being aecperformance.com (not sizzelicks.com). The certificate as shown in Thunderbird says:

Common Name aecperformance.com

The certificate does show a list of all the domains in the chain.

Our VPS hosts multiple domains (5 right now) all of which receive and send email. The websites on the VPS all work fine under ssl using the same certificate chain set up in postfix/dovecot config.

When I install postfix and dovecot the configuration includes paths for 1 certificate. The certificate files I have set in postfix & dovecot config are the letsencrypt files for the websites.

How should I set up the certificates for the domains that postfix/dovecot handles?

How can I fix the problem Thunderbird is having with the certificate chain of multiple domains?
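Added example, not part of any poster's message: Thunderbird's "Wrong Site" warning means the server name configured in the client matches none of the names in the certificate. The check below applies that name-matching rule to a constructed name list and constructed client server names; the thread does not show the real certificate's list, so both lists are assumptions.

```python
import ipaddress

# Constructed for illustration: the thread does not list the certificate's names.
# The real list can be read with: openssl x509 -noout -ext subjectAltName
SAN_DNS_NAMES = ["aecperformance.com", "www.aecperformance.com",
                 "sizzelicks.com", "www.sizzelicks.com"]
# Names a mail client might have configured as its IMAP/SMTP server (constructed).
CLIENT_SERVER_NAMES = ["mail.sizzelicks.com", "sizzelicks.com", "194.163.45.150"]


def is_ip_literal(name):
    """True when the client is configured with an IP address, not a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def san_matches(pattern, hostname):
    """Match one dNSName entry against a hostname, label by label.

    Case-insensitive; '*' is honoured only as the whole left-most label
    and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covering_names(hostname, san_dns_names):
    """Return the certificate names that cover hostname (empty = 'Wrong Site')."""
    if is_ip_literal(hostname):
        return []  # dNSName entries never match an IP address
    return [san for san in san_dns_names if san_matches(san, hostname)]


def audit(client_names, san_dns_names):
    """Map every client-configured server name to the names that cover it."""
    return {name: covering_names(name, san_dns_names) for name in client_names}


if __name__ == "__main__":
    for name, hits in audit(CLIENT_SERVER_NAMES, SAN_DNS_NAMES).items():
        status = "covered by " + ", ".join(hits) if hits else "NOT covered"
        print(f"{name:22} {status}")
```

A server name reported as not covered has to be added to the certificate, or the client has to be pointed at a name the certificate already lists.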
postfix at aecperformance.com
2021-Dec-08 13:04 UTC
Mailbox connection fails: Connection closed (No commands sent) Help please
OK I'm confused. It looks like I'm connected to the mailbox but when I try to 'Get Messages' now it says that the server has disconnected.

In the mail.log file I see this (again):

Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67110, TLS, session
Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67111, TLS, session
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1 at sizzelicks.com)<67110>: Connection closed (No commands sent) in=0 out=387 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1 at sizzelicks.com)<67111>: Connection closed (No commands sent) in=0 out=388 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

Please help me. How can I fix this problem?
Alexander Dalloz
2021-Dec-08 22:53 UTC
Mailbox connection fails: Connection closed (No commands sent) Help please
On 08.12.2021 at 01:46, Robert L Mathews wrote:

> On 12/7/21 2:49 PM, Alexander Dalloz wrote:
>
>> Use a not expired certificate.
>>
>> $ openssl s_client -connect 194.163.45.150:993
>> CONNECTED(00000003)
>> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
>> verify error:num=10:certificate has expired
>> notAfter=Sep 30 14:01:15 2021 GMT
>
> That error's happening because you (Alexander) are using an old openssl
> version that has the problem described on:
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> That's not the problem that the original poster is having unless
> Thunderbird also has the same problem, which it may; see:
>
> https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049
>
> https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/
>
> In any case, this works fine with OpenSSL 1.1 or later:
>
>  $ openssl s_client -connect mail.sizzelicks.com:993
>  ...
>  * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

Confirmed, my fault.

# openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = aecperformance.com
verify return:1
---
Certificate chain
 0 s:CN = aecperformance.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Alexander