Meikel
2022-Sep-14 11:14 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hi folks,
on a Rocky Linux 8.6 based home server I run Dovecot with an account
that I use as an archive. Archive means that from different Thunderbird
instances I connect to that Dovecot via IMAPS to move emails there that
I want to keep. Since some days, from all Thunderbird instances I can no
longer connect to that Dovecot account. In /var/log/maillog of the
server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected:
Connection closed: SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105,
lip=192.168.177.13, TLS handshaking: SSL_accept() failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:
SSL alert number 42, session=<dL1luJvokK3AqLFp>

I found that OpenSSL alert number 42 might be a problem with the SSL
certificate (which certificate?) but also might be an expired SSL
certificate (which certificate?). On the Dovecot installation I work
with a self-signed certificate. I created a new self-signed certificate
yesterday with an expiry not before the year 2032. That did not help; I
see the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed
Claws-Mail. From Claws-Mail I do NOT have those problems; I can access
Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer
access Dovecot via IMAPS. This worked fine for about 18 months. I can't
prove it, but I think it worked fine at the beginning of the month.
Something happened meanwhile.

If there is a problem with an SSL certificate (bad certificate: SSL
alert number 42), which certificate causes the problem? The certificate
used by Dovecot or some certificate used in Thunderbird?

About installation:

    cat /etc/redhat-release
    Rocky Linux release 8.6 (Green Obsidian)

    dovecot --version
    2.3.16 (7e2e900c1a)

    sudo dovecot -n
    # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
    # OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian)
    # Hostname: .......
    auth_debug = yes
    auth_mechanisms = plain login
    auth_verbose = yes
    first_valid_uid = 1000
    mail_debug = yes
    mail_gid = vmail
    mail_location = maildir:~/Maildir
    mail_privileged_group = vmail
    mail_uid = vmail
    mbox_write_locks = fcntl
    namespace {
      inbox = yes
      location
      mailbox Archives {
        special_use = \Archive
      }
      prefix = INBOX/
      separator = /
      type = private
    }
    passdb {
      args = scheme=CRYPT username_format=%u /etc/dovecot/users
      driver = passwd-file
    }
    protocols = imap
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }
    ssl = required
    ssl_cert = </etc/dovecot/......crt
    ssl_cipher_list = PROFILE=SYSTEM
    ssl_key = # hidden, use -P to show it
    userdb {
      args = username_format=%u /etc/dovecot/users
      driver = passwd-file
    }
    verbose_proctitle = yes

I used the following command to recreate the SSL certificate for Dovecot:

    sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
        -keyout /etc/dovecot/......key -out /etc/dovecot/......crt

And with the command

    openssl s_client -crlf -connect .....:993

I can successfully connect to Dovecot and "simulate" a minimal
IMAP session:

    * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
        IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready
    a login meikel.archive at ..... topsecret
    a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
        IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
        THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
        UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED
        I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
        WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE
        SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY
        SPECIAL-USE] Logged in
    a logout
    * BYE Logging out
    a OK Logout completed (0.001 + 0.000 secs).
    closed

I have the problem with different Thunderbird installations on various
operating systems (Windows 10, Fedora Linux 36 XFCE).
Regards,
Meikel
spi
2022-Sep-14 11:57 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
On 14.09.22 at 13:14, Meikel wrote:
> [full quote of the original message snipped]

Is this a self-signed certificate? In the past I had issues with Firefox
and self-signed certificates on my servers. They worked in Chromium but
not Firefox. Mozilla is a bit more niggling about certificates; I'd
expect the same engine in Thunderbird. I had an issue with the X509v3
extension in my certificate and one day Firefox didn't accept these
certificates any longer.

If this is the case you can either create new certificates or, if this
is a workaround for you, accept the certificate in Thunderbird (you might
have to import it manually into Thunderbird first and adopt its trust
level). I don't like the latter as it needs to be done on every client
and might break trust in future.

--
Cheers
spi
Christian Mack
2022-Sep-14 11:59 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hello,

Sounds to me as if Thunderbird does not know the CA used to (self) sign
that server certificate. As it does not know and trust that server
certificate for sending email, it disconnects with that generic error.

Thunderbird has its own trusted CA store, therefore not using the one
from the OS (as Claws-Mail does).

Kind regards,
Christian Mack

On 14.09.22 at 13:14, Meikel wrote:
> [full quote of the original message snipped]

--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
78457 Konstanz
+49 7531 88-4416
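The following is an added diagnostic example, not code from the thread, from Dovecot or from Thunderbird. It approaches Meikel's question "which certificate?" from the server operator's side: it classifies the maillog line (alert 42 is bad_certificate, and since SSL_accept() is the server half of the handshake, an alert it reports was sent by the client, i.e. the client rejected the certificate Dovecot presented), and then connects to the IMAPS port as a strictly verifying client. That second step matters because openssl s_client does not fail on a certificate it cannot verify; it completes the handshake and only prints a verify return code, which is why the manual IMAP session above succeeded while Thunderbird, verifying against its own CA store, did not. The host name mail.example.test, the sample log line (the thread's line unwrapped onto one line) and the sample certificate dict are constructed for the example; only the Python standard library is used.

```python
import re
import socket
import ssl

# TLS AlertDescription values (RFC 5246 section 7.2.2, RFC 8446 section 6.2).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Dovecot imap-login line: the alert number, later the client's remote IP (rip=).
LOG_RE = re.compile(r"SSL alert number (?P<num>\d+).*?rip=(?P<rip>[0-9a-fA-F.:]+)")

# Constructed sample: the line from the thread, unwrapped onto a single line.
SAMPLE_LOG = (
    "Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: "
    "Connection closed: SSL_accept() failed: error:14094412:SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 "
    "(no auth attempts in 0 secs): user=<>, rip=192.168.177.105, "
    "lip=192.168.177.13, TLS handshaking: SSL_accept() failed"
)


def parse_ssl_alert(line):
    """Classify a Dovecot SSL_accept() failure line; None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    return {
        "alert": num,
        "description": TLS_ALERTS.get(num, "unknown"),
        "client_ip": m.group("rip"),
        # SSL_accept() is the server side of the handshake, so the alert it
        # reports was received from the client: the client rejected the
        # certificate the server presented, not the other way round.
        "sent_by": "client",
    }


def _common_name(rdn_sequence):
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_summary(cert):
    """Summarise a certificate in the dict form ssl.SSLSocket.getpeercert() returns."""
    return {
        "subject_cn": _common_name(cert.get("subject", ())),
        "issuer_cn": _common_name(cert.get("issuer", ())),
        # A self-signed certificate is its own issuer; a client whose trust store
        # does not already contain it has no chain to follow and sends an alert.
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "dns_names": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_after": cert.get("notAfter"),
    }


def inspect_imaps_server(host, port=993, timeout=5):
    """Capture the leaf the server presents, then verify it as a strict client would."""
    report = {"host": host, "port": port}
    grab = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # pass 1: no verification
    grab.check_hostname = False
    grab.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with grab.wrap_socket(raw, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    report["leaf_pem"] = pem
    # Pass 2: platform CA store plus hostname check. The verify message names
    # the reason (self signed certificate, certificate has expired, ...).
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                report["trusted_by_default_store"] = True
                report["cert"] = cert_summary(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        report["trusted_by_default_store"] = False
        report["verify_error"] = exc.verify_message
        # Pass 3: pin the captured leaf as the only trust anchor (what "accept
        # this certificate" in a mail client amounts to) to read its fields.
        # Works for a self-signed leaf; a CA-issued leaf needs its issuer pinned.
        pinned = ssl.create_default_context(cadata=pem)
        pinned.check_hostname = False
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with pinned.wrap_socket(raw, server_hostname=host) as tls:
                    report["cert"] = cert_summary(tls.getpeercert())
        except ssl.SSLError as pin_exc:
            report["pin_error"] = str(pin_exc)
    return report


if __name__ == "__main__":
    import json, sys
    print(json.dumps(parse_ssl_alert(SAMPLE_LOG), indent=2))
    if len(sys.argv) > 1:  # e.g. python3 imaps_check.py mail.example.test
        print(json.dumps(inspect_imaps_server(sys.argv[1]), indent=2))
```

Run it with the server's host name as the argument from a client machine. A report with trusted_by_default_store false and a verify_error such as "self signed certificate" says the server certificate is the one being rejected; a report that is trusted by the platform store while a particular mail client still fails points at that client's separate trust store, which is Christian's explanation above.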
Meikel
2022-Sep-15 07:53 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42) [SOLVED]
Hello,

I switched from self-created SSL certificates to SSL certificates from
Let's Encrypt. For that I configured

    ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
    ssl_key = </etc/letsencrypt/live/...../privkey.pem

and did a restart of Dovecot. That solved the problem.

Regards,
Meikel