Re: Dovecot mail-crypt webmail can't read encrypted messages
> On 14/09/2022 19:34 EEST Serveria Support wrote:
>
> Thanks for your help. Do you know in which folder the keys are stored?
> I'd like to check the permissions...

Some notes here, after reading this thread again:

- Keys are stored in mail_attributes file, which depends on your config, but usually is %h/dovecot-attributes, which means it'll be in user's home directory.
- The key format is Dovecot Dcrypt Key, you can use `doveadm mailbox cryptokey export` to export them in PEM format. Only **global keys** expect PEM formatted keys, which you are not using.
- If you are using mail_crypt_private_password to encrypt the user key, you will need to provide this every time you want to access the user's emails, including using doveadm. Dovecot does not know what password you are using.
- Your logs indicate that you are, still, using master userdb. This will not work. You cannot use master users with per-user encryption passwords in the way you do. If you want to use master users / master password, you must not encrypt the user key.
- You should really focus on reading your logs, because they really do indicate that the userdb_mail_crypt_private_password is not exported anywhere, so clearly and obviously you are not able to access the mails.

Maybe consider removing the master user authentication completely?

Aki
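Aki's last point is a log-reading exercise: the `client passdb out` line in the thread carries only `user=`, so no `userdb_mail_crypt_private_password` ever reaches the mail process. The script below is an added example, not part of the thread or of Dovecot; it decodes the `#011` tab escapes syslog writes into Dovecot's auth debug lines, reports per user whether the mail-crypt password field was exported by the lookup, and counts debug lines that carry the raw SASL response (`resp=`), which for PLAIN encodes the password and should be redacted before a log is shared. The sample log is constructed in the thread's format; the addresses, session id and `resp=` value are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit Dovecot auth debug lines for the
# mail-crypt password field that the userdb/passdb must export, and flag
# debug lines that carry raw client credentials. Dovecot separates auth
# protocol fields with tabs; syslog escapes each tab as "#011", which is why
# the fields are decoded before they are inspected.

# Constructed sample in the thread's format. Addresses, session id and the
# resp= value are placeholders. The second line mirrors the thread's result
# (user= only); the third shows a passdb result that does export the field.
SAMPLE_LOG='Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=SESSIONID#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=BASE64-REDACTED (previous base64 data may contain sensitive data)
Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=alice@example.com
Sep 2 15:25:35 mx dovecot: auth: Debug: client passdb out: OK#0112#011user=bob@example.com#011userdb_mail_crypt_private_password=PLACEHOLDER'

# Turn syslog's "#011" escapes back into tab characters so the auth fields
# can be split on tabs.
decode_tabs() {
    sed "s/#011/$(printf '\t')/g"
}

# For every "client passdb out" line print "<user> exported" when the
# userdb_mail_crypt_private_password field travelled with the result and
# "<user> missing" when it did not. A "missing" user whose key is
# password-protected gets exactly the "Password not available" error
# quoted in the thread.
crypt_password_report() {
    printf '%s\n' "$1" | decode_tabs | grep 'client passdb out:' |
    awk -F '\t' '{
        user = "?"; status = "missing"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/) user = substr($i, 6)
            if ($i ~ /^userdb_mail_crypt_private_password=/) status = "exported"
        }
        print user, status
    }'
}

# Count debug lines carrying the raw SASL response (resp=). For PLAIN that
# value base64-encodes the password, so such lines must be redacted before
# they are pasted into a list or a ticket; Dovecot's own trailer warns of it.
count_credential_lines() {
    printf '%s\n' "$1" | decode_tabs | grep -c 'resp=' || true
}

# Stand-alone run over the constructed sample.
crypt_password_report "$SAMPLE_LOG"
printf 'lines with raw credentials: %s\n' "$(count_credential_lines "$SAMPLE_LOG")"
```

Run against a real `/var/log/maillog` with `auth_debug = yes`, every user whose line reads `missing` will fail to open password-protected keys, whatever the webmail or doveadm does afterwards.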
Re: Panic: file mail-index-transaction-finish.c: line 185
> On 15/09/2022 07:57 EEST Arkadiusz Miśkiewicz wrote:
>
> On 29.12.2021 10:26, Aki Tuomi wrote:
> >
> >> On 29/12/2021 11:20 tobiswo...@gmail.com wrote:
> >>
> >> Hi list
> >>
> >> I have weird issue with my Dovecot 2.3.17.1 (476cd46418)
> >> When deleting a certain amount of messages from my INBOX via my MUA
> >> (Evolution) all over sudden dovecot starts to panic
> >>
> >> Panic: file mail-index-transaction-finish.c: line 185
> >> (mail_index_transaction_get_uid): assertion failed: (seq <= t->view->map->hdr.messages_count)
> >>
> >> imap(REDACTED)<24075>: Error: Raw backtrace:
> >> /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7f09274d4142] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7f09274d424e] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(+0xf72fe) [0x7f09274e22fe] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(+0xf73a1) [0x7f09274e23a1] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0927430e38] ->
>
> I also sometimes see this on 2.3.19.1:
>
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Panic: file mail-index-transaction-finish.c: line 185 (mail_index_transaction_get_uid): assertion failed: (seq <= t->view->map->hdr.messages_count)
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Error: Raw backtrace:
> #0 t_askpass[0x7f16bf8658e0] -> #1 backtrace_append[0x7f16bf865b50] -> #2 backtrace_get[0x7f16bf865cb0] ->
> #3 i_syslog_error_handler[0x7f16bf8727d0] -> #4 i_syslog_fatal_handler[0x7f16bf872900] -> #5 i_panic[0x7f16bf7c62d6] ->
> #6 mail_index_sync_set_corrupted[0x7f16bf996d27] -> #7 mail_transaction_expunge_guid_cmp[0x7f16bfa43fe0] ->
> #8 mail_index_transaction_finish[0x7f16bfa44550] -> #9 mail_index_transaction_unref[0x7f16bfa48c30] ->
> #10 mail_index_transaction_commit_full[0x7f16bfa49110] -> #11 mail_index_transaction_commit[0x7f16bfa491f0] ->
> #12 mail_cache_set_seq_corrupted_reason[0x7f16bf993a4f] -> #13 mail_set_mail_cache_corrupted[0x7f16bf9ae690] ->
> #14 maildir_keywords_idx_char[0x7f16bf9d2a50] -> #15 maildir_keywords_idx_char[0x7f16bf9d2de0] ->
> #16 mail_get_physical_size[0x7f16bf99b770] -> #17 [unw_get_proc_name() failed: -10] ->
> #18 notify_contexts_mail_copy[0x7f16bead94b0] -> #19 notify_plugin_deinit[0x7f16beada440] ->
> #20 quota_plugin_deinit[0x7f16bf4b9350] -> #21 acl_mailbox_right_lookup[0x7f16bf4d7720] ->
> #22 mailbox_save_begin[0x7f16bf9ac880] -> #23 mailbox_copy[0x7f16bf9aca00] -> #24 cmd_close[0x55978a0b0980] ->
> #25 command_exec[0x55978a0bf220] -> #26 client_handle_unfinished_cmd[0x55978a0bd2b0] ->
> #27 client_handle_unfinished_cmd[0x55978a0bd2b0] -> #28 client_handle_unfinished_cmd[0x55978a0bd2b0] ->
> #29 client_handle_input[0x55978a0bd630] -> #30 client_input[0x55978a0bdca0] -> #31 io_loop_call_io[0x7f16bf50] ->
> #32 io_loop_handler_run_internal[0x7f16bf889e90] -> #33 io_loop_handler_run[0x7f16bf888910] ->
> #34 io_loop_run[0x7f16bf888ae0] -> #35 master_service_run[0x7f16bf7fbe70] -> #36 main[0x55978a0ae9f0] ->
> #37 __libc_init_first[0x7f16bf5a34d0] -> #38 __libc_start_main[0x7f16bf5a3580] -> #39 _start[0x55978a0aefa0]
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Fatal: master: service(imap): child 14897 killed with signal 6 (core dumps disabled - https://dovecot.org/bugreport.html#coredumps)
>
> No NFS involved here (linux + xfs).
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

The actual core dump would be useful. The backtrace is nice, but it does not really help figuring out what went wrong in this case.

Aki
Re: Panic: file mail-index-transaction-finish.c: line 185
On 29.12.2021 10:26, Aki Tuomi wrote:
> On 29/12/2021 11:20 tobiswo...@gmail.com wrote:
> >
> > Hi list
> >
> > I have weird issue with my Dovecot 2.3.17.1 (476cd46418)
> > When deleting a certain amount of messages from my INBOX via my MUA
> > (Evolution) all over sudden dovecot starts to panic
> >
> > Panic: file mail-index-transaction-finish.c: line 185
> > (mail_index_transaction_get_uid): assertion failed: (seq <= t->view->map->hdr.messages_count)
> >
> > imap(REDACTED)<24075>: Error: Raw backtrace:
> > /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7f09274d4142] ->
> > /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7f09274d424e] ->
> > /usr/lib64/dovecot/libdovecot.so.0(+0xf72fe) [0x7f09274e22fe] ->
> > /usr/lib64/dovecot/libdovecot.so.0(+0xf73a1) [0x7f09274e23a1] ->
> > /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0927430e38] ->

I also sometimes see this on 2.3.19.1:

Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Panic: file mail-index-transaction-finish.c: line 185 (mail_index_transaction_get_uid): assertion failed: (seq <= t->view->map->hdr.messages_count)
Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Error: Raw backtrace:
#0 t_askpass[0x7f16bf8658e0] -> #1 backtrace_append[0x7f16bf865b50] -> #2 backtrace_get[0x7f16bf865cb0] ->
#3 i_syslog_error_handler[0x7f16bf8727d0] -> #4 i_syslog_fatal_handler[0x7f16bf872900] -> #5 i_panic[0x7f16bf7c62d6] ->
#6 mail_index_sync_set_corrupted[0x7f16bf996d27] -> #7 mail_transaction_expunge_guid_cmp[0x7f16bfa43fe0] ->
#8 mail_index_transaction_finish[0x7f16bfa44550] -> #9 mail_index_transaction_unref[0x7f16bfa48c30] ->
#10 mail_index_transaction_commit_full[0x7f16bfa49110] -> #11 mail_index_transaction_commit[0x7f16bfa491f0] ->
#12 mail_cache_set_seq_corrupted_reason[0x7f16bf993a4f] -> #13 mail_set_mail_cache_corrupted[0x7f16bf9ae690] ->
#14 maildir_keywords_idx_char[0x7f16bf9d2a50] -> #15 maildir_keywords_idx_char[0x7f16bf9d2de0] ->
#16 mail_get_physical_size[0x7f16bf99b770] -> #17 [unw_get_proc_name() failed: -10] ->
#18 notify_contexts_mail_copy[0x7f16bead94b0] -> #19 notify_plugin_deinit[0x7f16beada440] ->
#20 quota_plugin_deinit[0x7f16bf4b9350] -> #21 acl_mailbox_right_lookup[0x7f16bf4d7720] ->
#22 mailbox_save_begin[0x7f16bf9ac880] -> #23 mailbox_copy[0x7f16bf9aca00] -> #24 cmd_close[0x55978a0b0980] ->
#25 command_exec[0x55978a0bf220] -> #26 client_handle_unfinished_cmd[0x55978a0bd2b0] ->
#27 client_handle_unfinished_cmd[0x55978a0bd2b0] -> #28 client_handle_unfinished_cmd[0x55978a0bd2b0] ->
#29 client_handle_input[0x55978a0bd630] -> #30 client_input[0x55978a0bdca0] -> #31 io_loop_call_io[0x7f16bf50] ->
#32 io_loop_handler_run_internal[0x7f16bf889e90] -> #33 io_loop_handler_run[0x7f16bf888910] ->
#34 io_loop_run[0x7f16bf888ae0] -> #35 master_service_run[0x7f16bf7fbe70] -> #36 main[0x55978a0ae9f0] ->
#37 __libc_init_first[0x7f16bf5a34d0] -> #38 __libc_start_main[0x7f16bf5a3580] -> #39 _start[0x55978a0aefa0]
Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> session=, Fatal: master: service(imap): child 14897 killed with signal 6 (core dumps disabled - https://dovecot.org/bugreport.html#coredumps)

No NFS involved here (linux + xfs).

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
Re: Bug report: TLS SNI for LDAP userdb/passdb
On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter wrote:
> Cheers,
>
> Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer
> any hope of salvation, so a bug report it is.
>
> The LDAP connections for userdb/passdb do not support SNI via TLS.
>
> Simple construct to reproduce this:
>
> 0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
> 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem`
> 2.) Try to use ldaps://bar.example.com/ in passdb, receive
> "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
>
> Expectation, of course, would be for this to work; most libraries
> should support it, it's probably just a matter of convincing the
> appropriate binding.
>
> Kind regards,
> -towo

Can you verify with `openssl s_client -connect bar.example.com:ldaps -servername bar.example.com` that the correct cert is served?

---
Aki
Bug report: TLS SNI for LDAP userdb/passdb
Cheers,

Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer any hope of salvation, so a bug report it is.

The LDAP connections for userdb/passdb do not support SNI via TLS.

Simple construct to reproduce this:

0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem`
2.) Try to use ldaps://bar.example.com/ in passdb, receive "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"

Expectation, of course, would be for this to work; most libraries should support it, it's probably just a matter of convincing the appropriate binding.

Kind regards,
-towo
Re: Dovecot mail-crypt webmail can't read encrypted messages
Thanks for your help. Do you know in which folder the keys are stored? I'd like to check the permissions...

On 2022-09-14 18:56, hi@zakaria.website wrote:
> On 2022-09-14 16:04, Serveria Support wrote:
> > Oh, I thought that section is for the global keys. I'm trying to use per-user/per-folder keys. I used this command:
> >
> > doveadm -o plugin/mail_crypt_private_password=xx mailbox cryptokey generate -u u...@mydomain.xyz -URf
> >
> > On 2022-09-14 17:47, hi@zakaria.website wrote:
> > > On 2022-09-14 15:11, Serveria Support wrote:
> > > > How can I set the global private key in conf? I was following the official mail-crypt tutorial. This is what I have in dovecot.conf mail-crypt section:
> > > >
> > > > mail_crypt_curve = secp521r1
> > > > mail_crypt_save_version = 2
> > > > mail_crypt_require_encrypted_user_key = yes
> > > >
> > > > On 2022-09-14 17:23, hi@zakaria.website wrote:
> > > > > On 2022-09-14 14:41, Serveria Support wrote:
> > > > > > Hi,
> > > > > >
> > > > > > This log shows no errors. Running doveadm fetch command gives me this:
> > > > > >
> > > > > > doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX uid=15: read() failed: read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) failed: Private key not available: Cannot decrypt key fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot decrypt key 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: Password not available
> > > > > >
> > > > > > On 2022-09-13 14:43, hi@zakaria.website wrote:
> > > > > > > On 2022-09-02 20:40, Serveria Support wrote:
> > > > > > > > I tried it but it doesn't seem to make any difference at all. Can someone please assist me with reading logs? Does this log below mean Dovecot is trying to use master_user again or simply reading master_user password file?
> > > > > > > >
> > > > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
> > > > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
> > > > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected (pid=900284)
> > > > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > > > > > >
> > > > > > > > Everything ok here?
> > > > > > > >
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV request
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request finished
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=us...@mydomain.xyz
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: master in: REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER request
> > > > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > > > > > Sep 2 15:25:34 mx dovecot:
Re: Dovecot mail-crypt webmail can't read encrypted messages
Oh, I thought that section is for the global keys. I'm trying to use per-user/per-folder keys. I used this command:

doveadm -o plugin/mail_crypt_private_password=xx mailbox cryptokey generate -u u...@mydomain.xyz -URf

On 2022-09-14 17:47, hi@zakaria.website wrote:
> On 2022-09-14 15:11, Serveria Support wrote:
> > How can I set the global private key in conf? I was following the official mail-crypt tutorial. This is what I have in dovecot.conf mail-crypt section:
> >
> > mail_crypt_curve = secp521r1
> > mail_crypt_save_version = 2
> > mail_crypt_require_encrypted_user_key = yes
> >
> > On 2022-09-14 17:23, hi@zakaria.website wrote:
> > > On 2022-09-14 14:41, Serveria Support wrote:
> > > > Hi,
> > > >
> > > > This log shows no errors. Running doveadm fetch command gives me this:
> > > >
> > > > doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX uid=15: read() failed: read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) failed: Private key not available: Cannot decrypt key fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot decrypt key 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: Password not available
> > > >
> > > > On 2022-09-13 14:43, hi@zakaria.website wrote:
> > > > > On 2022-09-02 20:40, Serveria Support wrote:
> > > > > > I tried it but it doesn't seem to make any difference at all. Can someone please assist me with reading logs? Does this log below mean Dovecot is trying to use master_user again or simply reading master_user password file?
> > > > > >
> > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
> > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
> > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected (pid=900284)
> > > > > > Sep 2 15:35:33 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > > > >
> > > > > > Everything ok here?
> > > > > >
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV request
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request finished
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=us...@mydomain.xyz
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: master in: REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
> > > > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER request
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT LOWER(CONCAT(mailbox.storagebasedirectory, '/',
Re: Dovecot mail-crypt webmail can't read encrypted messages
How can I set the global private key in conf? I was following the official mail-crypt tutorial. This is what I have in dovecot.conf mail-crypt section:

mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes

On 2022-09-14 17:23, hi@zakaria.website wrote:
> On 2022-09-14 14:41, Serveria Support wrote:
> > Hi,
> >
> > This log shows no errors. Running doveadm fetch command gives me this:
> >
> > doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX uid=15: read() failed: read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) failed: Private key not available: Cannot decrypt key fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot decrypt key 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: Password not available
> >
> > On 2022-09-13 14:43, hi@zakaria.website wrote:
> > > On 2022-09-02 20:40, Serveria Support wrote:
> > > > I tried it but it doesn't seem to make any difference at all. Can someone please assist me with reading logs? Does this log below mean Dovecot is trying to use master_user again or simply reading master_user password file?
> > > >
> > > > Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
> > > > Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
> > > > Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected (pid=900284)
> > > > Sep 2 15:35:33 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > >
> > > > Everything ok here?
> > > >
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV request
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request finished
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=us...@mydomain.xyz
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: master in: REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
> > > > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER request
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > > > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND
Re: Dovecot mail-crypt webmail can't read encrypted messages
Hi,

This log shows no errors. Running doveadm fetch command gives me this:

doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX uid=15: read() failed: read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) failed: Private key not available: Cannot decrypt key fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot decrypt key 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: Password not available

On 2022-09-13 14:43, hi@zakaria.website wrote:
> On 2022-09-02 20:40, Serveria Support wrote:
> > I tried it but it doesn't seem to make any difference at all. Can someone please assist me with reading logs? Does this log below mean Dovecot is trying to use master_user again or simply reading master_user password file?
> >
> > Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
> > Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
> > Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected (pid=900284)
> > Sep 2 15:35:33 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> >
> > Everything ok here?
> >
> > Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)
> > Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
> > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV request
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
> > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
> > Sep 2 15:25:34 mx dovecot: auth: Debug: auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request finished
> > Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=us...@mydomain.xyz
> > Sep 2 15:25:34 mx dovecot: auth: Debug: master in: REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
> > Sep 2 15:25:34 mx dovecot: auth: Debug: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER request
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished userdb lookup
> > Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
> > Sep 2
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
> cert had an invalid/incorrect hostname

fyi, https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird

...
cert_override.txt
This is an optional file used to store a security exception. It appears to store the host name, thus preventing you from creating a security exception for a rotating SMTP server.
...

for ref, Firefox: How to audit & reset the list of trusted servers/CAs
https://access.redhat.com/solutions/1549043
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hi,

I had the same issue on TB102. Self-Signed certificates rejected despite having the CA installed correctly as authority. Turns out that TB now wants extension "Subject Alt Names". Added that and all works now. Seems another Google pressed issue being introduced (my Chromium had same issues and rejected certs before I added SAN).

Thanks and regards

Goetz R Schultz

>8
Quis custodiet ipsos custodes?

  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \
8<

On 14/09/2022 13:39, Mark Stevens wrote:
> I just ran into something similar with the latest version of TB. I updated our SSL cert for Dovecot but TB could not access my email over port 993. I clicked on file then get new messages for all accounts. TB popped up a warning that the cert had an invalid/incorrect hostname and if I should allow the exception. I allowed the exception which worked and TB is fine now. I only did this because my ssl cert is a wildcard for the domain but does not explicitly list the hostname.
>
> Mark
>
> On 9/14/2022 8:23 AM, Meikel wrote:
> > Hello.
> >
> > On 14.09.2022 at 13:59, Christian Mack wrote:
> > > Sounds to me, as if Thunderbird does not know the CA used to (self) sign that server certificate.
> >
> > Following the documentation at https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 I configured ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot and at least for one installation of Thunderbird it seems to work again now. For the other installations I need to check later at home, but the problem seems to be resolved.
> >
> > Regards, Meikel

>8--
  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \
This message is transmitted on 100% recycled electrons.
>8--
Unsigned message - no responsibility that content is not altered
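Two certificate checks come up in this digest: Goetz's observation that Thunderbird 102 rejects a self-signed certificate with no Subject Alternative Name, Mark's "invalid/incorrect hostname" warning for a wildcard certificate that does not name the host, and, in the LDAP SNI thread, Aki's `openssl s_client ... -servername` check of which certificate a server hands out. The script below is an added example, not code from the thread or from the Dovecot or Mozilla projects; it builds a self-signed test certificate with and without a SAN, reports whether a SAN is present, validates the certificate against a hostname, and wraps Aki's SNI probe. It needs OpenSSL 1.1.1 or newer (for `-addext`); hostnames and paths are placeholders. Note that `openssl verify` still falls back to the CN when no SAN exists, so the SAN check, not the hostname check, is the one that predicts Thunderbird's and Chromium's behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): the certificate checks the digest
# turns on, run locally on a scratch certificate. Needs OpenSSL >= 1.1.1.
# All hostnames and paths are placeholders.

# Self-signed certificate for hostname $1, written to $2/cert.pem, with the
# name in both the CN and a DNS Subject Alternative Name. Prints the path.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2/key.pem" -out "$2/cert.pem" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
    printf '%s\n' "$2/cert.pem"
}

# Same, CN only: what older how-tos produce and what Thunderbird 102 and
# Chromium now reject.
make_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2/key.pem" -out "$2/cert.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
    printf '%s\n' "$2/cert.pem"
}

# "san" if the certificate carries at least one DNS SAN, "no-san" otherwise.
san_status() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:'; then
        echo san
    else
        echo no-san
    fi
}

# "ok" if the certificate validates for hostname $2 with itself as the trust
# anchor (the state after a client has stored it as an exception), "fail"
# otherwise. A wildcard or mis-named certificate fails here with the same
# hostname mismatch Thunderbird reported in the thread.
hostname_check() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Aki's SNI probe from the LDAP thread, wrapped: ask $1:$2 for the
# certificate it serves for server name $3 and print its subject and SANs.
# Needs a live server, so it is not part of the stand-alone run below.
served_cert_for_sni() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -text | grep -E 'subject=|DNS:'
}

# Stand-alone run: build both certificates in a scratch directory and report.
scratch=$(mktemp -d)
mkdir "$scratch/cn"
good=$(make_san_cert imap.example.com "$scratch")
legacy=$(make_cn_only_cert imap.example.com "$scratch/cn")
printf 'SAN cert: %s, valid for imap.example.com: %s, valid for other.example.com: %s\n' \
    "$(san_status "$good")" "$(hostname_check "$good" imap.example.com)" \
    "$(hostname_check "$good" other.example.com)"
printf 'CN-only cert: %s\n' "$(san_status "$legacy")"
rm -rf "$scratch"
```

To check a deployed Dovecot the same way, run `san_status` on the file named by `ssl_cert` and `hostname_check` with the name clients are configured to use; the SNI probe is what tells a front end serving several certificates (the haproxy setup in the bug report) apart from a plain hostname mismatch.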
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
I just ran into something similar with the latest version of TB. I updated our SSL cert for Dovecot but TB could not access my email over port 993. I clicked on File, then "Get new messages for all accounts". TB popped up a warning that the cert had an invalid/incorrect hostname and asked if I should allow the exception. I allowed the exception, which worked, and TB is fine now. I only did this because my SSL cert is a wildcard for the domain but does not explicitly list the hostname.

Mark

On 9/14/2022 8:23 AM, Meikel wrote:
> Hello.
>
> On 14.09.2022 at 13:59, Christian Mack wrote:
>> Sounds to me as if Thunderbird does not know the CA used to (self) sign that server certificate.
>
> Following the documentation at https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 I configured ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot, and at least for one installation of Thunderbird it seems to work again now. For the other installations I need to check later at home, but the problem seems to be resolved.
>
> Regards,
> Meikel
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hello.

On 14.09.2022 at 13:59, Christian Mack wrote:
> Sounds to me as if Thunderbird does not know the CA used to (self) sign that server certificate.

Following the documentation at https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 I configured ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot, and at least for one installation of Thunderbird it seems to work again now. For the other installations I need to check later at home, but the problem seems to be resolved.

Regards,
Meikel
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hello

Sounds to me as if Thunderbird does not know the CA used to (self) sign that server certificate.
As it does not know and trust that server certificate for sending email, it disconnects with that generic error.

Thunderbird has its own trusted CA store, therefore not using the one from the OS (as Claws-Mail does).

Kind regards,
Christian Mack

On 14.09.22 at 13:14, Meikel wrote:
> Hi folks,
>
> on a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there that I want to keep. Since some days, from all Thunderbird instances I can no longer connect to that Dovecot account. In /var/log/maillog of the server I see
>
> Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
>
> I found that OpenSSL alert number 42 might be a problem with the SSL certificate (which certificate?) but also might be an expired SSL certificate (which certificate?). On the Dovecot installation I work with a self-signed certificate. I created a new self-signed certificate yesterday with an expiry not before year 2032. That did not help, I see the same messages when I try to connect from Thunderbird.
>
> Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems, I can access Dovecot via IMAPS as expected.
>
> I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove it, but I think at the beginning of the month it worked fine. Something happened meanwhile.
>
> If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?
>
> About installation:
>
> cat /etc/redhat-release
> Rocky Linux release 8.6 (Green Obsidian)
>
> dovecot --version
> 2.3.16 (7e2e900c1a)
>
> sudo dovecot -n
> # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
> # OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian)
> # Hostname: ...
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> first_valid_uid = 1000
> mail_debug = yes
> mail_gid = vmail
> mail_location = maildir:~/Maildir
> mail_privileged_group = vmail
> mail_uid = vmail
> mbox_write_locks = fcntl
> namespace {
>   inbox = yes
>   location =
>   mailbox Archives {
>     special_use = \Archive
>   }
>   prefix = INBOX/
>   separator = /
>   type = private
> }
> passdb {
>   args = scheme=CRYPT username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
> }
> ssl = required
> ssl_cert =
> ssl_cipher_list = PROFILE=SYSTEM
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> verbose_proctitle = yes
>
> I used the following command to recreate the SSL certificate for Dovecot:
>
> sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/dovecot/..key -out /etc/dovecot/..crt
>
> And with the command
>
> openssl s_client -crlf -connect .:993
>
> I can successfully connect to Dovecot and "simulate" a minimal IMAP session:
>
> * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready
> a login meikel.archive@. topsecret
> a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
> a logout
> * BYE Logging out
> a OK Logout completed (0.001 + 0.000 secs).
> closed
>
> I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).
>
> Regards,
>
> Meikel

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
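An added example, not code from any poster in this thread, that reproduces Goetz's finding offline: it builds a self-signed IMAP certificate the same way as the openssl req command quoted above (once as-is, once with a subjectAltName added via -addext, which needs OpenSSL 1.1.1 or newer), then checks whether the certificate carries a DNS SAN for the host and whether OpenSSL's own hostname verification accepts it. The host name imap.example.test and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the thread): compare a CN-only self-signed cert
# with one that also carries a subjectAltName, as NSS-based clients
# (Thunderbird, Firefox) require.
set -eu

# Hypothetical host name used for the demo certificates.
DEMO_HOST="imap.example.test"

# Generate a key and self-signed cert for DEMO_HOST.
# $1 = key file, $2 = cert file, $3 = "san" to add a DNS subjectAltName,
# anything else (default "nosan") mirrors the thread's command: CN only.
make_cert() {
    key="$1"; crt="$2"; mode="${3:-nosan}"
    if [ "$mode" = "san" ]; then
        openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
            -subj "/CN=$DEMO_HOST" \
            -addext "subjectAltName=DNS:$DEMO_HOST" \
            -keyout "$key" -out "$crt" 2>/dev/null
    else
        openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
            -subj "/CN=$DEMO_HOST" \
            -keyout "$key" -out "$crt" 2>/dev/null
    fi
}

# Print "yes" if cert $1 carries a DNS subjectAltName entry for host $2,
# else "no". This is the property Thunderbird 102 insists on.
cert_has_dns_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# Print "ok" if OpenSSL accepts cert $1 as a self-signed trust anchor for
# host $2, else "fail". Unlike NSS, OpenSSL falls back to the subject CN when
# no SAN is present, so a CN-only cert can still pass this check; that is why
# a successful openssl s_client session does not predict Thunderbird's verdict.
openssl_accepts_for_host() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Build both variants in a scratch directory and print one line per cert.
demo() {
    work=$(mktemp -d)
    make_cert "$work/nosan.key" "$work/nosan.crt" nosan
    make_cert "$work/san.key"   "$work/san.crt"   san
    for c in nosan san; do
        printf '%s: dns_san=%s openssl_verify=%s\n' "$c" \
            "$(cert_has_dns_san "$work/$c.crt" "$DEMO_HOST")" \
            "$(openssl_accepts_for_host "$work/$c.crt" "$DEMO_HOST")"
    done
    rm -rf "$work"
}
```

Run `demo` to see the two results side by side. To check a certificate that is already deployed, point cert_has_dns_san at the file named in ssl_cert with the host name the client connects to; and note that openssl s_client without -verify_hostname, as used in the thread, only reports the verify result and still completes the handshake, so a working s_client session is not evidence that a strict client will accept the certificate.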
Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
On 14.09.22 at 13:14, Meikel wrote:
> Hi folks,
>
> on a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there that I want to keep. Since some days, from all Thunderbird instances I can no longer connect to that Dovecot account. In /var/log/maillog of the server I see
>
> Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
>
> I found that OpenSSL alert number 42 might be a problem with the SSL certificate (which certificate?) but also might be an expired SSL certificate (which certificate?). On the Dovecot installation I work with a self-signed certificate. I created a new self-signed certificate yesterday with an expiry not before year 2032. That did not help, I see the same messages when I try to connect from Thunderbird.
>
> Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems, I can access Dovecot via IMAPS as expected.
>
> I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove it, but I think at the beginning of the month it worked fine. Something happened meanwhile.
>
> If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?
>
> ...
>
> I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).
>
> Regards,
> Meikel

Is this a self-signed certificate? In the past I had issues with Firefox and self-signed certificates on my servers. They worked in Chromium but not Firefox. Mozilla is a bit more niggling about certificates - I'd expect the same engine in Thunderbird. I had an issue with the X509v3 extension in my certificate and one day Firefox didn't accept these certificates any longer.

If this is the case you can either create new certificates or - if this is a workaround for you - accept the certificate in Thunderbird (you might have to import it manually into Thunderbird first and adopt its trust level). I don't like the latter as it needs to be done on every client and might break trust in future.

-- 
Cheers
spi
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account that I use as an archive. Archive means that from different Thunderbird instances I connect to that Dovecot via IMAPS to move emails there that I want to keep. Since some days, from all Thunderbird instances I can no longer connect to that Dovecot account. In /var/log/maillog of the server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, lip=192.168.177.13, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=

I found that OpenSSL alert number 42 might be a problem with the SSL certificate (which certificate?) but also might be an expired SSL certificate (which certificate?). On the Dovecot installation I work with a self-signed certificate. I created a new self-signed certificate yesterday with an expiry not before year 2032. That did not help, I see the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed Claws-Mail. From Claws-Mail I do NOT have those problems, I can access Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer access Dovecot via IMAPS. This worked fine for about 18 months. I can't prove it, but I think at the beginning of the month it worked fine. Something happened meanwhile.

If there is a problem with an SSL certificate (bad certificate: SSL alert number 42), which certificate makes the problem? The certificate used by Dovecot or some certificate used in Thunderbird?

About installation:

cat /etc/redhat-release
Rocky Linux release 8.6 (Green Obsidian)

dovecot --version
2.3.16 (7e2e900c1a)

sudo dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux release 8.6 (Green Obsidian)
# Hostname: ...
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
mail_debug = yes
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = vmail
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  mailbox Archives {
    special_use = \Archive
  }
  prefix = INBOX/
  separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert =

I have the problem with different Thunderbird installations on various operating systems (Windows 10, Fedora Linux 36 XFCE).

Regards,
Meikel