Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-09-14 Thread Aki Tuomi


> On 14/09/2022 19:34 EEST Serveria Support  wrote:
> 
>  
> Thanks for your help. Do you know in which folder the keys are stored? 
> I'd like to check the permissions...
> 


Some notes here, after reading this thread again:

- Keys are stored in mail_attributes file, which depends on your config, but 
usually is %h/dovecot-attributes, which means it'll be in user's home directory.

- The key format is Dovecot Dcrypt Key, you can use `doveadm mailbox cryptokey 
export` to export them in PEM format. Only **global keys** expect PEM formatted 
keys, which you are not using.

- If you are using mail_crypt_private_password to encrypt the user key, you 
will need to provide this every time you want to access the user's emails, 
including using doveadm. Dovecot does not know what password you are using.

- Your logs indicate that you are, still, using master userdb. This will not 
work. You cannot use master users with per-user encryption passwords in the way 
you do. If you want to use master users / master password, you must not encrypt 
the user key. 

- You should really focus on reading your logs, because they really do indicate 
that the userdb_mail_crypt_private_password is not exported anywhere, so 
clearly and obviously you are not able to access the mails.

Maybe consider removing the master user authentication completely?

Aki
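The checks Aki lists above, as an added example that is not part of the thread or of Dovecot's own tooling: a small POSIX shell script that resolves the user's dovecot-attributes file (assuming the default mail_attributes location of %h/dovecot-attributes), checks that the file is readable by its owner only, classifies the log lines quoted earlier in the thread ("Password not available" and the passwd-file /etc/dovecot/dovecot-master-users line), and runs doveadm fetch or doveadm mailbox cryptokey export with the key password passed via -o plugin/mail_crypt_private_password=..., the way the generate command quoted in the thread does. The function names, the password-file argument and the -u/-U argument layout for the export command (mirroring the generate invocation on the page) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: triage helpers for
# a mail-crypt setup that uses per-user keys encrypted with
# mail_crypt_private_password. The doveadm-based functions need a local
# Dovecot instance; check_private_file and classify_log_line run anywhere.

# Path of the user's key store. Assumes the default mail_attributes location
# %h/dovecot-attributes and resolves %h through doveadm.
attr_file_for_user() {
    home=$(doveadm user -f home "$1") || return 1
    printf '%s/dovecot-attributes\n' "$home"
}

# The attributes file holds the user's (encrypted) private key, so it should
# be readable by the mail user only. Uses ls -l rather than stat for
# portability. Returns 0 when group/other bits are clear, 1 otherwise.
check_private_file() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    bits=$(ls -ld "$f" | cut -c5-10)   # rwxrwx for group and other
    if [ "$bits" = "------" ]; then
        echo "ok: $f is owner-only"
        return 0
    fi
    echo "WARN: $f is readable beyond its owner (group/other bits: $bits)"
    return 1
}

# Map the log lines quoted in the thread to a diagnosis. Returns 1 for
# lines it does not recognise. The password pattern is checked first because
# the fetch error on the page contains both phrases.
classify_log_line() {
    case "$1" in
        *"Password not available"*)
            echo "key-password-missing: the user key is encrypted and no mail_crypt_private_password reached this process" ;;
        *"Private key not available"*)
            echo "private-key-missing: no usable private key for this user or folder" ;;
        *"passwd-file /etc/dovecot/dovecot-master-users"*)
            echo "master-userdb-in-use: master users are loaded; not usable together with per-user encrypted keys" ;;
        *)
            return 1 ;;
    esac
}

# Run doveadm fetch with the key password supplied as the thread's generate
# command does (-o plugin/mail_crypt_private_password=...). The password is
# read from a file instead of being typed on the command line.
# Usage: fetch_with_key_password user /path/to/pwfile mailbox INBOX uid 15
fetch_with_key_password() {
    user="$1"; pwfile="$2"; shift 2
    pw=$(cat "$pwfile") || return 1
    doveadm -o "plugin/mail_crypt_private_password=$pw" fetch -u "$user" text "$@"
}

# Export the user key pair in PEM form (Dovecot stores it in its own Dcrypt
# format). Assumes the same -u/-U flags as the generate command on the page.
export_user_key() {
    pw=$(cat "$2") || return 1
    doveadm -o "plugin/mail_crypt_private_password=$pw" mailbox cryptokey export -u "$1" -U
}

main() {
    cmd="$1"; shift
    case "$cmd" in
        attr-file)   attr_file_for_user "$1" ;;
        check-perms) f=$(attr_file_for_user "$1") && check_private_file "$f" ;;
        classify)    classify_log_line "$1" ;;
        fetch)       fetch_with_key_password "$@" ;;
        export-key)  export_user_key "$1" "$2" ;;
        *) echo "usage: $0 attr-file|check-perms|classify|fetch|export-key ..." >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Reading the password from a 0600 file keeps it out of shell history, but it is still visible in the argument list of the doveadm process while the command runs, so use this on a host where that is acceptable. Only check_private_file and classify_log_line can be exercised without a running Dovecot.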


Re: Panic: file mail-index-transaction-finish.c: line 185

2022-09-14 Thread Aki Tuomi


> On 15/09/2022 07:57 EEST Arkadiusz Miśkiewicz  wrote:
> 
>  
> On 29.12.2021 10:26, Aki Tuomi wrote:
> > 
> >> On 29/12/2021 11:20 tobiswo...@gmail.com wrote:
> >>
> >>   
> >> Hi list
> >>
> >> I have a weird issue with my Dovecot 2.3.17.1 (476cd46418)
> >> When deleting a certain amount of messages from my INBOX via my MUA
> >> (Evolution) all of a sudden dovecot starts to panic
> >>
> >> Panic: file mail-index-transaction-finish.c: line 185
> >> (mail_index_transaction_get_uid): assertion failed: (seq <= t->view-
> >>> map->hdr.messages_count)
> >>
> >> imap(REDACTED)<24075>: Error: Raw backtrace:
> >> /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42)
> >> [0x7f09274d4142] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7f09274d424e]
> >> -> /usr/lib64/dovecot/libdovecot.so.0(+0xf72fe) [0x7f09274e22fe] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(+0xf73a1) [0x7f09274e23a1] ->
> >> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0927430e38] ->
> 
> I also sometimes see this on 2.3.19.1:
> 
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
> session=, Panic: file mail-index-transaction-finish.c: 
> line 185 (mail_index_transaction_get_uid): assertion failed: (seq <= 
> t->view->map->hdr.messages_count)
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
> session=, Error: Raw backtrace: #0 
> t_askpass[0x7f16bf8658e0] -> #1 backtrace_append[0x7f16bf865b50] -> #2 
> backtrace_get[0x7f16bf865cb0] -> #3 
> i_syslog_error_handler[0x7f16bf8727d0] -> #4 
> i_syslog_fatal_handler[0x7f16bf872900] -> #5 i_panic[0x7f16bf7c62d6] -> 
> #6 mail_index_sync_set_corrupted[0x7f16bf996d27] -> #7 
> mail_transaction_expunge_guid_cmp[0x7f16bfa43fe0] -> #8 
> mail_index_transaction_finish[0x7f16bfa44550] -> #9 
> mail_index_transaction_unref[0x7f16bfa48c30] -> #10 
> mail_index_transaction_commit_full[0x7f16bfa49110] -> #11 
> mail_index_transaction_commit[0x7f16bfa491f0] -> #12 
> mail_cache_set_seq_corrupted_reason[0x7f16bf993a4f] -> #13 
> mail_set_mail_cache_corrupted[0x7f16bf9ae690] -> #14 
> maildir_keywords_idx_char[0x7f16bf9d2a50] -> #15 
> maildir_keywords_idx_char[0x7f16bf9d2de0] -> #16 
> mail_get_physical_size[0x7f16bf99b770] -> #17 [unw_get_proc_name() 
> failed: -10] -> #18 notify_contexts_mail_copy[0x7f16bead94b0] -> #19 
> notify_plugin_deinit[0x7f16beada440] -> #20 
> quota_plugin_deinit[0x7f16bf4b9350] -> #21 
> acl_mailbox_right_lookup[0x7f16bf4d7720] -> #22 
> mailbox_save_begin[0x7f16bf9ac880] -> #23 mailbox_copy[0x7f16bf9aca00] 
> -> #24 cmd_close[0x55978a0b0980] -> #25 command_exec[0x55978a0bf220] -> 
> #26 client_handle_unfinished_cmd[0x55978a0bd2b0] -> #27 
> client_handle_unfinished_cmd[0x55978a0bd2b0] -> #28 
> client_handle_unfinished_cmd[0x55978a0bd2b0] -> #29 
> client_handle_input[0x55978a0bd630] -> #30 client_input[0x55978a0bdca0] 
> -> #31 io_loop_call_io[0x7f16bf50] -> #32 
> io_loop_handler_run_internal[0x7f16bf889e90] -> #33 
> io_loop_handler_run[0x7f16bf888910] -> #34 io_loop_run[0x7f16bf888ae0] 
> -> #35 master_service_run[0x7f16bf7fbe70] -> #36 main[0x55978a0ae9f0] -> 
> #37 __libc_init_first[0x7f16bf5a34d0] -> #38 
> __libc_start_main[0x7f16bf5a3580] -> #39 _start[0x55978a0aefa0]
> Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
> session=, Fatal: master: service(imap): child 14897 
> killed with signal 6 (core dumps disabled - 
> https://dovecot.org/bugreport.html#coredumps)
> 
> No NFS involved here (linux + xfs).
> 
> 
> -- 
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

The actual core dump would be useful. The backtrace is nice, but it does not 
really help figuring out what went wrong in this case.

Aki


Re: Panic: file mail-index-transaction-finish.c: line 185

2022-09-14 Thread Arkadiusz Miśkiewicz

On 29.12.2021 10:26, Aki Tuomi wrote:



On 29/12/2021 11:20 tobiswo...@gmail.com wrote:

  
Hi list


I have a weird issue with my Dovecot 2.3.17.1 (476cd46418)
When deleting a certain amount of messages from my INBOX via my MUA
(Evolution) all of a sudden dovecot starts to panic

Panic: file mail-index-transaction-finish.c: line 185
(mail_index_transaction_get_uid): assertion failed: (seq <= t->view-

map->hdr.messages_count)


imap(REDACTED)<24075>: Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42)
[0x7f09274d4142] ->
/usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7f09274d424e]
-> /usr/lib64/dovecot/libdovecot.so.0(+0xf72fe) [0x7f09274e22fe] ->
/usr/lib64/dovecot/libdovecot.so.0(+0xf73a1) [0x7f09274e23a1] ->
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0927430e38] ->


I also sometimes see this on 2.3.19.1:

Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
session=, Panic: file mail-index-transaction-finish.c: 
line 185 (mail_index_transaction_get_uid): assertion failed: (seq <= 
t->view->map->hdr.messages_count)
Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
session=, Error: Raw backtrace: #0 
t_askpass[0x7f16bf8658e0] -> #1 backtrace_append[0x7f16bf865b50] -> #2 
backtrace_get[0x7f16bf865cb0] -> #3 
i_syslog_error_handler[0x7f16bf8727d0] -> #4 
i_syslog_fatal_handler[0x7f16bf872900] -> #5 i_panic[0x7f16bf7c62d6] -> 
#6 mail_index_sync_set_corrupted[0x7f16bf996d27] -> #7 
mail_transaction_expunge_guid_cmp[0x7f16bfa43fe0] -> #8 
mail_index_transaction_finish[0x7f16bfa44550] -> #9 
mail_index_transaction_unref[0x7f16bfa48c30] -> #10 
mail_index_transaction_commit_full[0x7f16bfa49110] -> #11 
mail_index_transaction_commit[0x7f16bfa491f0] -> #12 
mail_cache_set_seq_corrupted_reason[0x7f16bf993a4f] -> #13 
mail_set_mail_cache_corrupted[0x7f16bf9ae690] -> #14 
maildir_keywords_idx_char[0x7f16bf9d2a50] -> #15 
maildir_keywords_idx_char[0x7f16bf9d2de0] -> #16 
mail_get_physical_size[0x7f16bf99b770] -> #17 [unw_get_proc_name() 
failed: -10] -> #18 notify_contexts_mail_copy[0x7f16bead94b0] -> #19 
notify_plugin_deinit[0x7f16beada440] -> #20 
quota_plugin_deinit[0x7f16bf4b9350] -> #21 
acl_mailbox_right_lookup[0x7f16bf4d7720] -> #22 
mailbox_save_begin[0x7f16bf9ac880] -> #23 mailbox_copy[0x7f16bf9aca00] 
-> #24 cmd_close[0x55978a0b0980] -> #25 command_exec[0x55978a0bf220] -> 
#26 client_handle_unfinished_cmd[0x55978a0bd2b0] -> #27 
client_handle_unfinished_cmd[0x55978a0bd2b0] -> #28 
client_handle_unfinished_cmd[0x55978a0bd2b0] -> #29 
client_handle_input[0x55978a0bd630] -> #30 client_input[0x55978a0bdca0] 
-> #31 io_loop_call_io[0x7f16bf50] -> #32 
io_loop_handler_run_internal[0x7f16bf889e90] -> #33 
io_loop_handler_run[0x7f16bf888910] -> #34 io_loop_run[0x7f16bf888ae0] 
-> #35 master_service_run[0x7f16bf7fbe70] -> #36 main[0x55978a0ae9f0] -> 
#37 __libc_init_first[0x7f16bf5a34d0] -> #38 
__libc_start_main[0x7f16bf5a3580] -> #39 _start[0x55978a0aefa0]
Sep 15 05:05:43 mbox dovecot: imap(marek): pid=<14897> 
session=, Fatal: master: service(imap): child 14897 
killed with signal 6 (core dumps disabled - 
https://dovecot.org/bugreport.html#coredumps)


No NFS involved here (linux + xfs).


--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



Re: Bug report: TLS SNI for LDAP userdb/passdb

2022-09-14 Thread Aki Tuomi



On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter  
wrote:
>Cheers,
>
>Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer
>any hope of salvation, so a bug report it is.
>
>The LDAP connections for userdb/passdb do not support SNI via TLS.
>
>Simple construct to reproduce this:
>
>0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
>1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl 
>crt /foo/b.pem`
>2.) Try to use ldaps://bar.example.com/ in passdb, receive
>"auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
>
>Expectation, of course, would be for this to work; most libraries
>should support it, it's probably just a matter of convincing the
>appropriate binding.
>
>Kind regards,
>-towo

Can you verify with

openssl s_client -connect bar.example.com:ldaps -servername bar.example.com

that correct cert is served?

---
Aki


Bug report: TLS SNI for LDAP userdb/passdb

2022-09-14 Thread Tobias Wolter
Cheers,

Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer
any hope of salvation, so a bug report it is.

The LDAP connections for userdb/passdb do not support SNI via TLS.

Simple construct to reproduce this:

0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl 
crt /foo/b.pem`
2.) Try to use ldaps://bar.example.com/ in passdb, receive
"auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"

Expectation, of course, would be for this to work; most libraries
should support it, it's probably just a matter of convincing the
appropriate binding.

Kind regards,
-towo



Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-09-14 Thread Serveria Support
Thanks for your help. Do you know in which folder the keys are stored? 
I'd like to check the permissions...


On 2022-09-14 18:56, hi@zakaria.website wrote:

On 2022-09-14 16:04, Serveria Support wrote:
Oh, I thought that section is for the global keys. I'm trying to use 
per-user/per-folder keys. I used this command:


doveadm -o plugin/mail_crypt_private_password=xx mailbox 
cryptokey generate -u u...@mydomain.xyz -URf




On 2022-09-14 17:47, hi@zakaria.website wrote:

On 2022-09-14 15:11, Serveria Support wrote:
How can I set the global private key in conf? I was following the 
official mail-crypt tutorial. This is what I have in dovecot.conf 
mail-crypt section:


mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes



On 2022-09-14 17:23, hi@zakaria.website wrote:

On 2022-09-14 14:41, Serveria Support wrote:

Hi,

This log shows no errors. Running doveadm fetch command gives me 
this:


doveadm(u...@mydomain.xyz): Error: fetch(text) failed for 
box=INBOX uid=15: read() failed: 
read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) 
failed: Private key not available: Cannot decrypt key 
fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: 
Cannot decrypt key 
10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: 
Password not available


On 2022-09-13 14:43, hi@zakaria.website wrote:

On 2022-09-02 20:40, Serveria Support wrote:

I tried it but it doesn't seem to make any difference at all.

Can someone please assist me with reading logs? Does this log 
below mean Dovecot is trying to use master_user again or simply 
reading master_user password file?


Sep  2 15:35:33 mx dovecot: auth: Debug: Read auth token secret 
from /run/dovecot/auth-token-secret.dat
Sep  2 15:35:33 mx dovecot: auth: Debug: passwd-file 
/etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Sep  2 15:35:33 mx dovecot: auth: Debug: auth client connected 
(pid=900284)
Sep  2 15:35:33 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)


Everything ok here?

Sep  2 15:25:34 mx dovecot: auth: Debug: auth client connected 
(pid=899859)
Sep  2 15:25:34 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling 
PASSV request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: 
SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain 
WHERE mailbox.username='us...@mydomain.xyz' AND 
mailbox.`enableimaptls`=1 AND mailbox.active=1 AND 
mailbox.domain=domain.domain AND domain.backupmx=0 AND 
domain.active=1
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth: Debug: 
auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth 
request finished
Sep  2 15:25:34 mx dovecot: auth: Debug: client passdb out: 
OK#0111#011user=us...@mydomain.xyz
Sep  2 15:25:34 mx dovecot: auth: Debug: master in: 
REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling 
USER request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: 

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-09-14 Thread Serveria Support
Oh, I thought that section is for the global keys. I'm trying to use 
per-user/per-folder keys. I used this command:


doveadm -o plugin/mail_crypt_private_password=xx mailbox 
cryptokey generate -u u...@mydomain.xyz -URf




On 2022-09-14 17:47, hi@zakaria.website wrote:

On 2022-09-14 15:11, Serveria Support wrote:
How can I set the global private key in conf? I was following the 
official mail-crypt tutorial. This is what I have in dovecot.conf 
mail-crypt section:


mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes



On 2022-09-14 17:23, hi@zakaria.website wrote:

On 2022-09-14 14:41, Serveria Support wrote:

Hi,

This log shows no errors. Running doveadm fetch command gives me 
this:


doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX 
uid=15: read() failed: 
read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) 
failed: Private key not available: Cannot decrypt key 
fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: 
Cannot decrypt key 
10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: 
Password not available


On 2022-09-13 14:43, hi@zakaria.website wrote:

On 2022-09-02 20:40, Serveria Support wrote:

I tried it but it doesn't seem to make any difference at all.

Can someone please assist me with reading logs? Does this log 
below mean Dovecot is trying to use master_user again or simply 
reading master_user password file?


Sep  2 15:35:33 mx dovecot: auth: Debug: Read auth token secret 
from /run/dovecot/auth-token-secret.dat
Sep  2 15:35:33 mx dovecot: auth: Debug: passwd-file 
/etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Sep  2 15:35:33 mx dovecot: auth: Debug: auth client connected 
(pid=900284)
Sep  2 15:35:33 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)


Everything ok here?

Sep  2 15:25:34 mx dovecot: auth: Debug: auth client connected 
(pid=899859)
Sep  2 15:25:34 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling 
PASSV request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: 
SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain 
WHERE mailbox.username='us...@mydomain.xyz' AND 
mailbox.`enableimaptls`=1 AND mailbox.active=1 AND 
mailbox.domain=domain.domain AND domain.backupmx=0 AND 
domain.active=1
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth: Debug: 
auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth 
request finished
Sep  2 15:25:34 mx dovecot: auth: Debug: client passdb out: 
OK#0111#011user=us...@mydomain.xyz
Sep  2 15:25:34 mx dovecot: auth: Debug: master in: 
REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling 
USER request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT 
LOWER(CONCAT(mailbox.storagebasedirectory, '/', 

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-09-14 Thread Serveria Support
How can I set the global private key in conf? I was following the 
official mail-crypt tutorial. This is what I have in dovecot.conf 
mail-crypt section:


mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes



On 2022-09-14 17:23, hi@zakaria.website wrote:

On 2022-09-14 14:41, Serveria Support wrote:

Hi,

This log shows no errors. Running doveadm fetch command gives me this:

doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX 
uid=15: read() failed: 
read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) 
failed: Private key not available: Cannot decrypt key 
fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: 
Cannot decrypt key 
10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: 
Password not available


On 2022-09-13 14:43, hi@zakaria.website wrote:

On 2022-09-02 20:40, Serveria Support wrote:

I tried it but it doesn't seem to make any difference at all.

Can someone please assist me with reading logs? Does this log below 
mean Dovecot is trying to use master_user again or simply reading 
master_user password file?


Sep  2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from 
/run/dovecot/auth-token-secret.dat
Sep  2 15:35:33 mx dovecot: auth: Debug: passwd-file 
/etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Sep  2 15:35:33 mx dovecot: auth: Debug: auth client connected 
(pid=900284)
Sep  2 15:35:33 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)


Everything ok here?

Sep  2 15:25:34 mx dovecot: auth: Debug: auth client connected 
(pid=899859)
Sep  2 15:25:34 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling 
PASSV request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT 
mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE 
mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 
AND mailbox.active=1 AND mailbox.domain=domain.domain AND 
domain.backupmx=0 AND domain.active=1
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth: Debug: 
auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request 
finished
Sep  2 15:25:34 mx dovecot: auth: Debug: client passdb out: 
OK#0111#011user=us...@mydomain.xyz
Sep  2 15:25:34 mx dovecot: auth: Debug: master in: 
REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER 
request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT 
LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, 
'/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', 
mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', 
mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE 
mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 
AND mailbox.active=1 AND mailbox.domain=domain.domain AND 

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-09-14 Thread Serveria Support

Hi,

This log shows no errors. Running doveadm fetch command gives me this:

doveadm(u...@mydomain.xyz): Error: fetch(text) failed for box=INBOX 
uid=15: read() failed: 
read(/var/vmail/vmail1/mydomain.xyz/a/b/d/-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) 
failed: Private key not available: Cannot decrypt key 
fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot 
decrypt key 
10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: 
Password not available


On 2022-09-13 14:43, hi@zakaria.website wrote:

On 2022-09-02 20:40, Serveria Support wrote:

I tried it but it doesn't seem to make any difference at all.

Can someone please assist me with reading logs? Does this log below 
mean Dovecot is trying to use master_user again or simply reading 
master_user password file?


Sep  2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from 
/run/dovecot/auth-token-secret.dat
Sep  2 15:35:33 mx dovecot: auth: Debug: passwd-file 
/etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Sep  2 15:35:33 mx dovecot: auth: Debug: auth client connected 
(pid=900284)
Sep  2 15:35:33 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)


Everything ok here?

Sep  2 15:25:34 mx dovecot: auth: Debug: auth client connected 
(pid=899859)
Sep  2 15:25:34 mx dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
(previous base64 data may contain sensitive data)
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV 
request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
passdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT 
mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE 
mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 
AND mailbox.active=1 AND mailbox.domain=domain.domain AND 
domain.backupmx=0 AND domain.active=1
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb 
lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb 
lookup
Sep  2 15:25:34 mx dovecot: auth: Debug: 
auth(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request 
finished
Sep  2 15:25:34 mx dovecot: auth: Debug: client passdb out: 
OK#0111#011user=us...@mydomain.xyz
Sep  2 15:25:34 mx dovecot: auth: Debug: master in: 
REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
Sep  2 15:25:34 mx dovecot: auth: Debug: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER 
request
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing 
userdb lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT 
LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, 
'/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', 
mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', 
mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE 
mailbox.username='us...@mydomain.xyz' AND mailbox.`enableimaptls`=1 
AND mailbox.active=1 AND mailbox.domain=domain.domain AND 
domain.backupmx=0 AND domain.active=1
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
sql(us...@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished userdb 
lookup
Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
Sep  2 

Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread PGNet Dev
cert had an invalid/incorrect hostname 



fyi,


https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
...
cert_override.txt
This is an optional file used to store a security 
exception. It appears to store the host name , thus preventing you from 
creating a security exception for a rotating SMTP server.
...

for ref,

Firefox: How to audit & reset the list of trusted servers/CAs
 https://access.redhat.com/solutions/1549043


Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Goetz Schultz

Hi,

I had the same issue on TB102. Self-signed certificates rejected despite 
having the CA installed correctly as authority. Turns out that 
TB now wants the extension "Subject Alt Names". Added that and all works 
now. Seems another Google-pressed issue being introduced (my Chromium 
had the same issues and rejected certs before I added SAN).


Thanks and regards

  Goetz R Schultz

>8
Quis custodiet ipsos custodes?
  /"\
  \ /  ASCII Ribbon Campaign
   X   against HTML e-mail
  / \
8<

On 14/09/2022 13:39, Mark Stevens wrote:

I just ran into something similar with the latest version of TB.
I updated our SSL cert for Dovecot but TB could not access my email over 
port 993.
I clicked on file then get new messages for all accounts. TB popped up a 
warning that the cert had an invalid/incorrect hostname and if I should 
allow the exception. I allowed the exception which worked and TB is fine 
now.
I only did this because my ssl cert is a wildcard for the domain but 
does not explicitly list the hostname.


Mark

On 9/14/2022 8:23 AM, Meikel wrote:

Hello.

Am 14.09.2022 um 13:59 schrieb Christian Mack:

Sound to me, as if Thunderbird does not know the CA used to (self) sign
that server certificate.


Following the documentation at

https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 



I configured

ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot and 
at least for one installation of Thunderbird it seems to work again 
now. For the other installations I need to check later at home, but 
the problem seems to be resolved.


Regards,

Meikel




>8--

 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML e-mail
 / \ 


  This message is transmitted on 100% recycled electrons.

>8--
Unsigned message - no responsibility that content is not altered


Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Mark Stevens

I just ran into something similar with the latest version of TB.
I updated our SSL cert for Dovecot but TB could not access my email over 
port 993.
I clicked on file then get new messages for all accounts. TB popped up a 
warning that the cert had an invalid/incorrect hostname and if I should 
allow the exception. I allowed the exception which worked and TB is fine 
now.
I only did this because my ssl cert is a wildcard for the domain but 
does not explicitly list the hostname.


Mark

On 9/14/2022 8:23 AM, Meikel wrote:

Hello.

Am 14.09.2022 um 13:59 schrieb Christian Mack:

Sound to me, as if Thunderbird does not know the CA used to (self) sign
that server certificate.


Following the documentation at

https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 



I configured

ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot and 
at least for one installation of Thunderbird it seems to work again 
now. For the other installations I need to check later at home, but 
the problem seems to be resolved.


Regards,

Meikel


Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Meikel

Hello.

Am 14.09.2022 um 13:59 schrieb Christian Mack:

Sound to me, as if Thunderbird does not know the CA used to (self) sign
that server certificate.


Following the documentation at

https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921

I configured

ssl_cert = to my Let's Encrypt SSL certificates and did a restart of Dovecot and 
at least for one installation of Thunderbird it seems to work again now. 
For the other installations I need to check later at home, but the 
problem seems to be resolved.


Regards,

Meikel


Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Christian Mack
Hello

Sounds to me, as if Thunderbird does not know the CA used to (self) sign
that server certificate.
As it does not know and trust that server certificate for sending email,
it disconnects with that generic error.
Thunderbird has its own trusted CA store, therefore not using the one
from the OS (as Claws-Mail does).


Kind regards,
Christian Mack

Am 14.09.22 um 13:14 schrieb Meikel:
> Hi folks,
> 
> on a Rocky Linux 8.6 based home server I run Dovecot with an account
> that I use as an archive. Archive means, that from different Thunderbird
> instances I connect to that Dovecot via IMAPS to move emails there, that
> I want to keep. Since some days from all Thunderbird instances I can no
> longer connect to that Dovecot account. In /var/log/maillog of the
> server I see
> 
> Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected:
> Connection closed: SSL_accept() failed: error:14094412:SSL
> routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number
> 42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105,
> lip=192.168.177.13, TLS handshaking: SSL_accept() failed:
> error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:
> SSL alert number 42, session=
> 
> I found that Openssl alert number 42 might be a problem with the SSL
> certificate (which certificate?) but also might be an expired SSL
> certificate (which certificate?). As on the Dovecot installation I work
> with a self signed certificate. I created a new self signed certificate
> yesterday with an expiry not before year 2032. That did not help, I see
> the same messages when I try to connect from Thunderbird.
> 
> Just to see how Thunderbird is involved in the problem I installed
> Claws-Mail. From Claws-Mail I do NOT have those problems, I can access
> to Dovecot via IMAPS as expected.
> 
> I do not understand why all my Thunderbird installations can no longer
> access Dovecot via IMAPS. This worked fine for about 18 months. I can't
> prove but I think on beginning of month it worked fine. Something
> happened meanwhile.
> 
> If there is a problem with an SSL certificate (bad certificate: SSL
> alert number 42), which certificate makes the problem? The certificate
> used by Dovecot or some certificate used in Thunderbird?
> 
> About installation:
> 
> cat /etc/redhat-release
> Rocky Linux release 8.6 (Green Obsidian)
> 
> dovecot --version
> 2.3.16 (7e2e900c1a)
> 
> sudo dovecot -n
> # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
> # OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux
>  release 8.6 (Green Obsidian)
> # Hostname: ...
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> first_valid_uid = 1000
> mail_debug = yes
> mail_gid = vmail
> mail_location = maildir:~/Maildir
> mail_privileged_group = vmail
> mail_uid = vmail
> mbox_write_locks = fcntl
> namespace {
>   inbox = yes
>   location =
>   mailbox Archives {
>     special_use = \Archive
>   }
>   prefix = INBOX/
>   separator = /
>   type = private
> }
> passdb {
>   args = scheme=CRYPT username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
> }
> ssl = required
> ssl_cert =  ssl_cipher_list = PROFILE=SYSTEM
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> 
> I used the following command to recreate the SSL certificate for Dovecot:
> 
> sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096
>  -keyout /etc/dovecot/..key -out /etc/dovecot/..crt
> 
> And with the command
> 
> openssl s_client -crlf -connect .:993
> 
> I can successfully connect to Dovecot and "simulate" a minimal
> IMAP-Session:
> 
> * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
>  IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready
> a login meikel.archive@. topsecret
> a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
>  IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
>  THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
>  UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED
>  I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
>  WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE
>  SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY
>  SPECIAL-USE] Logged in
> a logout
> * BYE Logging out
> a OK Logout completed (0.001 + 0.000 secs).
> closed
> 
> I have the problem with different Thunderbird installations on various
> operating systems (Windows 10, Fedora Linux 36 XFCE).
> 
> Regards,
> 
> Meikel
> 


-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)

Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread spi


Am 14.09.22 um 13:14 schrieb Meikel:

Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account
that I use as an archive. Archive means, that from different
Thunderbird instances I connect to that Dovecot via IMAPS to move
emails there, that I want to keep. Since some days from all
Thunderbird instances I can no longer connect to that Dovecot account.
In /var/log/maillog of the server I see

Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected:
Connection closed: SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105,
lip=192.168.177.13, TLS handshaking: SSL_accept() failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate: SSL alert number 42, session=

I found that Openssl alert number 42 might be a problem with the SSL
certificate (which certificate?) but also might be an expired SSL
certificate (which certificate?). As on the Dovecot installation I
work with a self signed certificate. I created a new self signed
certificate yesterday with an expiry not before year 2032. That did
not help, I see the same messages when I try to connect from Thunderbird.

Just to see how Thunderbird is involved in the problem I installed
Claws-Mail. From Claws-Mail I do NOT have those problems, I can access
to Dovecot via IMAPS as expected.

I do not understand why all my Thunderbird installations can no longer
access Dovecot via IMAPS. This worked fine for about 18 months. I
can't prove but I think on beginning of month it worked fine.
Something happened meanwhile.

If there is a problem with an SSL certificate (bad certificate: SSL
alert number 42), which certificate makes the problem? The certificate
used by Dovecot or some certificate used in Thunderbird?

...
I have the problem with different Thunderbird installations on various
operating systems (Windows 10, Fedora Linux 36 XFCE).

Regards,

Meikel


Is this a self signed certificate? In the past I had issues with Firefox
and self signed certificates on my servers. They worked in Chromium but
not Firefox. Mozilla is a bit more niggling about certificates - I'd
expect the same engine in Thunderbird. I had an issue with the X509v3
extension in my certificate and one day Firefox didn't accept these
certificates any longer.

If this is the case you can either create new certificates or - if this
is a workaround for you - accept the certificate in Thunderbird (you
might have to import it manually into Thunderbird first and adopt its
trust level). I don't like the latter as it needs to be done on every
client and might break trust in future.

--
Cheers
spi
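The fix Goetz and spi describe above (Thunderbird 102 rejecting a certificate whose hostname is only in the CN, with no X509v3 subjectAltName), as an added shell example that is not part of this thread: regenerate the self-signed Dovecot certificate with a SAN and check the extension before deploying it. The hostname mail.example.test and the file paths are placeholders; `-addext` needs OpenSSL 1.1.1 or newer (Rocky 8 ships 1.1.1).

```shell
#!/bin/sh
# Added example, not from the thread. Self-signed cert for Dovecot with a
# subjectAltName, plus checks that the extension really is present.
set -eu

# Same openssl req call as in the original post, with -subj and -addext added
# so the certificate carries the hostname as a DNS SAN, not only as CN.
gen_cert() {
    host=$1 key=$2 crt=$3
    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$key" -out "$crt" 2>/dev/null
}

# Print the SAN entries of a certificate file ("DNS:a, DNS:b");
# prints nothing when the extension is missing.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/^ *DNS:/DNS:/p'
}

# Return 0 if the certificate lists the given hostname as a DNS SAN, 1 otherwise.
san_covers_host() {
    cert_san "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# Live check against a running imaps listener (port 993, as in the post's
# s_client step): show the SAN of the certificate the server actually serves.
served_cert_san() {
    openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    gen_cert mail.example.test "$tmp/dovecot.key" "$tmp/dovecot.crt"
    cert_san "$tmp/dovecot.crt"      # prints DNS:mail.example.test
    rm -rf "$tmp"
fi
```

Run with `sh script.sh demo` to generate a throwaway certificate and print its SAN; point `ssl_cert`/`ssl_key` at the generated files and restart Dovecot to use it.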


Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-14 Thread Meikel

Hi folks,

on a Rocky Linux 8.6 based home server I run Dovecot with an account 
that I use as an archive. Archive means, that from different Thunderbird 
instances I connect to that Dovecot via IMAPS to move emails there, that 
I want to keep. Since some days from all Thunderbird instances I can no 
longer connect to that Dovecot account. In /var/log/maillog of the 
server I see


Sep 14 06:39:54 server3 dovecot[2033173]: imap-login: Disconnected: 
Connection closed: SSL_accept() failed: error:14094412:SSL 
routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 
42 (no auth attempts in 0 secs): user=<>, rip=192.168.177.105, 
lip=192.168.177.13, TLS handshaking: SSL_accept() failed: 
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: 
SSL alert number 42, session=


I found that Openssl alert number 42 might be a problem with the SSL 
certificate (which certificate?) but also might be an expired SSL 
certificate (which certificate?). As on the Dovecot installation I work 
with a self signed certificate. I created a new self signed certificate 
yesterday with an expiry not before year 2032. That did not help, I see 
the same messages when I try to connect from Thunderbird.


Just to see how Thunderbird is involved in the problem I installed 
Claws-Mail. From Claws-Mail I do NOT have those problems, I can access 
to Dovecot via IMAPS as expected.


I do not understand why all my Thunderbird installations can no longer 
access Dovecot via IMAPS. This worked fine for about 18 months. I can't 
prove but I think on beginning of month it worked fine. Something 
happened meanwhile.


If there is a problem with an SSL certificate (bad certificate: SSL 
alert number 42), which certificate makes the problem? The certificate 
used by Dovecot or some certificate used in Thunderbird?


About installation:

cat /etc/redhat-release
Rocky Linux release 8.6 (Green Obsidian)

dovecot --version
2.3.16 (7e2e900c1a)

sudo dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-372.19.1.el8_6.x86_64 x86_64 Rocky Linux
 release 8.6 (Green Obsidian)
# Hostname: ...
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
mail_debug = yes
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = vmail
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  mailbox Archives {
special_use = \Archive
  }
  prefix = INBOX/
  separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
port = 0
  }
}
ssl = required
ssl_cert = 

I have the problem with different Thunderbird installations on various 
operating systems (Windows 10, Fedora Linux 36 XFCE).


Regards,

Meikel