Thanks Miguel,

Your suggestion is great when having self signed certificates.
It turned out my situation was not because Apple devices were having problems with TLSv1 like I initially thought. A backup server had a technical failure and it had rebooted and then automatically started a backup version of the (virtual) mail server. So the "real" and "backup" server were both online having the same IP. This apparently caused some confusion with the clients :)

Took one full day to figure this out while trying all kinds of myriad fixes. I take this as a sign to finally start the migration to newer OS on this server. Now I would need to decide if I should go with COS7 or COS8...

Best,
Peter

On Mon, Aug 24, 2020 at 12:20 AM Miguel Angel Amable Ventura <mvent...@compu-tecnia.com> wrote:
>
> Hi Peter,
>
> You need to tell your users to delete the pop/imap account completely
> (not editing it) and register again just from the very beginning and
> they need to be connected to the wifi so the trust certificate shows the
> "trust option" to check it (in details) and finish their register. That
> can happen when you change the actual certificate or it has expired, I
> use my self-signed-certificates and set the expiry time at 10 years
> forward. When signing you need to use the option -extensions v3_ca as
> follows:
>
> openssl req -x509 -nodes -days 4825 -newkey rsa:2048 -keyout server.key -out server.crt -extensions v3_ca
> cat server.crt server.key > servercert.pem
> cp servercert.pem /var/qmail/control/servercert.pem
> chmod 640 /var/qmail/control/servercert.pem
> chown root.vchkpw /var/qmail/control/servercert.pem
> openssl pkcs12 -export -out mail4.pfx -inkey server.key -in server.crt
>
> When you use that option (extensions) apple/microsoft products can give
> you an option to trust your certificate.
>
> Greetings!
>
>
> On 22/08/2020 at 04:28 a.m., Peter Peltonen wrote:
> > I have an old COS5 qmailtoaster
> >
> > Since yesterday Apple devices using its Mail program have been
> > receiving messages about certificate being not valid. It's a wildcard
> > certificate that is being used elsewhere as well so it should be valid
> > (it has not been expired).
> >
> > All other devices / clients seem to work also.
> >
> > As COS5 openssl uses TLSv1 I started wondering if Apple has deprecated
> > it from its Mail clients...?
> >
> > I do have this fix enabled:
> > https://www.qmailtoaster.org/newopensslcnt50.html
> >
> > But I assume it does not affect Dovecot which is still using the old
> > OpenSSL, right?
> >
> > So my only option really is to upgrade... Should have done it ages ago
> > of course. Just wondering if some quick fix came to somebody's mind so
> > I could buy some time to do the upgrade with a little more
> > preparation?
> >
> > Best,
> > Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
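The certificate procedure quoted in this thread, as an added example that is not part of the original messages: it builds the combined `servercert.pem` with the `v3_ca` extension and then checks that the result carries `CA:TRUE`, that the key matches the certificate, and that enough validity remains. The CN `mail.example.test`, the temporary directory, the private config file (so the `v3_ca` section exists whatever the system `openssl.cnf` contains) and the 3650-day threshold are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Names and CN are constructed placeholders, not from the thread.

# Minimal request config carrying its own [v3_ca] section (assumed contents,
# modelled on the section of the same name in a stock openssl.cnf).
write_cnf() {  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mail.example.test
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# Generate key + self-signed cert and the combined PEM, as in the quoted steps.
# Copying into /var/qmail/control and the chown are left out: they need root.
make_cert() {  # $1 = output directory
  write_cnf "$1/req.cnf" &&
  openssl req -x509 -nodes -days 4825 -newkey rsa:2048 \
    -config "$1/req.cnf" -extensions v3_ca \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
  cat "$1/server.crt" "$1/server.key" > "$1/servercert.pem" &&
  chmod 640 "$1/servercert.pem"
}

# Returns 0 if the combined PEM is usable, 1 if CA:TRUE is missing or the file
# is unreadable, 2 if key and certificate do not match, 3 if it expires too soon.
check_cert() {  # $1 = combined PEM, $2 = minimum days of validity required
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 2
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null || return 3
}

# Stand-alone run in a scratch directory.
tmp=$(mktemp -d) && make_cert "$tmp" && check_cert "$tmp/servercert.pem" 3650 &&
  echo "servercert.pem: CA:TRUE present, key matches, valid for 10+ years"
rm -rf "$tmp"
```

Running `check_cert` against the PEM on each host that can answer on the mail server's IP also shows quickly whether they are serving the same certificate and key.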