On 2023-12-28 06:16, David C. Rankin wrote:
On 12/27/23 13:12, Carlos E. R. wrote:
I am seeing these in the mail log, after a recent update (the machine is using Leap 15.4, but I have seen them in a 15.5 machine too (did not study those)):
<2.6> 2023-12-27T19:48:49.449784+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<7qHpP4INzunAqAIT>
<2.6> 2023-12-27T19:48:49.459538+01:00 Telcontar dovecot - - - imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=192.168.2.19, lip=192.168.1.14, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<aqPpP4INwunAqAIT>
And Thunderbird can not open some folders.
Very, very long-running problem, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1671736
Claims it is resolved -- it isn't and never has been. There is something botched in tbird's acceptance of a changed self-signed cert. I was hit with this just about every year as the cert expired until I finally just went to using Let's Encrypt real certificates (you can use the same cert for web and mail servers).
I'd load certbot and just get the free cert for your domain, set up your web and mail servers to use them and be done with it.
I refuse to use external certificates. Also, I use a faked domain, I don't have a true domain.
Otherwise, you can't get rid of the old cert cached somewhere in the tbird profile and you end up having to install new cert, restart dovecot, delete your mailbox from within tbird and re-create it and it will then, and only then, give you the ability to "create an exception" for your new self-signed cert.
Royal pain....
Ah, restart dovecot. I had forgotten that ingredient in the voodoo concoction.
--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
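Added example, not part of the original messages: a Python sketch that parses dovecot login lines of the shape quoted in the thread and counts certificate-related TLS alerts per client IP, which shows which client is rejecting the server certificate after a cert change. The function names, the alert subset and the sample lines are choices of this example; the sample input is constructed.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Matches dovecot login-process lines like the ones quoted in the thread.
LINE_RE = re.compile(
    r"(?P<service>\w+)-login: Disconnected: .*?SSL_accept\(\) failed: "
    r".*?SSL alert number (?P<alert>\d+).*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def parse_line(line):
    """Return (service, client_ip, alert_number), or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("service"), m.group("rip"), int(m.group("alert"))

def summarize(lines):
    """Count certificate-related handshake failures per (client, alert name)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in CERT_ALERTS:
            _, rip, alert = parsed
            counts[(rip, CERT_ALERTS[alert])] += 1
    return counts

# Constructed sample input, modelled on the log lines quoted in the thread.
_FAIL = ("<2.6> 2023-12-27T19:48:49+01:00 host dovecot - - - imap-login: "
         "Disconnected: Connection closed: SSL_accept() failed: "
         "error:{code}:SSL routines:ssl3_read_bytes:{text}: "
         "SSL alert number {n} (no auth attempts in 0 secs): user=<>, "
         "rip={ip}, lip=192.168.1.14, session=<x>")
SAMPLE = [
    _FAIL.format(code="14094412", text="sslv3 alert bad certificate", n=42, ip="192.168.2.19"),
    _FAIL.format(code="14094412", text="sslv3 alert bad certificate", n=42, ip="192.168.2.19"),
    _FAIL.format(code="14094418", text="tlsv1 alert unknown ca", n=48, ip="192.168.2.20"),
    "<2.6> 2023-12-27T19:50:00+01:00 host dovecot - - - imap-login: "
    "Login: user=<cer>, method=PLAIN, rip=192.168.2.21, lip=192.168.1.14, TLS",
]

if __name__ == "__main__":
    for (rip, alert), n in summarize(SAMPLE).most_common():
        print(f"{rip}  {alert}  x{n}")
```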