Do you struggle to keep a dovecot IMAP server afloat in this and age?
Do you like using Thunderbird?
Did you just change IP addresses, update a certificate, or upgrade the OS that your dovecot imap server ran on?
Do you see errors in your syslog or dovecot log like this?
Sep 1 04:22:46 fragile5 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=10.10.12.14, lip=10.10.12.1, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<BflAg0QEpOIKCgwO>
Too long didn’t read?
- On the computer that runs Thunderbird, put the Dovecot IMAP server’s certificate common name (CN) in your /etc/hosts with the IP address you want to use for that IMAP server for your client host;
- Tell Thunderbird to use that CN;
- Add your dovecot cert’s certificate authority (CA) cert to thunderbird’s CA list;
- Make sure the dovecot certificate has that CN or the name you use is in Subject Altertnative Names.
Long story, not short
What this error means is that during the SSL handshake there was an error. I assume it is client side. And I assume it is thunderbird’s fault.
The phrase “bad certificate” should give you a hint at what is going on. It doesn’t mean your certificate is bad. It means that your certificate is bad for the given configuration. Your certificate could still be bad. Bad configs include things like connecting to a host where the CN and the hostname doesn’t match, or the certificate is expired.
Thunderbird used to be very leniant about certs and self-signed certs, and exceptions could be trivially added. That doesn’t seem to be the case with newer versions, with versions 102 and 115 it seems pretty hard to get those exceptions to work even if you use a valid certificate authority (CA). When I used a valid certificate authority it wouldn’t add exceptions because my certificate was “perfectly valid” and thus did not need an exception. Thanks, I wanted an exception because you wouldn’t let this handshake properly.
I struggled a lot with this problem after an upgrade and what I found worked well for me was to ensure that the certificate authority (CA) for the certificate was added to Thunderbird and that the hostname I was using for the IMAP server matched one of the hostnames in the server’s certificate. So if you read closely you’ll see I needed not 1 but 2 certificates: CA cert and IMAP server cert. I had to tell Thunderbird to trust the CA, and I needed the dovecot IMAP server to have a certificate that would use the same hostname that Thunderbird would use.
My imap server is fragile5, so either the common name of the cert had to be fragile5 or one of the Subject Alternative Names had to be fragile5. To complicate things fragile5 was already in my DNS search path, so I had shortcut it by defining the host in /etc/hosts and have it point to the exact IP I wanted to use for the imap server. I recommend just using DNS normally like a sane sysadmin.
- Use a CA or make a CA.
openssl genrsa -out fragile5CA.key 4096
openssl req -x509 -new -nodes -key fragile5CA.key \
-subj "/C=CA/ST=AB/L=EDMONTON/O=dovecotnow/CN=fragile5" \
-sha256 -days 3650 -out fragile5CA.pem
openssl req -new -x509 -days 3650 -key fragile5CA.key \
-subj "/C=CA/ST=AB/L=EDMONTON/O=dovecotnow/CN=fragile5" \
-out fragile5CA.crt
fragile5CA.keywill be the dovecot keyfragile5CA.pemandfragile5CA.crtwill be the cert- It’ll last for 10 years
- The CN is
fragile5which you should change to whatever CN you want. - The organization is
dovecotnow, you can change it to whatever you want. - Make sure the Dovecot certificate has that CN or the name you use is in Subject Altertnative Names.
- You’ll need a v3.ext file to make your cert. Change fragile5 to whatever you want and you can add multiple DNS
alt_names
- You’ll need a v3.ext file to make your cert. Change fragile5 to whatever you want and you can add multiple DNS
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = fragile5
DNS.2 = fragile.domain.dns
DNS.3 = fragile6
- Once
v3.extis made use it to make some keys and certs
# Make the key
$(openssl) genrsa -out fragile5.key 4096
# Make the certificate request
openssl req -new -key fragile5.key -out fragile5.csr -subj \
"/C=CA/ST=AB/L=EDMONTON/O=dovecotnow/CN=fragile5"
# Make a certificate
openssl x509 -req -in fragile5.csr -CA fragile5CA.pem -CAkey \
fragile5CA.key -CAcreateserial -out fragile5.crt \
-days 3650 -sha256 -extfile v3.ext
# Make a certificate
openssl x509 -req -in fragile5.csr -CA fragile5CA.pem -CAkey \
fragile5CA.key -CAcreateserial -out fragile5.pem \
-days 3650 -sha256 -extfile v3.ext
fragile5.keyandfragile5CA.pemwill be used in your dovecot10-ssl.conffile (see/etc/dovecot/conf/10-ssl.conf).- Make sure that the CA’s certificate is trusted by Thunderbird
- Settings -> Privacy & Security -> Manage Certificates -> Authorities -> Import (and choose your CA’s
pemorcrtsuch asfragile5CA.crt)
- Settings -> Privacy & Security -> Manage Certificates -> Authorities -> Import (and choose your CA’s
- Put the IMAP server’s cert CN in your /etc/hosts with the IP you want;
10.10.12.1 fragile5 - Tell thunderbird to use that CN as the imap server (
fragile5); - Good luck and watch your logs!
Extra help
- If you use let’s encrypt for your CA you can skip making a CA altogether and just make the key, the csr, and get the crt using the csr.
- You can view your cert’s with openssl as well:
openssl x509 -text -in fragile5CA.crt
openssl x509 -text -in fragile5.crt
If you find the certificate generation really annoying I have a project called httpsnow that will generate keys for localhost and then you just need to change references to localhost to your CN: https://github.com/abramhindle/httpsnow
Why did I make this post? So I’d remember how to deal with it for next time.
To avoid hassling your clients with extra setup, use a CA already in the thunderbird CA store and make sure your IMAP server’s CN has an actual and real DNS resolvable name (and make sure that CN is the server name you told your clients to use). Then you won’t have to do anything specific for Thunderbird clients.