Cert in thunderbird: wrong site

I have 2 certificates that I set up with certbot.

[root@s3.x.com letsencrypt]$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a.com
    Serial Number: 3e04e0125cc04a36b17a8e3a7216368408b
    Key Type: RSA
    Domains: a.com
    Expiry Date: 2022-04-23 05:49:10+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/a.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a.com/privkey.pem
  Certificate Name: mail.x.com
    Serial Number: 480b0c7d04ea134508cb2f297e4d5003c2d
    Key Type: RSA
    Domains: mail.x.com mail.y.com mail.z.com
    Expiry Date: 2022-05-23 08:28:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.x.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.x.com/privkey.pem

I use the second cert for my mail. I set up this cert in postfix and dovecot:
postfix/main.cf:

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.x.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.x.com/privkey.pem

dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/mail.x.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.x.com/privkey.pem

I renewed the cert and restarted postfix and dovecot.

When I set up my email account in a mail client with the mail.x.com server address, thunderbird shows a security exception: "This site attempts to identify itself with invalid information... wrong site"
I can see the certificate belongs to the a.com domain. But I don't understand why. I set up the mail.x.com cert in dovecot and postfix. Shouldn't the mail server use the second cert?
I've used this config for a few years now and it worked. I don't know what changed now. Could anyone help me a bit?

You should really tell us the actual domain names. No way to debug without knowing them.

What domain name is thunderbird complaining about? The MX? Autodiscover? Autoconfig? Just when you add it, or when you fetch mail too?


Thank you for your answer. Excuse me, I didn't know whether it would be a security issue to post the domain names.

  Certificate Name: idegen-szavak.hu
    Serial Number: 3e04e0125cc04a36b17a8e3a7216368408b
    Key Type: RSA
    Domains: idegen-szavak.hu
    Expiry Date: 2022-04-23 05:49:10+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/idegen-szavak.hu/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/idegen-szavak.hu/privkey.pem
  Certificate Name: mail.radicsferi.com
    Serial Number: 480b0c7d04ea134508cb2f297e4d5003c2d
    Key Type: RSA
    Domains: mail.radicsferi.com mail.aktivmediator.hu mail.idegen-szavak.hu mail.interitkft.hu mail.lqd.hu mail.skidrmusic.com mail.szinonimaszotar.hu
    Expiry Date: 2022-05-23 08:28:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.radicsferi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.radicsferi.com/privkey.pem

I set up imap and smtp settings in thunderbird manually. There's no problem with the imap or smtp settings. Idegen-szavak.hu mx is mail.idegen-szavak.hu and the radicsferi.com mx is mail.radicsferi.com
My idegen-szavak.hu email account works great.
The problem shows up when I set up my radicsferi.com email account. That security exception window appears there. If I add an exception, it works and I can see my emails. But I think something is misconfigured. I think it shouldn't use the idegen-szavak.hu cert when I try to use an email account that belongs to the mail.radicsferi.com cert.


First of all, if you only have one IPv4 address (1), you should use the same MX record for all domains: antispam software looks badly at smtp servers when the reverse DNS does not match. That way dovecot and postfix only need a certificate for the (single) mx hostname. (Of course your webmail will still need several FQDNs.) (I mean, the MX record only concerns postfix, dovecot can still have multiple FQDNs to serve imap and pop -- but then you'd have different hostnames for imap and smtp: think of it like a SaaS service, if you host your mail on Gsuite, you point your MX at google but you still get to use email@yourdomain.com)

That said, your dovecot and postfix (checked starttls imap, smtp and direct tls both) send the right certificate for mail.radicsferi.com, so thunderbird is complaining about something else.

peppe@monolite:~$ openssl s_client -connect mail.radicsferi.com:143 -starttls imap
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.radicsferi.com
verify return:1
---
Certificate chain
 0 s:CN = mail.radicsferi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 08:28:47 2022 GMT; NotAfter: May 23 08:28:46 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = mail.radicsferi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5153 bytes and written 473 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 918B0DF1BEBDA869272E0EA4990A2120237B68E9983150D9CE776C472113D953
    Session-ID-ctx:
    Master-Key: 10CBD9AEFD7C6EF62E44E9FD06800692A853F80FB76B8678B6B2BD35F6BF53AB7641D45037288648DA24F764B58826D6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1645528410
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
. OK Pre-login capabilities listed, post-login capabilities have more.
DONE
peppe@monolite:~$ openssl s_client -connect mail.radicsferi.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.radicsferi.com
verify return:1
---
Certificate chain
 0 s:CN = mail.radicsferi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 08:28:47 2022 GMT; NotAfter: May 23 08:28:46 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = mail.radicsferi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5055 bytes and written 480 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 301933FA1A597B52FBFD46230E0FB3E283AFAF84905DF7E804AD9DF83BBD29A1
    Session-ID-ctx:
    Master-Key: 016059D092CB25C027E95222B5C2EEF78F1DD873FD60AF942AD52A1298371D4713200CD08137EB81436DAE2F7F3E140E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)

    Start Time: 1645528489
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 DSN
DONE
peppe@monolite:~$ openssl s_client -connect mail.radicsferi.com:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.radicsferi.com
verify return:1
---
Certificate chain
 0 s:CN = mail.radicsferi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 08:28:47 2022 GMT; NotAfter: May 23 08:28:46 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = mail.radicsferi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4834 bytes and written 447 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6335E6C2EC14033F8053D0F3292AB00B28E1FD27F696752AA63EA4F2D6C3F360
    Session-ID-ctx:
    Master-Key: 851F52901D5B542DE7064BA37D955E38D66886C696CDF81BC6E97435AD64F177CF4CB2E9C864DFC40A2507A84E38B39B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)

    Start Time: 1645528893
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
220 s3.radicsferi.com ESMTP
DONE
peppe@monolite:~$ openssl s_client -connect mail.radicsferi.com:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.radicsferi.com
verify return:1
---
Certificate chain
 0 s:CN = mail.radicsferi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 08:28:47 2022 GMT; NotAfter: May 23 08:28:46 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = mail.radicsferi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4822 bytes and written 447 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1A1AA7D6A1E53D85C6729930229B7B32F7F9BBB2DAEF9B130A28CC354BF9694F
    Session-ID-ctx:
    Master-Key: 38152FCB6E509551ACAA8C5A821118C3D8426524A856E438B58A64E40FB7B10640235AB3051AF6759A379FDE2E2D988B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1645528914
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
DONE
peppe@monolite:~$

(1):

peppe@monolite:~$ for fqdn in "mail.radicsferi.com mail.aktivmediator.hu mail.idegen-szavak.hu mail.interitkft.hu mail.lqd.hu mail.skidrmusic.com mail.szinonimaszotar.hu"; do dig +short a $fqdn; done
185.80.48.202
185.80.48.202
185.80.48.202
185.80.48.202
185.80.48.202
185.80.48.202
185.80.48.202
peppe@monolite:~$

Thank you for your suggestions about the mx records. I'll modify them.

I still don't understand why the Thunderbird clients give me that notification. I tried 3 clients (different versions) on different machines and they all behave the same. That told me that the problem is on the server side.
Maybe I have the solution now. I had to set up HTTPS in nginx on the radicsferi.com domain itself: I created a separate cert for the website and now the Thunderbird error message has disappeared.
It is really odd. :thinking:

Thank you for your detailed answer. I learned a lot from it. I really appreciate it!
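The thread's diagnosis boils down to one question per endpoint: does the certificate served there cover the hostname the client connected to? The mail ports did (the openssl s_client output above shows CN = mail.radicsferi.com), but the HTTPS endpoint on the bare domain, which Thunderbird's autoconfig lookup also contacts, served the idegen-szavak.hu certificate. The following is an added example, not code from the thread: it parses `certbot certificates`-style output, applies a hostname match (exact, or a wildcard in the leftmost label only) and lists the endpoints whose certificate does not cover their name. The `SERVED` table is a constructed reconstruction of what the thread found, not a live probe.

```python
import re

# Constructed sample in the format of `certbot certificates` output, using
# the two lineages the thread lists (domain list shortened).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: idegen-szavak.hu
    Domains: idegen-szavak.hu
  Certificate Name: mail.radicsferi.com
    Domains: mail.radicsferi.com mail.aktivmediator.hu mail.idegen-szavak.hu
"""

def parse_certbot_certificates(text):
    """Map each certbot lineage name to the list of domains it covers."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            certs[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            certs[current] = m.group(1).split()
    return certs

def hostname_matches(hostname, names):
    """RFC 6125 style check: exact match, or '*.' matching one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and "*" not in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def audit_endpoints(served, certs):
    """Return (host, port, lineage) triples whose certificate does not cover host."""
    return [(h, p, l) for h, p, l in served if not hostname_matches(h, certs.get(l, []))]

# Constructed picture of the thread's situation: mail ports serve the right
# lineage, HTTPS on the bare domain served the other site's certificate.
SERVED = [
    ("mail.radicsferi.com", 993, "mail.radicsferi.com"),
    ("mail.radicsferi.com", 465, "mail.radicsferi.com"),
    ("radicsferi.com", 443, "idegen-szavak.hu"),
]

if __name__ == "__main__":
    for host, port, lineage in audit_endpoints(SERVED, parse_certbot_certificates(CERTBOT_OUTPUT)):
        print(f"{host}:{port} serves '{lineage}', which does not cover {host} (wrong site)")
```

Run against the constructed table it flags only radicsferi.com:443, which is exactly the endpoint the last post fixed by giving the website its own certificate.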

