Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mail.servicemouse.com
I ran this command:
tail -f /var/log/maillog
It produced this output:
mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=126.96.36.199, lip=188.8.131.52, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
My web server is (include version):
servicemouse.com is served from another ip
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
With TLS1.2 the imaps server works correctly:
$ openssl s_client -connect mail.servicemouse.com:993
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = mail.servicemouse.com
0 s:CN = mail.servicemouse.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
With TLS1.0 there is no server certificate sent:
$ openssl s_client -tls1 -connect mail.servicemouse.com:993
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 134 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Protocol : TLSv1
Cipher : 0000
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1639736494
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Maybe the imap client is too old for that server configuration. You should revise the level of the TLS version backward compatibility that the mail server is supposed to provide.
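A scripted version of the check above, added here as an example (not code from the thread or from Dovecot): it pins one TLS version per handshake, the way openssl s_client -tls1 does, and reports for each version whether the server completed the handshake and presented a certificate. The host defaults to the mail.servicemouse.com:993 used in the thread; the connect parameter is an assumption that exists only so the reporting logic can be exercised without network access.

```python
import socket
import ssl

# Candidate versions, oldest first; TLSv1 is what the old IMAP client needs.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_context(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version  # like `openssl s_client -tls1`, the
    ctx.maximum_version = version  # server cannot upgrade us to a newer one
    ctx.check_hostname = False     # we report the handshake result, not trust
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # relax it for this probe only, otherwise the client side fails first.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def tls_handshake(host, port, ctx):
    """Real network handshake; returns (negotiated version, cert present?)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True) is not None


def probe(host, port=993, connect=tls_handshake):
    """Map each version name to 'ok', 'no certificate' or a failure reason."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = make_context(version)
        except (ssl.SSLError, ValueError):
            results[name] = "unsupported by local OpenSSL"
            continue
        try:
            _negotiated, has_cert = connect(host, port, ctx)
            results[name] = "ok" if has_cert else "no certificate"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[name] = f"handshake failed: {type(exc).__name__}"
    return results


if __name__ == "__main__":
    for name, outcome in probe("mail.servicemouse.com").items():
        print(f"{name:8s} {outcome}")
```

A version that reports "unsupported by local OpenSSL" means your own openssl build, not the mail server, is the limiting side, which is worth ruling out before changing ssl_min_protocol.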
Un-commenting ssl_min_protocol = TLSv1 didn't help.
@fugee Which version of Dovecot are you using? Starting with v2.3.15 the default for that setting is TLSv1.2. But, earlier versions defaulted to TLSv1. You could set it explicitly with:
ssl_min_protocol = TLSv1.2
It accepts 1.2 connections but not 1.0 ones, so changing the min to 1.2 doesn't make sense, although I tried and it didn't help either.
Then I would try:
ssl_min_protocol = TLSv1.0
ssl_min_protocol = TLSv1
Maybe try asking on the Dovecot support channels how you can get it to support TLSv1, testing with the example command from @bruncsak.
Is it possible to upgrade the imap client to support TLSv1.2?
This is not really a Let's Encrypt cert problem. It is a protocol mismatch between your mail client and Dovecot server.
Are you trying to "staple" the cert? Dovecot/Postfix do not support OCSP stapling.
As of 2017-10, no.
Dovecot does not have any OCSP support whatsoever; as of 2016 it was considering the feature for a future release, but no work has been done on that since.
Postfix does not have any OCSP support whatsoever, and as of 2017 is not planning to ever implement such a feature.
Not sure if this is the issue, however, I have been wrestling with this as well.
Might be something to look in to.