Dovecot error certificate unknown

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.servicemouse.com

I ran this command:
tail -f /var/log/maillog

It produced this output:
mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
My web server is (include version):
servicemouse.com is served from another ip

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

With TLS1.2 the imaps server works correctly:

$ openssl s_client -connect mail.servicemouse.com:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.servicemouse.com
verify return:1
---
Certificate chain
 0 s:CN = mail.servicemouse.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

With TLS 1.0 no server certificate is sent:

$ openssl s_client -tls1 -connect mail.servicemouse.com:993
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 134 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639736494
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
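For anyone triaging the same kind of maillog noise, here is an added example (not part of this thread, and not Dovecot's own tooling) that parses Dovecot `imap-login` handshake failures, pulls out the client IP and the TLS alert number, and decodes the alert with the names from RFC 5246. The sample log lines are constructed: the first is modelled on the line quoted above, the others are made up to exercise the other branches. The security-relevant point it makes visible is that an alert reported inside `SSL_accept()` was sent by the *client*, so alert 46 (certificate_unknown) means the client inspected and rejected the server's certificate, which is a different failure from a protocol-version mismatch that the server itself generates.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The first mirrors the line quoted in the post
# (with a syslog timestamp added); the rest are invented to cover other cases.
SAMPLE_LOG = """\
Dec 17 10:01:31 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
Dec 17 10:02:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Dec 17 10:02:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=45.79.79.188, mpid=1234, TLS, session=<abc>
Dec 17 10:03:12 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
Dec 17 10:04:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
"""

# TLS AlertDescription values (RFC 5246 section 7.2), the subset that shows
# up most often in mail-server logs.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

RIP_RE = re.compile(r"\brip=(?P<rip>[0-9a-fA-F.:]+)")
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")
# OpenSSL error strings look like error:<8 hex>:SSL routines:<function>:<reason>
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+)")


def parse_line(line):
    """Return a dict describing a Dovecot TLS handshake failure, or None
    for lines that are not handshake failures (successful logins etc.)."""
    if "TLS handshaking:" not in line or "SSL_accept() failed" not in line:
        return None
    rip = RIP_RE.search(line)
    err = ERR_RE.search(line)
    alert = ALERT_RE.search(line)
    num = int(alert.group("num")) if alert else None
    return {
        "rip": rip.group("rip") if rip else None,
        "reason": err.group("reason").strip() if err else "unknown",
        "alert": num,
        "alert_name": TLS_ALERTS.get(num, "unassigned") if num is not None else None,
        # An alert surfaced inside SSL_accept() was received from the peer:
        # the client looked at the ServerHello/Certificate and refused it.
        # Errors without an alert number (e.g. "wrong version number") are
        # raised by the server itself while reading the client's bytes.
        "client_rejected": num is not None,
    }


def summarize(log_text):
    """Group handshake failures by client IP and failure reason, so that a
    single misbehaving client (or an old client missing a root CA) stands out."""
    by_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = rec["reason"]
        if rec["alert"] is not None:
            label = f"client alert {rec['alert']} ({rec['alert_name']})"
        by_client[rec["rip"]][label] += 1
    return {rip: dict(counts) for rip, counts in by_client.items()}


if __name__ == "__main__":
    for rip, counts in summarize(SAMPLE_LOG).items():
        for label, n in counts.items():
            print(f"{rip:16} {n:3}  {label}")
```

Run it against the real file with `python3 parse_dovecot_tls.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; clients that repeatedly send certificate_unknown (46) or unknown_ca (48) are the ones whose trust store cannot build a path to the served chain, whereas protocol_version (70) or server-side "wrong version number" errors point at a TLS version mismatch like the one discussed in this thread.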

Maybe the imap client is too old for that server configuration. You should revise the level of the TLS version backward compatibility that the mail server is supposed to provide.

4 Likes

Un-commenting ssl_min_protocol = TLSv1 didn't help

@fugee Which version of Dovecot are you using? Starting with v2.3.15 the default for that setting is TLSv1.2. But, earlier versions defaulted to TLSv1. You could set it explicitly with:

ssl_min_protocol = TLSv1.2
4 Likes

It accepts TLS 1.2 connections but not 1.0 ones, so changing the minimum to 1.2 doesn't make sense, although I tried it and it didn't help either

Then I would try:
ssl_min_protocol = TLSv1.0
OR
ssl_min_protocol = TLSv1

2 Likes

Tried that already

Maybe try asking on the Dovecot support channels how you can get it to support TLSv1, testing with the example command from @bruncsak.

Is it possible to upgrade the imap client to support TLSv1.2?

This is not really a Let's Encrypt cert problem. It is a protocol mismatch between your mail client and Dovecot server.

2 Likes

Are you trying to "staple" the cert? Dovecot/Postfix do not support OCSP stapling.
As of 2017-10, no.

Dovecot does not have any OCSP support whatsoever; as of 2016 it was considering the feature for a future release, but no work has been done on that since.

Postfix does not have any OCSP support whatsoever, and as of 2017 is not planning to ever implement such a feature.

Not sure if this is the issue, however, I have been wrestling with this as well.
Might be something to look in to.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.