Problems with R3 Certificate using exim/dovecot


My domain is:

I have been using Let's Encrypt for a while for POP3, IMAP and SMTP (more correctly POP3s, IMAPs, SSMTP, SMTP/TLS) using dovecot and exim4. The Certificate for was due and was renewed today, and since then I get the error "R3 certificate is expired" while connecting.

See the Trust Information that is shown in my email client:

PDF with Trust Information

As you can see, the DST Root CA X3 is still valid (for another 18 hours), but the attached R3 Certificate has already expired.

As a result, I cannot receive or send any email. I have already tried several steps, including issuing a completely new certificate, updating the root certificates on the Ubuntu 18.04 (even though I am sure that it is not related), rebooting, etc., and I am running out of ideas.



Your IMAP and POP3 services aren't sending any intermediate certificates. Please reconfigure your Dovecot so it sends the correct certificate chain.

As for your SMTP: for some reason I can't connect to port 25 or 587 with STARTTLS. But as for your port 465: it serves a self-signed certificate?


osiris@erazer ~ $ telnet 25
Connected to
Escape character is '^]'.
220 ESMTP Exim 4.90_1 Ubuntu Thu, 30 Sep 2021 09:51:41 +1300
EHLO blaat Hello []
250-SIZE 25000000
250 HELP
454 TLS currently unavailable

Ah, that's why STARTTLS didn't work...



Many thanks for looking into this:

Regarding Ports:

Maybe you tested it at the time of the reboot. Port 587 should be reachable based on Open Port Check Tool - Test Port Forwarding on Your Router

Port 25 is blocked; 465 please ignore, that is used only for very old clients.

Regarding Dovecot:

I switched the cert from /etc/letsencrypt/live/ to /etc/letsencrypt/live/, but it seems that makes no difference.

Config in dovecot.conf:

ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/
ssl_client_ca_dir = /etc/ssl/certs



IMAP now sends the correct chain, that should work now. However, STARTTLS on SMTP is still unavailable.


Many thanks. In exim the problem was, it seems, a permission problem, and I also had to replace the reference to fullchain.pem.

Many thanks, it seems it's working now.
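
The two faults found in this thread (a server certificate file that carries no intermediate, and a certificate file the mail daemon cannot read) can both be checked on the server before restarting the services. The script below is an added example, not code from any poster in the thread; the function names and status strings are hypothetical, and it only counts PEM blocks, it does not validate signatures or expiry dates.

```python
import re
import sys

# One PEM-encoded certificate block, as found in Certbot's cert.pem / fullchain.pem.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def dovecot_cert_path(conf_text):
    """Return the file named by the last active 'ssl_cert = <path' line, or None."""
    path = None
    for line in conf_text.splitlines():
        # Commented-out lines and other keys (ssl_key, ssl_client_ca_dir) do not match.
        m = re.match(r"\s*ssl_cert\s*=\s*<\s*(\S+)", line)
        if m:
            path = m.group(1)
    return path


def check_chain_file(path):
    """Classify a PEM file as 'unreadable', 'no-cert', 'leaf-only' or 'chain'."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            blocks = PEM_CERT.findall(fh.read())
    except OSError:
        # Missing file or a permission problem for the account running this script.
        return "unreadable"
    if not blocks:
        return "no-cert"
    # A single block means clients receive the leaf without any intermediate.
    return "leaf-only" if len(blocks) == 1 else "chain"


if __name__ == "__main__":
    # Usage (assumed invocation): python3 check_chain.py /etc/dovecot/dovecot.conf
    with open(sys.argv[1], encoding="utf-8") as fh:
        cert = dovecot_cert_path(fh.read())
    if cert is None:
        sys.exit("no active ssl_cert line found")
    status = check_chain_file(cert)
    print(f"{cert}: {status}")
    sys.exit(0 if status == "chain" else 1)
```

Run it as the account the mail daemon runs as, so that an "unreadable" result reflects that daemon's permissions rather than root's.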

