Thunderbird says "unknown identity"

Hello,

I created a new certificate for testing my mailserver (dovecot, postfix) with the domain mx1.mydomain . The command I used was:

certbot certonly --apache -d mx1.mydomain

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mx1.mydomain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mx1.mydomain/privkey.pem

In postfix the file paths are
smtpd_tls_key_file = /etc/letsencrypt/live/mx1.mydomain/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mx1.mydomain/fullchain.pem

In dovecot the file paths are
ssl_cert = </etc/letsencrypt/live/mx1.mydomain/fullchain.pem
ssl_key = </etc/letsencrypt/live/mx1.mydomain/privkey.pem

But when I try to add a mail account for that in thunderbird after finding the server settings and confirming the account, a window pops up titled "Add Security Exception".
"This site attempts to identify itself with invalid information". -> Unknown Identity

I pressed the button View certificate.

Subject Name
common name mx1.mydomain

Issuer Name
common name mx1.mydomain

Did something go wrong when creating the certificate?

I'm pretty sure this is not actually your domain.

Note that the mx label hostname is usually not the hostname you'd use in the configuration of the MUA. E.g., my MUA is configured with smtp.example.com and imap.example.com. I would need to include those hostnames into the certificate as well as the mx.example.com hostname.

2 Likes

mydomain is just an example. Some people write example.com, I write mydomain.

So, using an mx label as hostname is the reason why Thunderbird complains about unknown identity?

That depends on what hostname you've used in Thunderbird, but most people wouldn't use the mx label but e.g. imap. And if that doesn't correspond with the information in the certificate, you'll get an error.

Thus we'd need to know what exact hostname you used in Thunderbird.

Please note that providing the real domain name is mandatory as explained in the questionnaire which should have been presented when you opened this thread in the Help section.

4 Likes
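The check Thunderbird performs at this point is a name match: the hostname typed into the account settings must be covered by a DNS entry in the certificate's subjectAltName, otherwise the "Unknown Identity" exception dialog appears. The script below is an added example (not from this thread or from Thunderbird, Postfix or Dovecot) that reproduces that match on the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(). It also flags a certificate whose issuer equals its subject, because a certificate issued by Let's Encrypt carries Let's Encrypt's intermediate as issuer, whereas the viewer output quoted in the question shows the same common name in both fields. The sample certificate dictionaries, the placeholder names under mydomain and the helper function names are all constructed for this example.

```python
from __future__ import annotations

import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, and a leading '*.' covers
    exactly one leftmost label (so *.mydomain matches imap.mydomain but
    not a.b.mydomain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of the subjectAltName extension (IP entries are ignored)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(rdn_sequence: tuple) -> str | None:
    """Pull commonName out of the nested RDN tuples getpeercert() returns."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_self_signed(cert: dict) -> bool:
    """A certificate whose issuer name equals its subject name is self-signed,
    which is never the case for a Let's Encrypt issued certificate."""
    return cert.get("subject") == cert.get("issuer")


def identity_problems(cert: dict, hostname: str) -> list[str]:
    """Return the reasons a mail client would refuse this certificate for
    the given hostname; an empty list means the identity checks out."""
    problems = []
    names = san_dns_names(cert)
    if not any(dns_name_matches(name, hostname) for name in names):
        problems.append(f"hostname {hostname!r} not covered by subjectAltName {names}")
    if is_self_signed(cert):
        problems.append(f"certificate is self-signed (issuer == subject: {common_name(cert.get('issuer', ()))!r})")
    return problems


def fetch_peer_cert(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Fetch the certificate actually served on an implicit-TLS port such as
    IMAPS 993 or SMTPS 465. Chain validation against the system trust store
    stays on; only the hostname check is turned off so that a mismatched
    certificate can still be inspected with identity_problems()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name check ourselves
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: what the viewer output in the question corresponds to,
# a self-signed certificate naming only the mx label.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "mx1.mydomain"),),),
    "issuer": ((("commonName", "mx1.mydomain"),),),
    "subjectAltName": (("DNS", "mx1.mydomain"),),
}

# Constructed sample: the shape of a CA-issued certificate that also covers
# the client-facing names (issuer values are illustrative, not real).
SAMPLE_CA_ISSUED = {
    "subject": ((("commonName", "mx1.mydomain"),),),
    "issuer": ((("organizationName", "Example CA Org"),), (("commonName", "Example Intermediate"),)),
    "subjectAltName": (("DNS", "mx1.mydomain"), ("DNS", "imap.mydomain"), ("DNS", "smtp.mydomain")),
}


if __name__ == "__main__":
    for host in ("mx1.mydomain", "imap.mydomain"):
        print(host, identity_problems(SAMPLE_SELF_SIGNED, host))
        print(host, identity_problems(SAMPLE_CA_ISSUED, host))
```

Run against a live server with identity_problems(fetch_peer_cert("imap.mydomain"), "imap.mydomain"); the hostname passed to fetch_peer_cert must be the one configured in the mail client, since that is the name the client compares. Port 993 and 465 speak TLS immediately; for Postfix on 587 the client first issues STARTTLS, so the same check would need smtplib's starttls() before reading the peer certificate.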

People write example.com because it is a reserved domain for such use and it is obvious to readers that it is a placeholder.

Using a real domain that is not yours serves only to waste the time of those whom you are hoping will help you. You need to stop that bad behavior.

7 Likes

As I mentioned, it is just for testing a mailserver. Later it will be imap.mydomain, smtp.mydomain. These subdomains actually point to another mailserver (CNAME to another mx label) and I cannot create them now. I'm upgrading my mailserver step by step, I therefore need to be able to address a server specifically via an address. That's why I use mx1.mydomain. When I write an email to user@mx1.mydomain, server one gets the email; user@mx2.mydomain, server two gets the email. But it would be nice to get it error free in Thunderbird with a correct certificate. The info in the "testcertificate" should match with the domain. That's why I'm surprised that Thunderbird can't determine the identity.

Postfix and Dovecot have many "moving parts". How can anyone (and Thunderbird) figure out how to talk to your mail server if you withhold the very information that probably could have already resolved YOUR issue?

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.