Thunderbird does not connect to Postfix/Dovecot. Webmail works

udgru picture udgru · Apr 19, 2015 · Viewed 7.7k times · Source

Thunderbird does not connect to Postfix/Dovecot.
My webmail interface works with login ([email protected] + password),
incoming (SSL/TLS, Port 993) and outgoing messages (STARTTLS, Port 587).
I did a bit debugging and got to know that it must be a certificate error.
Does anyone here know how to fix it, please?

This is my mail.log with SSL debugging:

Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:28 m123851 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [x.x.x.x]
Apr 26 16:57:29 m123851 dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.x.x.x, lip=85.x.x.x, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<NDYo2aEUWQAfBhbN>

This is my Dovecot ssl-config file (/etc/dovecot/conf.d/10-ssl.conf):

# Log SSL problems
verbose_ssl = yes

ssl = required

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

ssl_protocols = !SSLv3 !SSLv2

ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+
                  SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+
                  CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:
                  !EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:
                  AES256-SHA:CAMELLIA128-SHA:AES128-SHA

ssl_prefer_server_ciphers = yes

The SSL cert for Dovecot is setup for localhost.
As I tried to integrate my root ca and domain cert into the dovecot cert, the problem remains:
dovecot.pem cert = dovecot cert content + domain cert content + root ca cert content (exactly in this order from top to bottom)
dovecot.pem key = dovecot cert key + domain cert key + root ca cert key (exactly in this order from top to bottom)

Answer

Allen Luce picture Allen Luce · Apr 21, 2015

Thunderbird is expecting dovecot to supply it with the certs it needs to verify the connection (intermediary certs or the self-signed CA cert). Check out "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration.

You can fix this by adding intermediary certs to your SSL cert file (/etc/ssl/certs/imap.pem or wherever your ssl_cert) is pointing. If you obtained your SSL certificate from a vendor, they should have instructions on how to obtain the intermediary certs.