Thunderbird vs. LetsEncrypt problems

Hi,

I’m hosting my own mail server running Rocky Linux 8 for mail.microlinux.fr. LetsEncrypt certificates for that server are managed with a Certbot script.

Today I had to revoke a bulk of certificates and then recreate them from scratch (since I got LetsEncrypt’s infamous domain-0001 problem).

New certificates seem to work fine everywhere. Except now I can’t connect to my mail server using Thunderbird. Here’s the error I get in /var/log/maillog whenever I try to connect to the mail server using Thunderbird:

Aug 1 06:30:08 sd-110196 dovecot[1777808]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=88.175.52.119, lip=163.172.82.215, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<4NF+NkY7/AhYrzR3>

I double-checked. It’s not Fail2ban. I restarted all the services and then even the whole server. I can use email fine with the Roundcube web client. But it looks like Thunderbird keeps an old and stale version of the certificates somewhere. Tried emptying Thunderbird’s cache, but to no avail.

This is quite a showstopper, since some of my clients are also using that server with Thunderbird. Googling brought me nowhere. I asked chat.mistral.ai but I only got a fantasy explanation with nonexistent options in Thunderbird.

Now I’m clueless and slightly desperate. Any suggestions?
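As an added example, not part of the original post, here is a small Python classifier for Dovecot `SSL_accept() failed` lines like the one quoted above. It decodes the OpenSSL error code (assuming the OpenSSL 1.1.x layout, which is what Rocky Linux 8 ships: lib, function and reason packed into one 32-bit value, with a received TLS alert encoded as reason 1000 + alert number), maps the alert number to its RFC 5246 name, and flags whether the line means the client rejected the server's certificate. The `sd-110196` line is the one from the post; the other sample lines and the IPs in them are constructed for the example.

```python
import re

# TLS AlertDescription values (RFC 5246 section 7.2.2). OpenSSL logs any
# received alert as "sslv3 alert <name>" regardless of the TLS version that
# was negotiated; the prefix is just its historical name for the alert layer.
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

# Alerts a client sends after it has rejected the certificate the server sent.
CERT_REJECTIONS = {42, 43, 44, 45, 46, 48}

# OpenSSL 1.1.x: reason code lives in the low 12 bits of the error code, and a
# received alert is encoded as SSL_AD_REASON_OFFSET + alert number.
SSL_AD_REASON_OFFSET = 1000

LOG_RE = re.compile(
    r"dovecot\[\d+\]: (?P<service>[\w-]+): .*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:]+)"
    r".*?SSL alert number (?P<alert>\d+)"
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample input: the first line is the one from the post above,
# the rest are made up for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Aug 1 06:30:08 sd-110196 dovecot[1777808]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=88.175.52.119, lip=163.172.82.215, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<4NF+NkY7/AhYrzR3>",
    # Constructed: a client whose trust store lacks the issuing CA.
    "Aug 1 06:31:12 sd-110196 dovecot[1777808]: pop3-login: Disconnected: Connection closed: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:sslv3 alert unknown ca: SSL alert number 48 (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=163.172.82.215, session=<constructed1>",
    # Constructed: cipher or version mismatch, not a certificate problem.
    "Aug 1 06:32:40 sd-110196 dovecot[1777808]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: SSL alert number 40 (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=163.172.82.215, session=<constructed2>",
    # Constructed: a successful login that the parser must ignore.
    "Aug 1 06:33:01 sd-110196 dovecot[1777808]: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=163.172.82.215, TLS, session=<constructed3>",
]


def classify(line):
    """Parse one Dovecot SSL_accept() failure and say which side rejected what."""
    m = LOG_RE.search(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    reason_code = int(m.group("code"), 16) & 0xFFF
    # Cross-check: the alert number Dovecot prints must equal the one packed
    # into the OpenSSL error code, otherwise the line is not what we assume.
    code_alert = reason_code - SSL_AD_REASON_OFFSET
    return {
        "service": m.group("service"),
        "client_ip": m.group("rip"),
        "alert": alert,
        "alert_name": ALERT_NAMES.get(alert, "unknown(%d)" % alert),
        "consistent": code_alert == alert,
        # ssl3_read_bytes raises this error when it reads a fatal alert sent
        # by the peer, so the client, not Dovecot, aborted the handshake.
        "sent_by_client": m.group("func") == "ssl3_read_bytes",
        "client_rejected_server_cert": alert in CERT_REJECTIONS,
    }


def summarize(lines):
    """Count certificate rejections per client IP over a batch of log lines."""
    counts = {}
    for line in lines:
        info = classify(line)
        if info and info["client_rejected_server_cert"]:
            counts[info["client_ip"]] = counts.get(info["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("certificate rejections per client:", summarize(SAMPLE_LOG))
```

Running it over the posted line reports alert 46 (`certificate_unknown`), consistent with the packed code `0x416 = 1046 = 1000 + 46`, sent by the client at `rip=88.175.52.119`: Thunderbird could not validate what the server presented. The next check on that path is therefore the certificate chain the server actually serves, e.g. `openssl s_client -connect mail.microlinux.fr:993 -servername mail.microlinux.fr -showcerts`, and `doveconf -n | grep ssl` to confirm that `ssl_cert` and `ssl_key` point at the reissued files (Certbot's `-0001` lineage has its own directory under `/etc/letsencrypt/live/`). On Dovecot 2.3, which Rocky Linux 8 ships, the minimum protocol version is set with `ssl_min_protocol = TLSv1.2`; the older `ssl_protocols` directive was removed in that release.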

Looks to me as if dovecot has SSLv3 enabled - that is an old and insecure protocol - SSLv2 and SSLv3 should be long disabled, as well as TLSv1.0 and TLSv1.1. Most likely you have certificates generated that won’t work with SSLv3 and hence the problem. At least that’s how it looks to me. I expect once SSLv3 is disabled, all should work.

Any idea how I can do that? I took a peek in Dovecot’s configuration files, but to no avail. Again, I asked chat.mistral.ai, it told me something about an ssl_protocols directive in Dovecot’s configuration, but this directive seems to be nonexistent.

Curious detail: up until yesterday everything worked fine. Only after I bulk revoked all certificates and reissued them did the problems appear.

If it doesn’t exist, then you probably have to add it in the config files for it to then use the appropriate value to enable/disable. I don’t use dovecot, but that is usually how you do things. A config entry doesn’t have to exist in the config files.

Just found the solution. Turns out it was Fail2ban after all. Sorry for the drama.


Uff, that was good then 🙂
