Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ?
Bastian, are you using an old version of thunderbird ? googling for "SSL alert number 42" gave me two results indicating a bug in thunderbird versions 31,32 and 33. You can check these links if you wish : * http://www.dovecot.org/list/dovecot/2014-July/097133.html * http://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-to-dovecot-and-postfix -- Yassine On Friday, February 17, 2017 7:29 PM, Robert L Mathews <li...@tigertech.com> wrote: On 2/17/17 8:58 AM, Bastian Sebode wrote: > I uploaded two Wireshark tracefiles, further logs and dovecot -n Looking at your dovecot -n, you're using two different files here: ssl_cert = </etc/ssl/sebode-online.de/chain.pem ssl_key = </etc/ssl/sebode-online.de/key.pem Are you sure these two files match, and contain the right things in the right order? We use a single PEM file as input for both of these parameters, and that PEM file contains, in this order: -----BEGIN RSA PRIVATE KEY----- ... -----BEGIN CERTIFICATE----- ... -----BEGIN CERTIFICATE----- ... where the first BEGIN CERTIFICATE is the specific hostname one, and the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate certificate that ends with "DNFu0Qg==". You're also manually specifying these non-default parameters: ssl_cipher_list = ... ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 For testing, I would simplify. Does it work without any of those three things set? -- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
