On Wed, March 3, 2021 1:17 am, Yassine Chaouche wrote:

Erwan, Yassine,

thanks.

hmm, just tried this, 110/143 gives error, 995/993 doesn't:
I'll try changing in TB to SSL/TLS not StartTLS, 995 or 993, etc, and, see if error goes

# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
unable to load certificate
139830305752976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

# echo | openssl s_client -connect emu.sbt.net.au:995 2>/dev/null | openssl x509 -noout -enddate
notAfter=Apr 27 12:11:32 2021 GMT

> Looks fine from my side, both on pop3s
>
> ------------------------------------------------------------------------
>
> ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:*995* -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = emu.sbt.net.au
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=emu.sbt.net.au
>    i:/C=US/O=Let's Encrypt/CN=R3
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/CN=emu.sbt.net.au
> issuer=/C=US/O=Let's Encrypt/CN=R3
> ---
> [...]
> Start Time: 1614694135
> Timeout : 300 (sec)
> *Verify return code: 0 (ok)*
> ---
> +OK Dovecot ready.
> ^C
> ychaouche#ychaouche-PC 15:09:01 ~ $
>
> ------------------------------------------------------------------------
>
> and on pop3 with starttls
>
> ------------------------------------------------------------------------
>
> ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client*-starttls pop3* -connect 103.106.168.105*:pop3* -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = emu.sbt.net.au
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=emu.sbt.net.au
>    i:/C=US/O=Let's Encrypt/CN=R3
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/CN=emu.sbt.net.au
> issuer=/C=US/O=Let's Encrypt/CN=R3
> ---
> [...]
> Start Time: 1614694499
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> +OK Dovecot ready.
> ^C
> ychaouche#ychaouche-PC 15:15:04 ~ $
>
> ------------------------------------------------------------------------
>
> On 3/2/21 at 1:41 PM, Erwan David wrote:
>
>> On 02/03/2021 at 13:29, Voytek Eymont wrote:
>>
>>> since a couple of days one of users reported getting expired
>>> certificate error in TB, looking at the log, I can see like:
>>>
>>> Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0
>>> secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS:
>>> SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3
>>> alert certificate expired: SSL alert number 45, session=<...>
>>
>> Here it is the certificate presented on the pop3 port (either port 110
>> with a STLS command or port 995)
>>
>>> but, looking at server with
>>> https://ssl-tools.net/mailservers/emu.sbt.net.au it says 'valid' as
>>> does certbot tool
>>
>> Here it seems the site tests the smtp server (on port 25), which is not
>> handled by dovecot. You probably have different certificates on both.
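
A per-port version of the expiry check used in this thread, as an added example that is not from any of the posters. An `s_client` pointed at a plaintext port (25, 110, 143) without `-starttls` never completes a TLS handshake, so nothing reaches `openssl x509`; the script picks the option per port and checks each listener separately, since SMTP and Dovecot may serve different certificates. The function names and the port mapping (standard port assignments) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check certificate expiry per mail port.
# Assumption: standard port assignments decide implicit TLS vs STARTTLS.

# Print the s_client -starttls protocol for a plaintext port; print nothing
# for implicit-TLS ports; fail for ports this example does not know.
starttls_proto() {
    case "$1" in
        25|587)      echo smtp ;;
        110)         echo pop3 ;;
        143)         echo imap ;;
        465|993|995) ;;
        *)           return 1 ;;
    esac
}

# Build the s_client arguments for HOST PORT.
s_client_args() {
    proto=$(starttls_proto "$2") || return 1
    args="-connect $1:$2 -servername $1"
    if [ -n "$proto" ]; then args="$args -starttls $proto"; fi
    echo "$args"
}

# Print notAfter for the certificate served on HOST PORT.
# Returns 1 if it is already expired, 2 if no certificate was received.
check_port() {
    args=$(s_client_args "$1" "$2") || { echo "$1:$2 unknown port" >&2; return 2; }
    # $args is left unquoted on purpose so it splits into separate options.
    pem=$(openssl s_client $args </dev/null 2>/dev/null | openssl x509 2>/dev/null)
    [ -n "$pem" ] || { echo "$1:$2 no certificate received" >&2; return 2; }
    printf '%s:%s ' "$1" "$2"
    echo "$pem" | openssl x509 -noout -enddate
    echo "$pem" | openssl x509 -noout -checkend 0 >/dev/null
}

# Usage: sh mailcert.sh HOST [PORT...]   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    host=$1; shift
    [ "$#" -gt 0 ] || set -- 25 110 143 993 995
    status=0
    for port in "$@"; do
        check_port "$host" "$port" || status=1
    done
    exit "$status"
fi
```

A non-zero exit status means at least one of the checked ports served an expired certificate or returned none.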