On Sun, May 31, 2020 at 03:20:51PM +0200, Matthias Apitz wrote:
> Any ideas?

Run mutt with the -d2 switch and it'll store debug information in ~/.muttdebug0.

For me, mutt finds a PositiveSSL wildcard cert after STARTTLS on the host and
port you specified:

  [2019-05-31 15:49:53] Looking up imap.1blu.de...
  [2020-05-31 15:49:53] Connecting to imap.1blu.de...
  [2020-05-31 15:49:53] Connected to imap.1blu.de:143 on fd=4
  [2020-05-31 15:49:53] 4< * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.
  [2020-05-31 15:49:53] 4> a0000 STARTTLS
  [2020-05-31 15:49:53] 4< a0000 OK Begin TLS negotiation now.
  [2020-05-31 15:49:53] ssl_load_certificates: loading trusted certificates
  [2020-05-31 15:49:53] mutt_ssl_starttls: Error loading trusted certificates
  [2020-05-31 15:49:53] ssl_verify_callback: checking cert chain entry /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority (preverify: 1 skipmode: 0)
  [2020-05-31 15:49:53] ssl_verify_callback: checking cert chain entry /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA (preverify: 1 skipmode: 0)
  [2020-05-31 15:49:53] ssl_verify_callback: checking cert chain entry /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.1blu.de (preverify: 1 skipmode: 0)
  [2020-05-31 15:49:53] ssl_verify_callback: hostname check passed
  [2020-05-31 15:49:53] TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384)

openssl s_client confirms that this valid PositiveSSL wildcard cert is being
presented on both port 143 after STARTTLS and port 993 (IMAPS). So far so good?

Unless the hoster was just rotating certs when you were looking, your mutt debug
output will tell you more. Lastly -- make 100% sure that the DNS name is
resolving to the correct IP address for you locally -- compare dig @1.1.1.1
imap.1blu.de to whatever your mutt debug output shows as well as the output of
dig without the @ clause.

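As an added example (not part of the original message and not mutt's own code): a small Python parser for -d2 debug lines in the format quoted above, which rejoins records wrapped by a mail client and summarizes the chain entries, hostname check, negotiated TLS version and error lines. The sample log is constructed, imap.example.org is a placeholder, and reading "preverify: 1" as "OpenSSL accepted this certificate" is an assumption.

```python
import re

# Patterns cover only the message shapes visible in the debug output quoted above.
STAMP = re.compile(r"^\s*\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]\s*")
CHAIN = re.compile(r"checking cert chain entry (.+?) \(preverify: (\d+) skipmode: (\d+)\)")
CONNECTED = re.compile(r"Connected to (\S+):(\d+) on fd=\d+")
TLS = re.compile(r"^(\S+) connection using \S+ \((\S+)\)")

# Constructed sample (placeholder host and subjects); one record is wrapped on purpose.
SAMPLE = """\
[2020-05-31 15:49:53] Connected to imap.example.org:143 on fd=4
[2020-05-31 15:49:53] 4> a0000 STARTTLS
[2020-05-31 15:49:53] mutt_ssl_starttls: Error loading trusted certificates
[2020-05-31 15:49:53] ssl_verify_callback: checking cert chain entry /O=Example CA/CN=Example Root (preverify: 1 skipmode: 0)
[2020-05-31 15:49:53] ssl_verify_callback: checking cert chain entry
/OU=Domain Control Validated/CN=*.example.org (preverify: 0
skipmode: 0)
[2020-05-31 15:49:53] ssl_verify_callback: hostname check passed
[2020-05-31 15:49:53] TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384)
"""

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(STAMP.sub("", line).rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Collect peer, chain entries, hostname check, TLS version and error lines."""
    out = {"peer": None, "chain": [], "hostname_ok": False, "tls": None, "errors": []}
    for rec in unwrap(text):
        if m := CONNECTED.search(rec):
            out["peer"] = (m.group(1), int(m.group(2)))
        elif m := CHAIN.search(rec):
            out["chain"].append({"subject": m.group(1), "preverify": int(m.group(2)),
                                 "skipmode": int(m.group(3))})
        elif "hostname check passed" in rec:
            out["hostname_ok"] = True
        elif m := TLS.match(rec):
            out["tls"] = (m.group(1), m.group(2))
        elif "Error" in rec:
            out["errors"].append(rec)
    # The last chain entry is the server certificate, as in the log quoted above.
    out["leaf"] = out["chain"][-1]["subject"] if out["chain"] else None
    out["chain_ok"] = bool(out["chain"]) and all(c["preverify"] == 1 for c in out["chain"])
    return out
```

Calling summarize() on the contents of ~/.muttdebug0 gives the peer and leaf subject to compare against what openssl s_client and dig report.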