
I added SSL support to my Exim SMTP server. Now I'm trying it with a Thunderbird client. First of all I imported my self-signed certificate into the Thunderbird keystore and then I tried to connect. It fails, and this is what Exim gets:

2016-02-27 15:26:00 TLS error on connection from [195.78.226.25] (recv): A TLS fatal alert has been received.: CA is unknown
2016-02-27 15:26:00 TLS error on connection from [195.78.226.25] (send): The specified session has been invalidated for some reason.

I cannot understand if this is a client or server error. For me it should be a client error, but why does it happen if I imported the certificate into the Thunderbird keystore?

Tobia

1 Answer

This is Exim showing that the client is complaining about a self-signed cert. More details here.

Specifically, "A TLS fatal alert has been received" is followed by the message that the client sent to the server when refusing to continue the connection.

I managed to fix this by downloading the PEM-format certificate file from the server, and then going to the Mozilla "Manage Certificates" dialog. (You might find this under the "Privacy & Security | Certificates" preferences section.) Click on the Servers tab and then the [Import...] button. Nevertheless, SeaMonkey (Mozilla's all-in-one client suite) still asked me to confirm the certificate fingerprint before it would use it.

It's worth trying a few times in case it doesn't prompt you the first time to accept the certificate.

On Debian/Ubuntu, you can view the fingerprint of the server's default self-signed cert with this command:

openssl x509 -fingerprint -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem

Alastair Irvine
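
An added example, not part of the original answer: a Python check that the certificate the mail server actually presents after STARTTLS hashes to the fingerprint line printed by the `openssl x509 -fingerprint` command above, which is the value the mail client asks you to confirm. The function names and the `check_fp.py` script name are hypothetical; port 25 with STARTTLS is an assumption about the server setup.

```python
import hashlib
import hmac
import smtplib
import ssl
import sys


def fingerprint(der, algo="sha1"):
    """Digest of the DER certificate, formatted like `openssl x509 -fingerprint`."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


def parse_openssl_line(line):
    """Split 'SHA1 Fingerprint=AA:BB:...' into ('sha1', 'AA:BB:...')."""
    label, _, value = line.strip().partition("=")
    words = label.split()
    if len(words) != 2 or words[1].lower() != "fingerprint" or not value:
        raise ValueError("not an openssl fingerprint line: %r" % line)
    return words[0].lower().replace("-", ""), value.upper()


def fetch_smtp_cert(host, port=25, timeout=10):
    """Return the DER certificate the server presents after STARTTLS.

    Chain verification is switched off only so that a self-signed certificate
    can be read; nothing but EHLO/STARTTLS/QUIT is sent on this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def server_matches(der, openssl_line):
    """True if the certificate hashes to the fingerprint openssl printed."""
    algo, expected = parse_openssl_line(openssl_line)
    return hmac.compare_digest(fingerprint(der, algo), expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_fp.py HOST 'SHA1 Fingerprint=..'")
    der = fetch_smtp_cert(sys.argv[1])
    print("server presents:", fingerprint(der))
    print("match" if server_matches(der, sys.argv[2]) else "MISMATCH")
```

A mismatch means the server is presenting a different certificate from the file that was fingerprinted, for example because Exim is configured with another certificate path.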