
I am new to operating an email server (postfix + dovecot), and things seem to be working with my preferred email client (mutt), but when I try to use thunderbird, thunderbird fails to connect (and offers no useful information) and I get one SSL error in my server log for POP3 and one for SMTP (shown with a line break for readability):

Error:

dovecot: pop3-login: Error: SSL: Stacked error: error:14094414:SSL routines:
    ssl3_read_bytes:sslv3 alert certificate revoked: SSL alert number 44

postfix/smtps/smtpd[1649]: SSL_accept error from unknown[###]: lost connection

Questions:

  1. What do these errors mean?

  2. In the first one, is thunderbird rejecting a certificate given by the server, or is the server rejecting a certificate given by thunderbird?

  3. Does the first error mean that thunderbird is using SSLv3? Doesn't that have a vulnerability?

When I connect to the server on the POP3 port using openssl s_client it says the certificates look fine. openssl also says it is using TLSv1.2.

rexroni
    Any additional information in Thunderbird under Tools, Developer Tools, Error Console? In general, what certificates are you using? – Jens Erat Aug 30 '17 at 19:48
  • THERE'S AN ERROR CONSOLE??? I never knew! But alas, nothing shows in Error Console when thunderbird tries to connect to POP3. I know network traffic is happening because I get more errors in the server's log file, but no network entries are generated in the Error Console. – rexroni Aug 30 '17 at 20:23
  • Unfortunately, as a newbie to hosting a server, I'm not quite sure how to answer your question: "what certificates are you using?". I have a startcom signed certificate that the server is presenting, and the client machine (arch linux) has ca-certificates and ca-certificates-mozilla installed. – rexroni Aug 30 '17 at 20:25

1 Answer


Mozilla (and others) distrusted the StartCom CA. While mutt relies on your system's certificate store that still trusts StartCom, Mozilla products use their own list of trusted CAs that completely revoked StartCom CAs. This is probably also the explanation for the "revoked" error message, which then in fact is triggered by the IMAP client, Thunderbird.

Either use a certificate from another CA, or manually install the StartCom CA as trusted in Thunderbird. The latter is of course not an applicable measure for non-managed systems of other users.

Jens Erat