Dovecot Issues on Debian 12

SYSTEM INFORMATION
OS Version - Debian 12
Webmin version - 2.510
Virtualmin version - 7.40.1

This is an error I keep getting when I run journalctl -f

dovecot[281918]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=103.186.198.165, lip=72.60.203.205, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=

As far as I can make out, this is happening with only one domain. This IP - 103.186.198.165 - belongs to the client that owns the domain where the problem occurs. It’s happening only with Outlook. In that same office, they are able to connect to my VPS through an iPhone and that works properly.

Can we do something about this? Please let me know what information you need from me, and where to get it, to troubleshoot this.

Thank you.
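To see whether failures like the journal line above come from one client and one service, the log can be tallied by remote IP and TLS alert. This is an added example, not part of the original post; the sample lines are constructed in the same Dovecot format with documentation-range addresses, and `tls_alerts` is a name chosen here.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 8446, section 6).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Dovecot login-process line that reports an alert received from the client.
LOGIN_FAIL = re.compile(
    r"dovecot\[\d+\]: (?P<svc>\w+)-login: .*?SSL alert number (?P<num>\d+)"
    r".*?rip=(?P<rip>[0-9A-Fa-f.:]+),")

def tls_alerts(lines):
    """Count client-sent TLS alerts per (remote IP, service, alert name)."""
    counts = Counter()
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            num = int(m["num"])
            name = CERT_ALERTS.get(num, f"alert_{num}")
            counts[(m["rip"], m["svc"], name)] += 1
    return counts

def _line(svc, rip, reason, num):
    # Constructed sample line; OpenSSL reason code for a received alert is 1000 + alert.
    return (f"dovecot[1001]: {svc}-login: Disconnected: Connection closed: "
            f"SSL_accept() failed: error:0A000{1000 + num:03X}:SSL routines::"
            f"{reason}: SSL alert number {num} (no auth attempts in 0 secs): "
            f"user=<>, rip={rip}, lip=198.51.100.5, TLS handshaking")

SAMPLE = [  # constructed data, not taken from the thread
    _line("imap", "192.0.2.10", "sslv3 alert certificate unknown", 46),
    _line("imap", "192.0.2.10", "sslv3 alert certificate unknown", 46),
    _line("pop3", "192.0.2.10", "sslv3 alert certificate unknown", 46),
    _line("imap", "192.0.2.77", "tlsv1 alert unknown ca", 48),
    "dovecot[1001]: imap-login: Login: user=<a@example.test>, method=PLAIN, "
    "rip=192.0.2.10, lip=198.51.100.5, TLS",  # successful login, ignored
]

if __name__ == "__main__":
    for (rip, svc, alert), n in tls_alerts(SAMPLE).most_common():
        print(f"{n:3d}  {rip:15s} {svc:5s} {alert}")
```

On a live host the input would be the lines from `journalctl -u dovecot` instead of `SAMPLE`.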

maybe they should upgrade outlook? are they using outlook 2013 or older?
(iirc, these versions are not supported anymore…)

They did say they are using the latest version. I asked about that first thing.

i see no auth sent, so maybe they have completely wrong settings in outlook / incoming.

The problem is they have 2 domains hosted with us. We have both of them on the same server. Both of them are on the same Outlook. One of them works perfectly while the other doesn’t. All settings are the same.

They’re not getting to auth. Obviously there is no auth because the TLS connection failed as it couldn’t verify. Auth is not expected in this session yet.

The problem is the client got a certificate they didn’t like. So, use openssl to connect to the exact same hostname and port the user is trying to connect to and see if you get the right cert for exactly that hostname and if it verifies.

Thank you for your reply. I will do this and report. Of course, it will take me some time as I will need to look up on the Internet how to do this exactly.

Got this for port 587-

openssl s_client -connect effezascience.com:587
CONNECTED(00000003)
40A78ACA4F7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This, for port 465 -

openssl s_client -connect effezascience.com:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R13
verify return:1
depth=0 CN = effezascience.com
verify return:1
---
Certificate chain
 0 s:CN = effezascience.com
   i:C = US, O = Let's Encrypt, CN = R13
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 15 05:50:07 2025 GMT; NotAfter: Jan 13 05:50:06 2026 GMT
 1 s:C = US, O = Let's Encrypt, CN = R13
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = effezascience.com
issuer=C = US, O = Let's Encrypt, CN = R13
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3156 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7C0EBCDEB7204D63F53CB1D2E9CD5D17214F0218EE6621FE134949F9250EC964
    Session-ID-ctx: 
    Resumption PSK: 37198BAE2570CF3B85D9A55DC50BC0BF0FC62C1E3B368B5E522794F41368942D8FBEC6043A3B4B9BC5918F258F8D6A28
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1760636264
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 server.securemailserver.in ESMTP Postfix (Debian/GNU)

The following for port 995 -

openssl s_client -connect effezascience.com:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R12
verify return:1
depth=0 CN = effezascience.com
verify return:1
---
Certificate chain
 0 s:CN = effezascience.com
   i:C = US, O = Let's Encrypt, CN = R12
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 16 10:14:27 2025 GMT; NotAfter: Jan 14 10:14:26 2026 GMT
 1 s:C = US, O = Let's Encrypt, CN = R12
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = effezascience.com
issuer=C = US, O = Let's Encrypt, CN = R12
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3302 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 392E1E81DE0085D90A6978EE61506980C5E3C36D39065D70E72812CEC485DC49
    Session-ID-ctx: 
    Resumption PSK: 0C7F476664690A021848F12FD604D7923660307E77E6A19A4AFB7399CA5A8CF0CC5DE348C904461E9490CEEF12C49B22
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1760636382
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CE607BCC863F6CE32C46776DD0F088C78098E89CA05DA65DE7048B4B848C622B
    Session-ID-ctx: 
    Resumption PSK: 4302D2621CBD28E71FAC51C0258D73168D19BCB0E21DF515E3CA398847EA495F46163C759A94467DF586766CBEB527FA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1760636382
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
+OK Dovecot (Debian) ready.

Do the above help?

465 and 587 are not Dovecot. Those are the SMTP server (Postfix). So, those are off-topic. The problem you see with submission port (587) is probably because the connection is not SSL/TLS. It allows negotiation of an encrypted STARTTLS connection, but it is not wrapped in an encrypted connection.

Dovecot on 995 looks fine, if your client really is connecting to the hostname (and exactly the hostname, not some subdomain not included in the cert) effezascience.com.

So, is your client actually connecting to exactly that hostname and port 995 for POP3S? (Are you sure it’s using POP3S and not IMAPS, which is much more common in modern mail deployments?)

The client is connecting to mail.effezascience.com
That is the MX Mail Server.

I asked the client to connect to both POP3S and IMAP to check.

openssl s_client -connect effezascience.com:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R12
verify return:1
depth=0 CN = effezascience.com
verify return:1
---
Certificate chain
 0 s:CN = effezascience.com
   i:C = US, O = Let's Encrypt, CN = R12
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 16 10:14:27 2025 GMT; NotAfter: Jan 14 10:14:26 2026 GMT
 1 s:C = US, O = Let's Encrypt, CN = R12
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = effezascience.com
issuer=C = US, O = Let's Encrypt, CN = R12
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3302 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9BAAD3B2B1D3A085C661CBE7849E0992E64E473E287ACC07BBAD192727B48700
    Session-ID-ctx: 
    Resumption PSK: F41F7F5AD514CB942AD80083AAD9068BC93EA9D0C363820D72D273203182CA2CD53CAC1FEF9852FA402FB2DA3CDF4380
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1760641935
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 09D2D940F3A987A7B6A65EDC35670DC7F0E61BFC243FA7578E58A3049A329661
    Session-ID-ctx: 
    Resumption PSK: ABAF5345F7382DA232347ABE05B71E16E834306E3533B6FE922622A1EE9BFA70F2AB6099719073608882F6F93A2D92E6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1760641935
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.

Should I try entering only effezascience.com in the mail server settings in Outlook and not mail.effezascience.com?

Will that help?

Your SSL for Dovecot is configured correctly!

In your case, either will work! You can see it in the following openssl command output:

~# openssl s_client -connect effezascience.com:993 </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A1 "Subject Alternative Name"
 X509v3 Subject Alternative Name: 
   DNS:admin.effezascience.com, DNS:autoconfig.effezascience.com, DNS:autodiscover.effezascience.com, DNS:effezascience.com, DNS:mail.effezascience.com, DNS:webmail.effezascience.com, DNS:www.effezascience.com

Why test effezascience.com if your client is connecting to mail.effezascience.com?

In this case, it does work with the mail subdomain, as well. But, if you’re trying to track down a problem with TLS, you need to connect to the same thing the problem client is connecting to when testing. There are several ways those two names could behave differently.
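The checks suggested in the replies above (handshake against exactly the hostname and port the client uses, and STARTTLS rather than a direct TLS handshake on 587) can be scripted as follows. This is an added example, not code from the thread; `probe` and `smtp_starttls` are names chosen here, and verification uses the system trust store.

```python
import socket
import ssl

def _smtp_reply(sock):
    """Read one (possibly multi-line) SMTP reply; return its numeric code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        # The final line of a reply is "NNN text"; continuation lines are "NNN-text".
        if buf.endswith(b"\r\n") and lines[-2][3:4] in (b" ", b""):
            return int(lines[-2][:3])

def smtp_starttls(sock, ehlo_name="probe.example.test"):
    """Plaintext part of submission (587): banner, EHLO, STARTTLS."""
    if _smtp_reply(sock) != 220:
        return False
    sock.sendall(b"EHLO " + ehlo_name.encode() + b"\r\n")
    if _smtp_reply(sock) != 250:
        return False
    sock.sendall(b"STARTTLS\r\n")
    return _smtp_reply(sock) == 220   # 220 = go ahead with the TLS handshake

def probe(host, port, starttls=False, sock=None, timeout=10):
    """TLS handshake with SNI and verification for exactly `host`.

    Returns (status, detail); `sock` lets a caller supply a connected socket.
    """
    if sock is None:
        sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(timeout)
    ctx = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        if starttls and not smtp_starttls(sock):
            return ("no-starttls", "server did not accept STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                    if k == "DNS"]
            return ("ok", f"{tls.version()}, certificate names: {sans}")
    except ssl.SSLCertVerificationError as exc:
        # Client-side view of a certificate the client will not accept.
        return ("cert-rejected", exc.verify_message)
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER: the server answered in plaintext.
        return ("handshake-failed", exc.reason or str(exc))
    finally:
        sock.close()
```

For the client in this thread the calls would be `probe("mail.effezascience.com", 993)` for IMAPS and `probe("mail.effezascience.com", 587, starttls=True)` for submission; calling it on 587 without `starttls=True` reproduces the "wrong version number" result shown earlier.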

I got off the phone with the client again after spending another 2 hours checking this. In the end, I asked them to install Thunderbird. That worked immediately without any problems. I have asked them to not use Outlook.

End of matter. I appreciate your help deeply, @Joe and @Ilia. Please close this ticket/thread.

What a wise solution! :)

You are welcome!

FYI: As the resident Microsoft user: Certain versions of Outlook label StartTLS and TLS/SSL incorrectly in the settings. I think 2021 is correct.

I use Outlook all of the time.

Actually, wait! What did that configure in Thunderbird? I mean, if you open account settings in Thunderbird, which port was configured for IMAP?

I mean, Outlook should also work. If it doesn’t, maybe update. It has had various bugs over the years, but we know lots of people are using Outlook with Dovecot and Postfix as we configure it.

The usual. I set it up for POP3, port 995 was by default. I checked with IMAP as well. It worked flawlessly. In Outlook, on some other PC, mail was being received but not being sent. Versus, in some other PC in the client’s office, mail was not being received on POP3 but was being received on IMAP. Same office, same version of Outlook yet different scenarios being created.

(And the SSLv3 error - from the other thread I created - was happening when a particular person using an iPhone 16 with the latest version of iOS was connecting to my VPS from Apple Mail. Told her to delete all mail accounts on her phone. Will talk to her tomorrow about that)