Jerry Stuckle writes:

I'm starting with POP3 (because it's easy to handle from the CLI). I have it working from localhost - I can telnet to port localhost 110 and access emails (of course I can't do this from a remote system because it requires SSL).

Sure you can:

(STARTTLS style) openssl s_client -starttls pop3 -connect your.pop.server:110

(SSL style) openssl s_client -connect your.pop.server:995

You can also use ncat (exercise left to the reader).

"localhost", I believe, is a specific exclusion where SSL in *not* enforced during the session.

Trying to access this from a remote system with Thunderbird is not working. /var/log/mail.log shows the following:

2024-03-03T22:18:54.887061-05:00 debian-server dovecot: pop3-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=206.223.85.12, lip=206.223.85.137, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<l6qBL80SOePO31UM>

This looks like an error message stating STARTTLS was expected but the client used a plaintext session. Try enabling STARTTLS on your Thunderbird.

If that is not the cause ...

Ref: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/

The most important dovecot configurations are

ssl_cert = </path/to/your/server.crt ssl_key = </path/to/your/server.key

You can have protocol specific certificates e.g.

protocol pop3 { ssl_cert = ... ssl_key = ... }

but you'll typically put this outside the protocol section so that there is one default certificate.

I need help. First of all, an explanation as to how to configure the dovecot-openssl.cnf file (an example with actual values - real or fake - would be a real help).

Second, where does this go?

Maybe running doveconf will tell you where your installation expects the main configuration file to be. This file may include other config files.

Note that for right now I'm trying to just get one domain working but eventually this will serve at least 4 domains. Once I get the first domain working, thoughts about how to get multiple domains working would also be appreciated.

This depends on how you set up your filesystem and authentication and your security constraints. You'll have to be more specific on your setup.

Confining my reply to just SSL setup, you can obtain a SSL certificate with multiple domains named listed, which makes multi-domain SSL support easier.

Joseph Tam <jtam.home@gmail.com>