Dovecot TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
I get this error:
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.58.235.102, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<h5b0juhsooesoutm>
The following command shows a normal response/certificate:
openssl s_client -starttls imap -servername $hostname -connect $hostname:143
1 Reply
This is symptomatic of a client (172.58.235.102…an IP address belonging to T-Mobile, USA) using a disallowed protocol according to the dovecot configuration parameter:
ssl_protocols
FWIW, I don't use this setting. I have
ssl_min_protocol = TLSv1.2
which means that any client using a protocol weaker (less secure) than TLS 1.2 will cause dovecot to throw this error and reject the connection attempt.
The error is innocuous unless the remote IP address is a cell phone you need to support… It typically indicates a misconfigured MUA…or a very amateurish attempt at intrusion into your mail system (Hint: if this is common and you determine it's the latter, you can configure fail2ban to block the rip for some amount of time).
-- sw
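An added example, not part of the question or the reply above: a small Python triage script that extracts the rip and the SSL alert from imap-login handshake failures like the one quoted and counts them per source, which helps tell one misbehaving device from repeated noise before writing a fail2ban rule. The sample log lines are constructed (documentation address ranges), and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the log line quoted in the question;
# the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<aaa>
dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<bbb>
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<ccc>
dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, mpid=4242, TLS, session=<ddd>
"""

# Matches only pre-auth disconnects caused by a failed SSL_accept().
FAIL_RE = re.compile(
    r"imap-login: Disconnected .*?rip=(?P<rip>[0-9A-Fa-f.:]+), lip=\S+ "
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>.+?)(?:, session=<|$)"
)
# Pulls the alert text and number out of the OpenSSL error string, if present.
ALERT_RE = re.compile(r":(?P<name>[^:]*alert [^:]+): SSL alert number (?P<num>\d+)")


def handshake_failures(log_text):
    """Return a list of (rip, alert_number_or_None, alert_text_or_raw_error)."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        alert = ALERT_RE.search(m.group("err"))
        if alert:
            found.append((m.group("rip"), int(alert.group("num")), alert.group("name")))
        else:
            found.append((m.group("rip"), None, m.group("err")))
    return found


def tally(log_text):
    """Map each rip to a Counter of (alert_number, alert_text) occurrences."""
    per_rip = defaultdict(Counter)
    for rip, num, name in handshake_failures(log_text):
        per_rip[rip][(num, name)] += 1
    return dict(per_rip)


def repeat_sources(log_text, min_failures=2):
    """Sorted rips with at least min_failures failed handshakes."""
    return sorted(r for r, c in tally(log_text).items() if sum(c.values()) >= min_failures)


if __name__ == "__main__":
    for rip, counts in tally(SAMPLE_LOG).items():
        print(rip, dict(counts))
```
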