# IMAP TLS/SSL certificate failure after update [SOLVED]

## forbjok

This is a really weird problem. Earlier today, I ran an "emerge -uD world" on my mailserver, which is also running apache with webmail and group-office. I had group-office working a few minutes before, and even after the update.

Among the things that got updated was Postfix and iptables.

I had to restart postfix and iptables, and since I wasn't sure if any other network services were updated without being restarted, I decided to do a full network service restart.

```
# /etc/init.d/net.br0 restart
```

(It's br0, because it's 2 or 3 nics bridged together)

Everything came back up just fine, but now Group-Office pops up the following when I enter the mail module:

 *Group-Office wrote:*   

> Failed to connect to mail server: 'mail.forb.nazari.org' at port: 143
> 
> Certificate failure for mail.forb.nazari.org: self signed certificate: /C=US/ST=NY/L=New York/O=Israfel Mail Server/OU=Automatically-generated IMAP SSL key/CN=israfel.forb.nazari.org/emailAddress=admin@forb.nazari.org

 

It seems that for some reason IMAP is trying to use SSL certificates? I've never even had the imapd-ssl or pop3d-ssl daemons running, and as far as I know 143 is just plain IMAP.

What's more strange is that everything else seems to work perfectly. Postfix is able to both send and receive mail without problems, Squirrelmail and phpMyAdmin still work perfectly, and I can even log into the mailserver using IMAP from www.mail2web.com.

I've tried re-running "mkpop3dcert" and "mkimapdcert", but it doesn't do anything. Deleting the .pem files from /etc/courier-imap/ does however get a reaction:

 *Group-Office wrote:*   

> Failed to connect to mail server: 'mail.forb.nazari.org' at port: 143
> 
> TLS/SSL failure for mail.forb.nazari.org: SSL negotiation failed

 

Then, after recreating the certificates, it's back to the first error again. This is really weird, and I don't think Group-Office itself was even updated.  :Confused: 

Anyone have any ideas what could be the problem?

EDIT:

 */var/log/messages wrote:*   

> Aug 27 12:50:23 israfel imapd: Connection, ip=[80.207.235.100]
> 
> Aug 27 12:50:23 israfel imapd: couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

 

Tries to use TLS possibly?

By the way, Group-Office also pops up an error message "mail.forb.nazari.org is unreachable. Automatic checking of e-mail is disabled."

However, mail.forb.nazari.org is definitely up and running.

Last edited by forbjok on Fri Aug 27, 2004 5:47 pm; edited 2 times in total

----------

## forbjok

I removed the mail.forb.nazari.org (my own mailserver, running locally on the same machine as groupoffice) accounts from my Group-Office account, and it lost the error messages, so I can use it to view other mail accounts.

Upon trying to re-add one of them:

 *Group-Office wrote:*   

> Failed to connect to mail server: 'mail.forb.nazari.org' at port: 143
> 
> Certificate failure for mail.forb.nazari.org: self signed certificate: /C=US/ST=NY/L=New York/O=Israfel Mail Server/OU=Automatically-generated IMAP SSL key/CN=israfel.forb.nazari.org/emailAddress=admin@forb.nazari.org

 

The IMAPd is up and running. Can connect with:

```
telnet mail.forb.nazari.org 143
```

Now, I'm pretty sure the problem is either with Group-Office (in my opinion, rather unlikely), or most likely with the IMAPd. Probably some config file or certificate got overwritten during the update.

Any ideas?

----------

## forbjok

Okay, I think I figured it out. I checked the pop3d-ssl and imapd-ssl files in /etc/courier-imap, and found the options POP3_STARTTLS and IMAPDSTARTTLS set to YES. After commenting out those two lines and restarting the daemons, everything seems to be back to normal.

I seem to recall those files among the ones that were updated, so most likely they changed the default from disabled (or commented) to enabled, or I just don't remember editing it.  :Laughing: 

Just thought I'd post this, in case anyone else has the same problem after updating.  :Wink: 

----------
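An added example, not part of the original thread: a Python check for the setting forbjok describes, reading the effective `IMAPDSTARTTLS` / `POP3_STARTTLS` values from Courier-IMAP config text and testing whether a port-143 greeting advertises STARTTLS. The function names are hypothetical, and the sample config lines and greeting are constructed.

```python
import re

# Option names as given in the thread (files: /etc/courier-imap/imapd-ssl, pop3d-ssl).
STARTTLS_OPTIONS = ("IMAPDSTARTTLS", "POP3_STARTTLS")
_ASSIGN = re.compile(r'^\s*([A-Z0-9_]+)="?([^"#\s]*)"?')

# Constructed samples: the option as found after the update, and after the fix.
AFTER_UPDATE = "IMAPDSTARTTLS=YES\n"
AFTER_FIX = "#IMAPDSTARTTLS=YES\n"
# Constructed, shortened greeting in the form an IMAP server sends on connect.
GREETING = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS] Courier-IMAP ready."


def effective_settings(config_text):
    """Return {option: value} for active assignments in shell-style config text.

    Commented-out lines are ignored and a later assignment overrides an
    earlier one, as when the file is sourced by a shell script.
    """
    settings = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def starttls_enabled(config_text):
    """List the STARTTLS options whose effective value is YES."""
    settings = effective_settings(config_text)
    return [opt for opt in STARTTLS_OPTIONS if settings.get(opt, "").upper() == "YES"]


def advertises_starttls(server_line):
    """True if an IMAP greeting or CAPABILITY response lists STARTTLS."""
    match = re.search(r"CAPABILITY\s+([^\]\r\n]*)", server_line, re.IGNORECASE)
    return bool(match) and "STARTTLS" in match.group(1).upper().split()


if __name__ == "__main__":
    for label, text in (("after update", AFTER_UPDATE), ("after fix", AFTER_FIX)):
        print(label, "->", starttls_enabled(text) or "STARTTLS not enabled")
    print("port 143 greeting advertises STARTTLS:", advertises_starttls(GREETING))
```

With the option off, port 143 offers no TLS upgrade, so remote clients on that port authenticate in cleartext. Installing a certificate the client trusts keeps STARTTLS usable without the certificate failure.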

## honeymak

I got the same problem

I'm using Group-Office 2.12a

I tried disabling TLS of courier-imap

but the problem still exists

It can log in without problem and lists all my IMAP directories correctly

but just no email is displayed in the right hand side of email folder listings

any clues?

thx

 :Question: 

----------

