SSL error: sslv3 alert certificate unknown

Frank Kirschner fk at celebrate.de
Fri May 10 08:09:53 CEST 2019


Hello everyone,

I have set up a mail server with Postfix and Dovecot. It runs well so
far; only one client is causing problems.
It is an Android phone with K-9 Mail. Recurring cyclically, from the
dovecot log file:

May 10 06:41:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<ypG/L4GICLzAqIKr>
May 10 06:42:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<BVVQM4GIoMLAqIKr>
May 10 06:43:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<HxPlNoGISMnAqIKr>
May 10 06:44:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<+4l3OoGIxM/AqIKr>
May 10 06:45:10 imap-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=196.52.43.131, lip=192.168.130.191, TLS handshaking: Disconnected, session=<ZhxMO4GIOuzENCuD>
May 10 06:45:55 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<xycBPoGIbtbAqIKr>
May 10 06:46:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<EgafQYGIGN3AqIKr>
May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>, method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24201, TLS, session=<O1tNRIGINMCyDkTn>
May 10 06:47:41 imap-login: Info: Login: user=<foo at bar.de>, method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24202, TLS, session=<4qNNRIGINsCyDkTn>
May 10 06:47:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<BOAsRYGI1uPAqIKr>
May 10 06:48:23 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<j5rSRoGIoOiyDkTn>
May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<DrrXRoGIouiyDkTn>
May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<fFPdRoGIpOiyDkTn>
May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<ffbiRoGIpuiyDkTn>
May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<PsPqRoGIqOiyDkTn>
May 10 06:48:25 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<d5fvRoGIquiyDkTn>
May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<19/1RoGIrOiyDkTn>
May 10 06:48:26 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<mtz7RoGIruiyDkTn>
May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<G8wDR4GIsOiyDkTn>
May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<u2kJR4GIsuiyDkTn>
May 10 06:48:27 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<wGAOR4GItOiyDkTn>
May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<29gTR4GItuiyDkTn>
May 10 06:48:28 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=178.14.68.231, lip=192.168.130.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<RPseR4GIuOiyDkTn>
May 10 06:48:51 imap-login: Info: Login: user=<foo at bar.de>, method=PLAIN, rip=178.14.68.231, lip=192.168.130.191, mpid=24225, TLS, session=<V9x8SIGImMCyDkTn>
May 10 06:48:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<hOjJSIGIfOrAqIKr>
May 10 06:49:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.130.171, lip=192.168.130.191, session=<+bJQTIGIyoLAqIKr>

Certificates from Let's Encrypt are used. Other clients
(Thunderbird, Outlook and K-9 Mail on other phones) work
flawlessly; the problem only shows up for this one user and fills the
log file.

# doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 4.15.18-12-pve x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: xxxxx.xxx.de
disable_plaintext_auth = no
first_valid_uid = 1000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot.log
login_greeting = IMAP Cluster ready.
mail_fsync = always
mail_gid = 1000
mail_home = /srv/mail/mail_storage/%d/%n
mail_location = maildir:~
mail_privileged_group = vpostfix
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime for everypart extracttext vacation-seconds
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Spam {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   args = scheme=CRYPT username_format=%u /etc/dovecot/users
   driver = passwd-file
}
plugin {
   sieve = file:~/sieve;active=~/.dovecot.sieve
   sieve_before = /etc/dovecot/spam-global.sieve
   sieve_extensions = +vacation-seconds
   sieve_vacation_default_period = 1d
   sieve_vacation_max_period = 30d
   sieve_vacation_min_period = 0
}
postmaster_address = xxx at xxxxxx.de
protocols = imap pop3 lmtp sieve
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = vpostfix
     mode = 0666
     user = vpostfix
   }
   unix_listener auth-userdb {
     group = vpostfix
     mode = 0600
     user = vpostfix
   }
}
service imap-login {
   process_min_avail = 1
   service_count = 1
}
service managesieve-login {
   inet_listener sieve {
     port = 4190
   }
}
ssl_cert = </etc/letsencrypt/live/xxxxxx.de/fullchain.pem
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3
userdb {
   args = username_format=%u /etc/dovecot/users
   driver = passwd-file
}
protocol lmtp {
   mail_plugins = " sieve"
}
protocol lda {
   mail_plugins = " sieve"
}
protocol imap {
   mail_max_userip_connections = 10
}

-------------------------- END doveconf --------------------------------

Have I misconfigured something?

Best regards, Frank
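
Added example (not part of the original post and not Dovecot code): a small Python parser for imap-login lines in the format quoted above. It groups events by remote IP (`rip`) and reports which addresses sent a certificate-related TLS alert such as alert 46 (`certificate_unknown`), and whether the same address also logs in successfully. The sample lines, addresses and session ids are constructed.

```python
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
LINE_RE = re.compile(r"imap-login: Info: (?P<event>[^:(]+?)\s*[:(].*?\brip=(?P<rip>[0-9A-Fa-f.:]+),")
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Constructed sample lines in the imap-login format quoted in the post
# (addresses from the documentation ranges, session ids made up).
SAMPLE_LOG = """\
May 10 06:45:10 imap-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=203.0.113.9, lip=192.0.2.191, TLS handshaking: Disconnected, session=<aaaa>
May 10 06:46:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.171, lip=192.0.2.191, session=<bbbb>
May 10 06:47:41 imap-login: Info: Login: user=<user@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.191, mpid=101, TLS, session=<cccc>
May 10 06:48:23 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.23, lip=192.0.2.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<dddd>
May 10 06:48:24 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.23, lip=192.0.2.191, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<eeee>
"""

def summarize(log_text):
    """Count logins, aborted logins and TLS handshake failures per remote IP."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        per_ip = stats[m["rip"]]
        if "TLS handshaking" in line:
            alert = ALERT_RE.search(line)
            # An alert number means the peer sent a TLS alert; otherwise it just hung up.
            per_ip[f"alert_{alert.group(1)}" if alert else "tls_disconnect"] += 1
        else:
            per_ip[m["event"].lower().replace(" ", "_")] += 1
    return stats

def cert_rejections(stats):
    """Remote IPs that sent a certificate-related alert, and whether they also log in."""
    report = {}
    for rip, counts in stats.items():
        for num, name in CERT_ALERTS.items():
            if counts[f"alert_{num}"]:
                report[rip] = (name, counts[f"alert_{num}"], counts["login"] > 0)
    return report

if __name__ == "__main__":
    for rip, (name, n, logs_in) in cert_rejections(summarize(SAMPLE_LOG)).items():
        print(f"{rip}: {n}x {name}, successful logins from same IP: {logs_in}")
```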
