View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Dovecot TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
Log in to Ask a Question

Dovecot TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

I get this error:
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.58.235.102, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<h5b0juhsooesoutm></h5b0juhsooesoutm>

The following command shows a normal response/certificate
openssl s_client -starttls imap -servername $hostname -connect $hostname:143

1 Reply

This is symptomatic of a client (172.58.235.102…an IP address belonging to TMobile, USA) using a disallowed protocol according to the dovecot configuration parameter:

ssl_protocols

FWIW, I don't use this setting. I have

ssl_min_protocol = TLSv1.2

which means that any client using a protocol weaker (less secure) than TLS 1.2 will cause dovecot to throw this error and reject the connection attempt.

The error is innocuous unless the remote IP address is a cell phone you need to support… It typically indicates a misconfigured MUA…or a very amateurish attempt at intrusion into your mail system (Hint:, if this is common and you determine it's the latter, you can configure fail2ban to block the rip for some amount of time).

-- sw

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct