Newer versions of Thunderbird are stricter about certificates, especially self-signed certificates.
If you have a private IMAP server that you maintain yourself, you probably use one.
You can find a tutorial on this site:
https://softwareprocess.es/homepage/pos ... number-42/
I'll give a brief summary here.
You'll need to use a CA or make one yourself.
Make sure the common name of the certificate is the same as your server's name.
Import the CA into Thunderbird.
Step 1: Use a CA or make a CA.
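# CA private key
openssl genrsa -out SERVER_CA.key 4096
# Self-signed CA certificate (the file to import into Thunderbird in step 5)
openssl req -x509 -new -nodes -key SERVER_CA.key \
  -subj "/C=BE/ST=NO/L=Town/O=dovecotnow/CN=SERVER" \
  -sha256 -days 3650 -out SERVER_CA.pem
# Second self-signed CA certificate from the same key, saved as .crt
# (same subject spelling as above so the issuer name matches either file)
openssl req -new -x509 -days 3650 -key SERVER_CA.key \
  -subj "/C=BE/ST=NO/L=Town/O=dovecotnow/CN=SERVER" \
  -out SERVER_CA.crt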
Hold on to SERVER_CA.pem; you'll need to import it into Thunderbird.
Step 2: Subject Alternative Names (for your server)
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = SERVER
DNS.2 = server.domain.dns
DNS.3 = server6
Step 3: Create keys and certificate
# Server private key
openssl genrsa -out SERVER.key 4096
# Make the certificate request
openssl req -new -key SERVER.key -out SERVER.csr -subj \
  "/C=BE/ST=NO/L=Town/O=dovecotnow/CN=SERVER"
# Make a certificate signed by the CA, with the extensions from v3.ext
openssl x509 -req -in SERVER.csr -CA SERVER_CA.pem -CAkey \
  SERVER_CA.key -CAcreateserial -out SERVER.crt \
  -days 3650 -sha256 -extfile v3.ext
# Sign the same request again, writing SERVER.pem (the file used in step 4)
openssl x509 -req -in SERVER.csr -CA SERVER_CA.pem -CAkey \
  SERVER_CA.key -CAcreateserial -out SERVER.pem \
  -days 3650 -sha256 -extfile v3.ext
Step 4: Install the certificate on the server
SERVER.key and SERVER.pem will be used in your dovecot 10-ssl.conf file on your server (see /etc/dovecot/conf.d/10-ssl.conf).
Restart dovecot.
Step 5: Install the certificate in Thunderbird
Make sure that the CA’s certificate is trusted by Thunderbird
Settings -> Privacy & Security -> Manage Certificates -> Authorities -> Import (and choose your CA’s pem or crt such as SERVER_CA.pem)
Step 6: Hostname (not sure if this is needed)
Add the IMAP hostname on your client PC (see /etc/hosts).
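
A pre-flight check for the files from steps 1 to 3, to run before restarting dovecot in step 4. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: preflight SERVER_CA.pem SERVER.pem SERVER.key server.domain.dns

# check_chain CA_FILE CERT_FILE
# The server certificate must chain to the CA that Thunderbird imports and
# must be acceptable as a TLS server certificate.
check_chain() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# check_host CERT_FILE HOSTNAME
# The name typed into the mail client must be listed in subjectAltName.
# OpenSSL falls back to the CN when no DNS SAN exists, so a SAN is required
# first; "x509 -checkhost" exits 0 either way, so its verdict text is parsed.
check_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:' || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# check_key CERT_FILE KEY_FILE
# The private key given to dovecot must belong to the certificate.
check_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CA_FILE CERT_FILE KEY_FILE HOSTNAME
# Runs all three checks and reports every failure, not only the first.
preflight() {
    rc=0
    check_chain "$1" "$2" || { echo "FAIL: $2 does not chain to $1"; rc=1; }
    check_host "$2" "$4"  || { echo "FAIL: $4 is not in subjectAltName of $2"; rc=1; }
    check_key "$2" "$3"   || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    return $rc
}
```

Once dovecot is restarted, `openssl s_client -connect server.domain.dns:993 -CAfile SERVER_CA.pem -verify_hostname server.domain.dns -verify_return_error </dev/null` applies the same chain and hostname checks to what the server actually presents.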