Hi All, :-)
I *know* (from various on-line posts over the years) that the accepted wisdom is that Thunderbird does *not* cache the TLS Certificates of the MDA(s) that it connects to - however, I can come to no other conclusion but this based on the information and investigations I have been able to gather over the last several days. :-(
Our MDA (Dovecot, with Postfix and back-ended by MariaDB) hosts a number of Email Domains, each with its own Let's Encrypt Certificate. Our Thunderbird clients correctly "obtain" (via SNI) the correct(?) TLS Certificate from the MDA for each given Email Domain - or at least, "obtains" the *old* (ie out of date / expired) Certs.
And here's the thing: I've just spent the last 2 days trying to work out why the "old" certs are still being "obtained".
I've:
- Gone over the Dovecot (and Postfix) configs - nothing, all correct
- Searched the Storage of the actual servers - only Certificates found are the *new* (ie renewed) ones
- Confirming that the Certificates located are correct by inspecting them (using Step-CLI) - yes, they are correct
- Cross-confirming (via OpenSSH) that the correct (new) certificates are being served by Dovecot - yes, they are
- Checked that the "old" Certificates do not exist *anywhere* on the mail server, the local PCs (Rocky Linux with KDE), nor the database server (on the server or in the database itself)
- Cleaned the Thunderbird Certificate Stores of all but CA Certificates
And yet, Thunderbird bitches and complains that the MDA's Certificates are "out of date", and when I ask Thunderbird to show me the offending Cert it presents the correct (for the relevant Email Domain) but "old" (ie expired) Certificate.
So, could someone please help me out in working out WTF is going on? :-)
And, FTR, I'm quite ready to "eat humble pie" if it turns out I've gone and Fire-trucked something - so feel free to tell me so if that's the case :-)
Thanks in advance
Dulux-Oz