
This thread was archived. Please ask a new question if you need help.

SSL/TLS Bad Certificate Alert from Thunderbird on Connection to Dovecot

  • 3 replies
  • 0 have this problem
  • 2 views
  • Last reply by john811

I have

  • Generated a CA root certificate.
  • Generated a server certificate signed with said CA root cert.
  • Used openssl to verify the server certificate against the CA.
  • Installed both on the dovecot server.
  • Installed CA root cert in system cert pool on Thunderbird (client) machine.
  • Verified correctness with openssl s_client against dovecot.
  • Installed the CA root cert into the Authorities section of the Thunderbird certificate manager, set to authenticate a web server (I'm assuming this is for every kind of server, including an IMAPS server).
  • Set Thunderbird to speak to the IP address of the dovecot server, port 993 and set connection type to SSL/TLS in the account settings.

I ran a tcpdump on the connection, hit refresh, see a Bad Certificate alert coming from Thunderbird before it shuts down the connection.

The certificate verifies with openssl, and openssl s_client gives no indication of any kind of error. Thunderbird flashes a warning that I can't copy-n-paste, so I may have mis-typed it, but it is:

"Non-overridable TLS error occurred. Handshake error or probably the TLS version or certificate used by server <DNS of mail server here> is incompatible."

I haven't a clue what is going wrong here. Anybody know what Thunderbird checks (above and beyond what openssl checks) that might produce this error?

There doesn't appear to be any way of attaching tcpdump captures or for that matter, cert/key files, just images, so I'll copy the PEM cert blocks here in case they are useful:

Server:

-----BEGIN CERTIFICATE-----
MIIF3zCCA8egAwIBAgICB+YwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNlMQswCQYDVQQL
EwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRl
bGdldXNlLnVzMB4XDTIyMDgxNTEyMjcwM1oXDTIzMDgxNTEyMjcwM1owgYIxCzAJ
BgNVBAYTAlVTMREwDwYDVQQIEwhDb2xvcmFkbzETMBEGA1UEChMKQmV0ZWxnZXVz
ZTELMAkGA1UECxMCSVQxGzAZBgNVBAMTEm1haWwuYmV0ZWxnZXVzZS51czEhMB8G
CSqGSIb3DQEJARYSam9obkBiZXRlbGdldXNlLnVzMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAznFqh+ql0+dqrZs0J6c7hHgeUfxnkRzgxF9nhGSjErod
ZWe1kNjg95vqhof2TCH+i5dqqzRD9kZMS/rNQHoyZDsje1YVeyqHrJWSFpvyhExG
HDBBDCYjisAYq3AWL5uZTyOBqRAphfcvcbvVqQhdF6ZwOPMkiNMW0k2CdVCqW81B
K9wOfDJ4aowNRE3pOunEOpLKSpEkuQ1Ju9DTBwdRtu26THuFAGLVqc5RkyzIpWOl
jsttCeriJIsTWJwY8ZyafNXf/UxMzYaGH20IL952ufVY7jnn21IVo4FIg786ABxQ
R26dObdbQeLpS+bHh8N29wGRJiXjdi1vCHJBceF/8BJh6q1xc5PF+Fn5iyytKvC/
cUe02ELOik7kR2rt85KKgvSPm3r0kVZg7IvfvnqOxtezB+/bv+7eqb6t/Meuz3w/
lDKfsSzWEVoIt9N8nONeCpNllFOHGWlhFoJ0kmC3qkE6uoL2SA0dlC8YY3c19mZq
vso/tnrgdA4RNCO6sOb4GNwAO08dlMSA3l9GxfMBEj8YrdObSidsvAx9ikmhe+Df
Yv2NFMFiWKt6ZyBm8HcQ/bmMZZBxhpJvpsZUOEUedJ9lejrv4A3gIU+KeyKrJxgt
0nHGdQm+XfvGvyS2aglZ2cKt6uCiMBULoXsu3sqRwYuNdxycQj63x1UkJiR6ZP0C
AwEAAaNpMGcwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsG
A1UdIwQUMBKAENZg5KSFKU/VoV8FtWFnJc4wIwYDVR0RBBwwGoISbWFpbC5iZXRl
bGdldXNlLnVzhwQvL6FSMA0GCSqGSIb3DQEBCwUAA4ICAQCgkEzwAUAbN9ZHOymd
Sd+4Pi6bZqDVOmEg1XeOjoulmMQXUivcJ+hcnK3duVYr5b9Mz3IdwMab+mykTBbo
Bg45khkAZr8GrrGF6GI9StEZcYx2bEbAa1Psfkvb8RE9DKf2H1MJkXV1b8Nh/wN1
SJYrRwC/NWpq+qUvCMolcezBXcvsY9RoZhU3q0TwR31nofW7GMlsnI8WEwku1jvQ
OWeW3uPHnZi3JGu3nNk3stWBlYYJbgqlvEq2lH0YEpFIco7cpD+YITkO2bW/uQVV
WlSqOf+Fax18JJO1m1ZftllbSqdRx5/FHs4oOchGBEB4RDjt/CkJRvp70jlY2R1k
3bkbWu/oQMxQNmQUjZgYS/wurGt5ij/rB/xB5XN8DKhUXUJIjEP7KK1eRo41yGdZ
ebiw0BihSWezGrAWlLMmhKeSf4YaQ6puj1EFMHdX3LkImr8UEH6WJYcXb5VFA+6k
/NI5hZhgk9rXMv66x02GePsItYIohDnvjlUEYGEs+CIZBALs+5FpwcTcxvXlsuSD
4FFhFO+ccsF/sGarBXoZkKfPIWGs374ICawglhxFP1SbdYhPf8b11E71D3Nu9HMc
/4yzflMNqVweMtUUIc0gIAbOvOY4IuCGRxuoE/6uqzyze5b9s/ZJ7S9mernvmDiQ
A3ZIPIt4wgqi6qGvDg767vEf/w==
-----END CERTIFICATE-----

CA root cert:

-----BEGIN CERTIFICATE-----
MIIF2jCCA8KgAwIBAgICB+YwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNlMQswCQYDVQQL
EwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRl
bGdldXNlLnVzMB4XDTIyMDgxNTEyMTcwMVoXDTIzMDgxNjEyMTcwMVowdzELMAkG
A1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNl
MQswCQYDVQQLEwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYS
am9obkBiZXRlbGdldXNlLnVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEAwumiMuBtRmdYCJ7Ydm92WiNql1I1j3SFAHBhtdXBahJUeYdSozCWJO2QXjoi
DSMqYwDJMlpdan3TRQ3gH9/fYsu0K9ophWHCWpRJ63bI7X+mNqYVzSkPUStN6sNU
8v3f9DwgPvbtrQaByCVNDCM/mpB8UlUeDqCCbs/x37901Cpprwnw5M+BR5wHtRd/
p/frqDkW/uS2vONlR9/IRCuqsLrZGbcHlH3/+b1E2M9h9ynL0x9eIS2XOML08K+j
5ixdeM8IUf3bA/iCeui25RNUEkDQ+wUJE2/tyFDKktlR0Adzuxp2xwN7GN133A26
lC2OfEoMAotuO1gldPyeQbThEMQP3amfXFZ5SyWXq9VTo9JfMnb6+tFEcCbBc1TX
XMJhM1GI561EGLKdajCDUbckFRaZZlOB2QbhaznDCntp6te2SgOHLkQr5AJgPZrG
E2MEM17JwDqjbzCkRps7UaTQPLzUuq5KvQV83TdONq949YfmW1/glCU5vwqLDBcU
V9IP4elSd8JuW53VICGAaKlKaPRtegIlXcIpAW9BAOQFAlroPj1FcVd1Sm4wiSBz
MkVcsIuLu1MKAtjBIoLPcrdmUpkvc/WEOPW0+XPypr+aawkfBsnxR/1KjPHj2p0g
KgBUto1xv46ByTPAVwf46ZiU4GGzUs9wKUt0ClPaw7CwusECAwEAAaNwMG4wDgYD
VR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMB
Af8wGQYDVR0OBBIEENZg5KSFKU/VoV8FtWFnJc4wGwYDVR0jBBQwEoAQ1mDkpIUp
T9WhXwW1YWclzjANBgkqhkiG9w0BAQsFAAOCAgEAE1H5m+gwj/Jb3WcdEOrtY09k
pP4+GK+Of32DmJNgE83kTQ0C9pFifbf5weoRfB+cXixnykQ7GpLKMap5b03a4SP2
T0DIj22T6RyJ/vpZWS0xReYn9Gd1+11CLiR4vS+8OGVLOQ2APkOXPjyTY6eqCpL/
Du3/QmuVcFaqUrj360UOPxeMO7xwXoEWx3OhIhR12P1gpOrnDeUW3HG175nLjAGN
3RTogNyG8a5XhxabqMiBiDxSHAXTkCOG3pxExSmStvi8/43ezWxijJwuPxjXStkU
2pSd+RKiw6ZrU2XcA/Q4sYN3kqJmgMAvvMy29dq95a3Rp0qjamKqBTN227eH7VqS
UMKCiY2mLK10pAHxFVwbyEIHB4SXcOpg7jjQreeIcX0gWYmVDmwa/IMQcEPIfwjL
deL0q6O7w96bOmJa2+t7Kg1HClWl4vdZ5dVsPjOvDoxaiq4GFrkEtIO+4gKy0S4/
Hcnw2r8ufRCv7w27MjDpfVBqUPZ3OXzW38j/q/aG/LgLzFmkFtM/DEkzeAKhnr/R
OkAmVvzSFCvvIVIOIA2bvX//trGle3FZibhaZ90LTBTTyw4xuPgzyh+zSVqkPorb
hRr5w2JX5aK9DXP3nkdA9qzaOOpSqyJa+suQj2GdI6FGgSqwqbqhYyiiUX8wvj4D
y+jfSWwYlAp2IQP2vAk=
-----END CERTIFICATE-----

All Replies (3)

> to speak to the IP address of the dovecot server

IP address and certificate... is the certificate for the IP, if that is even possible? It should be a DNS name.

It is possible to add Subject Alternative Names (SAN) as SSL Version 3 extensions that include both the DNS name, and the IP address of the service.

The Subject Common Name is the FQDN of the mail server.

I've tried generating a server certificate that adds only the DNS SAN, as well. No change: Thunderbird still gives me the error message.

I tried generating a server cert that had no SAN extensions at all.

Same error message.
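The thread never reaches an answer, so here is an added check, not code from the thread or from any of the posters, that decodes the two certificates posted in the question with nothing but the Python standard library. The two base64 strings are the server and CA certificate exactly as posted above, joined onto one line; the function and constant names are this example's own. It pulls out the serial number, the raw issuer DN and the subjectAltName entries, and flags any two distinct certificates that share an issuer and a serial. That check is the one worth making here: both posted certificates carry serial number 2022 (0x07E6) under the same issuer DN. RFC 5280 section 4.1.2.2 requires the serial number to be unique per issuer, and NSS, the TLS library Thunderbird uses, rejects a certificate whose issuer and serial match a different certificate it already holds (the CA imported into the certificate manager), reporting SEC_ERROR_REUSED_ISSUER_AND_SERIAL, which is not overridable. openssl verify and openssl s_client make no such check, so a chain can pass openssl and still be refused by Thunderbird, which is the gap the question asks about. The page does not confirm this is the cause of the error seen in the thread; it is one thing to rule out before regenerating certificates. The script also lists the SAN entries, which is what the replies about connecting by IP address turn on.

```python
"""Minimal DER walk over the two PEM certificates posted in the question.

Added example, not code from the thread. Standard library only. The base64
below is the server and CA certificate exactly as posted above, line breaks
removed; SERVER_B64, CA_B64 and the helper names are this example's own.
"""
import base64

SERVER_B64 = "MIIF3zCCA8egAwIBAgICB+YwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNlMQswCQYDVQQLEwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRlbGdldXNlLnVzMB4XDTIyMDgxNTEyMjcwM1oXDTIzMDgxNTEyMjcwM1owgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhDb2xvcmFkbzETMBEGA1UEChMKQmV0ZWxnZXVzZTELMAkGA1UECxMCSVQxGzAZBgNVBAMTEm1haWwuYmV0ZWxnZXVzZS51czEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRlbGdldXNlLnVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAznFqh+ql0+dqrZs0J6c7hHgeUfxnkRzgxF9nhGSjErodZWe1kNjg95vqhof2TCH+i5dqqzRD9kZMS/rNQHoyZDsje1YVeyqHrJWSFpvyhExGHDBBDCYjisAYq3AWL5uZTyOBqRAphfcvcbvVqQhdF6ZwOPMkiNMW0k2CdVCqW81BK9wOfDJ4aowNRE3pOunEOpLKSpEkuQ1Ju9DTBwdRtu26THuFAGLVqc5RkyzIpWOljsttCeriJIsTWJwY8ZyafNXf/UxMzYaGH20IL952ufVY7jnn21IVo4FIg786ABxQR26dObdbQeLpS+bHh8N29wGRJiXjdi1vCHJBceF/8BJh6q1xc5PF+Fn5iyytKvC/cUe02ELOik7kR2rt85KKgvSPm3r0kVZg7IvfvnqOxtezB+/bv+7eqb6t/Meuz3w/lDKfsSzWEVoIt9N8nONeCpNllFOHGWlhFoJ0kmC3qkE6uoL2SA0dlC8YY3c19mZqvso/tnrgdA4RNCO6sOb4GNwAO08dlMSA3l9GxfMBEj8YrdObSidsvAx9ikmhe+DfYv2NFMFiWKt6ZyBm8HcQ/bmMZZBxhpJvpsZUOEUedJ9lejrv4A3gIU+KeyKrJxgt0nHGdQm+XfvGvyS2aglZ2cKt6uCiMBULoXsu3sqRwYuNdxycQj63x1UkJiR6ZP0CAwEAAaNpMGcwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdIwQUMBKAENZg5KSFKU/VoV8FtWFnJc4wIwYDVR0RBBwwGoISbWFpbC5iZXRlbGdldXNlLnVzhwQvL6FSMA0GCSqGSIb3DQEBCwUAA4ICAQCgkEzwAUAbN9ZHOymdSd+4Pi6bZqDVOmEg1XeOjoulmMQXUivcJ+hcnK3duVYr5b9Mz3IdwMab+mykTBboBg45khkAZr8GrrGF6GI9StEZcYx2bEbAa1Psfkvb8RE9DKf2H1MJkXV1b8Nh/wN1SJYrRwC/NWpq+qUvCMolcezBXcvsY9RoZhU3q0TwR31nofW7GMlsnI8WEwku1jvQOWeW3uPHnZi3JGu3nNk3stWBlYYJbgqlvEq2lH0YEpFIco7cpD+YITkO2bW/uQVVWlSqOf+Fax18JJO1m1ZftllbSqdRx5/FHs4oOchGBEB4RDjt/CkJRvp70jlY2R1k3bkbWu/oQMxQNmQUjZgYS/wurGt5ij/rB/xB5XN8DKhUXUJIjEP7KK1eRo41yGdZebiw0BihSWezGrAWlLMmhKeSf4YaQ6puj1EFMHdX3LkImr8UEH6WJYcXb5VFA+6k/NI5hZhgk9rXMv66x02GePsItYIohDnvjlUEYGEs+CIZBALs+5FpwcTcxvXlsuSD4FFhFO+ccsF/sGarBXoZkKfPIWGs374ICawglhxFP1SbdYhPf8b11E71D3Nu9HMc/4yzflMNqVweMtUUIc0gIAbOvOY4IuCGRxuoE/6uqzyze5b9s/ZJ7S9mernvmDiQA3ZIPIt4wgqi6qGvDg767vEf/w=="
CA_B64 = "MIIF2jCCA8KgAwIBAgICB+YwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNlMQswCQYDVQQLEwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRlbGdldXNlLnVzMB4XDTIyMDgxNTEyMTcwMVoXDTIzMDgxNjEyMTcwMVowdzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMRMwEQYDVQQKEwpCZXRlbGdldXNlMQswCQYDVQQLEwJJVDEQMA4GA1UEAxMHVGVzdCBDQTEhMB8GCSqGSIb3DQEJARYSam9obkBiZXRlbGdldXNlLnVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwumiMuBtRmdYCJ7Ydm92WiNql1I1j3SFAHBhtdXBahJUeYdSozCWJO2QXjoiDSMqYwDJMlpdan3TRQ3gH9/fYsu0K9ophWHCWpRJ63bI7X+mNqYVzSkPUStN6sNU8v3f9DwgPvbtrQaByCVNDCM/mpB8UlUeDqCCbs/x37901Cpprwnw5M+BR5wHtRd/p/frqDkW/uS2vONlR9/IRCuqsLrZGbcHlH3/+b1E2M9h9ynL0x9eIS2XOML08K+j5ixdeM8IUf3bA/iCeui25RNUEkDQ+wUJE2/tyFDKktlR0Adzuxp2xwN7GN133A26lC2OfEoMAotuO1gldPyeQbThEMQP3amfXFZ5SyWXq9VTo9JfMnb6+tFEcCbBc1TXXMJhM1GI561EGLKdajCDUbckFRaZZlOB2QbhaznDCntp6te2SgOHLkQr5AJgPZrGE2MEM17JwDqjbzCkRps7UaTQPLzUuq5KvQV83TdONq949YfmW1/glCU5vwqLDBcUV9IP4elSd8JuW53VICGAaKlKaPRtegIlXcIpAW9BAOQFAlroPj1FcVd1Sm4wiSBzMkVcsIuLu1MKAtjBIoLPcrdmUpkvc/WEOPW0+XPypr+aawkfBsnxR/1KjPHj2p0gKgBUto1xv46ByTPAVwf46ZiU4GGzUs9wKUt0ClPaw7CwusECAwEAAaNwMG4wDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEENZg5KSFKU/VoV8FtWFnJc4wGwYDVR0jBBQwEoAQ1mDkpIUpT9WhXwW1YWclzjANBgkqhkiG9w0BAQsFAAOCAgEAE1H5m+gwj/Jb3WcdEOrtY09kpP4+GK+Of32DmJNgE83kTQ0C9pFifbf5weoRfB+cXixnykQ7GpLKMap5b03a4SP2T0DIj22T6RyJ/vpZWS0xReYn9Gd1+11CLiR4vS+8OGVLOQ2APkOXPjyTY6eqCpL/Du3/QmuVcFaqUrj360UOPxeMO7xwXoEWx3OhIhR12P1gpOrnDeUW3HG175nLjAGN3RTogNyG8a5XhxabqMiBiDxSHAXTkCOG3pxExSmStvi8/43ezWxijJwuPxjXStkU2pSd+RKiw6ZrU2XcA/Q4sYN3kqJmgMAvvMy29dq95a3Rp0qjamKqBTN227eH7VqSUMKCiY2mLK10pAHxFVwbyEIHB4SXcOpg7jjQreeIcX0gWYmVDmwa/IMQcEPIfwjLdeL0q6O7w96bOmJa2+t7Kg1HClWl4vdZ5dVsPjOvDoxaiq4GFrkEtIO+4gKy0S4/Hcnw2r8ufRCv7w27MjDpfVBqUPZ3OXzW38j/q/aG/LgLzFmkFtM/DEkzeAKhnr/ROkAmVvzSFCvvIVIOIA2bvX//trGle3FZibhaZ90LTBTTyw4xuPgzyh+zSVqkPorbhRr5w2JX5aK9DXP3nkdA9qzaOOpSqyJa+suQj2GdI6FGgSqwqbqhYyiiUX8wvj4Dy+jfSWwYlAp2IQP2vAk="

OID_SAN = b"\x55\x1d\x11"  # 2.5.29.17 subjectAltName
OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName


def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def common_name(name_der):
    """Return the CN attribute of a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == OID_CN:
                return val[1].decode("utf-8")
    return None


def parse_cert(b64):
    """Return serial, raw issuer DER, CNs and SAN entries of one certificate."""
    der = base64.b64decode(b64)
    _, cert, _ = tlv(der)                 # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert)                 # tbsCertificate is its first element
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0  # skip [0] EXPLICIT version when present
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    issuer = fields[i + 2][1]             # serial, signature, issuer, validity, subject, spki
    subject = fields[i + 4][1]
    san = []
    for tag, val in fields[i + 5:]:
        if tag != 0xA3:                   # [3] EXPLICIT extensions
            continue
        _, exts, _ = tlv(val)
        for _, ext in children(exts):
            parts = children(ext)         # extnID, optional critical BOOLEAN, extnValue
            if parts[0][1] != OID_SAN:
                continue
            _, names, _ = tlv(parts[-1][1])   # extnValue OCTET STRING wraps GeneralNames
            for ntag, nval in children(names):
                if ntag == 0x82:              # dNSName
                    san.append(("DNS", nval.decode("ascii")))
                elif ntag == 0x87:            # iPAddress, 4 bytes for IPv4
                    san.append(("IP", ".".join(str(b) for b in nval)))
    return {"serial": serial, "issuer": issuer, "issuer_cn": common_name(issuer),
            "subject_cn": common_name(subject), "san": san}


def find_issuer_serial_reuse(certs):
    """RFC 5280 4.1.2.2: a serial number must be unique per issuer.

    Returns (label_a, label_b, serial) for every later certificate that repeats
    the issuer DN and serial of an earlier one. NSS treats such a pair as
    SEC_ERROR_REUSED_ISSUER_AND_SERIAL; openssl verify does not check it.
    """
    seen, reused = {}, []
    for label, info in certs.items():
        key = (info["issuer"], info["serial"])
        if key in seen:
            reused.append((seen[key], label, info["serial"]))
        else:
            seen[key] = label
    return reused


def audit():
    """Run the checks over the two posted certificates and summarise the findings."""
    certs = {"ca": parse_cert(CA_B64), "server": parse_cert(SERVER_B64)}
    return {
        "serials": {k: v["serial"] for k, v in certs.items()},
        "same_issuer": certs["ca"]["issuer"] == certs["server"]["issuer"],
        "server_san": certs["server"]["san"],
        "reuse": find_issuer_serial_reuse(certs),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it with python3 and read the reuse line: an empty list means every serial is unique per issuer; a non-empty one means the client will see two different certificates claiming the same identity. The fix is to reissue the server certificate with a serial the CA has not used before (openssl x509 -req takes -set_serial; openssl ca keeps its own serial file so this does not recur), then let Thunderbird see the new certificate. The server_san line shows what the client is allowed to match the connection against, which is the point the replies about connecting by IP address raise.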