After upgrading my Gentoo-based home server, the e-mail client on my laptop could no longer make a connection to the IMAP server. It seems that Dovecot v2.3.20 requires stronger encryption.
In my server log I found:
Jul 09 10:20:21 asrock dovecot[7663]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:0A00018E:SSL routines::ca md too weak: user=<>, rip=2003:df:c719:600:3a1c:87e5:dabf:489f, lip=2003:df:c719:600:6775:ccd4:93fb:5991, session=<EO5Qpx0AjK0gAwDfxxkGADAch+Xav0if>
The certificates are listed in the Dovecot configuration file /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
Regenerate the files and make them read-only:
# cd /etc/ssl/dovecot
# openssl req -new -x509 -days 7000 -nodes -out server.pem -keyout server.key
# chmod 400 server.key server.pem
This certificate will now be valid for the coming 7000 days, almost 20 years.
Restart Dovecot:
# /etc/init.d/dovecot restart
E-mail clients will need to accept the new self-signed certificate.
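The "ca md too weak" text in the log above is OpenSSL's error for a certificate whose signature digest is below its security level, so it is worth checking the digest of the regenerated server.pem. The script below is an added example, not part of the original post; the function names and the list of digests treated as weak (MD2/MD4/MD5 and SHA-1 based signatures) are assumptions, and the real cut-off depends on the OpenSSL version and configured security level.

```shell
#!/bin/sh
# Added example: report a certificate's signature digest and flag digests
# that OpenSSL may reject with "ca md too weak".

# Print the signature algorithm name of the PEM certificate in $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify an algorithm name as printed by OpenSSL: weak, ok or unknown.
# Assumption: MD2/MD4/MD5 and SHA-1 based signatures count as weak.
classify_sig_alg() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        "")                                        echo unknown ;;
        md2*|md4*|md5*|sha1with*|*-sha1|*withsha1) echo weak ;;
        *)                                         echo ok ;;
    esac
}

# check_cert FILE: exit status 0 only when the digest is classified "ok",
# 1 when it is weak or could not be determined, 2 when FILE is unreadable.
check_cert() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    alg=$(cert_sig_alg "$1")
    verdict=$(classify_sig_alg "$alg")
    echo "$1: $alg ($verdict)"
    [ "$verdict" = ok ]
}

# Run only when a path is given, e.g.:
#   sh check-cert.sh /etc/ssl/dovecot/server.pem
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

Because the files are mode 400, run it as the same user that owns them. A non-zero exit status means the digest was classified weak, could not be determined, or the file could not be read.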