ThunderBird - Sieve not working?

NethServer Version: 7.8.2003 & 7.9.2009
Module: dovecot

A couple of users tried to activate the autoresponder from Thunderbird as usual when the holidays come …
It had worked fine until this summer. Now it seems not to work.
I suppose this is a TB problem (plug-in ManageSieve), but I tried with the TB-independent version (not very different from the plug-in),
and it can’t authenticate.
Has anyone already seen this problem and found a workaround?
In the maillog I have:

Dec 23 18:28:01 posta dovecot: managesieve-login: Aborted login (auth failed, 1 attempts in 85 secs): user=, method=PLAIN, rip=, lip=, TLS, session=<MBZP/iS308PAqAKH>
Dec 23 18:28:12 posta rspamd[1332]: ; lua; bayes_expiry.lua:440: finished expiry step 14: 989 items checked, 241 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 748 infrequent (0 ttls set), 64 mean, 210 std
Dec 23 18:28:25 posta dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Dec 23 18:28:34 posta dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
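
Added example, not part of the original post: a small Python triage of managesieve-login lines like the ones above, separating credential failures from TLS aborts. An "sslv3 alert ..." error reported by SSL_read() is an alert received from the peer, so alert 42 in the server log means the client rejected the server's certificate. The sample lines are constructed from the excerpt above, and the function names and hint texts are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the maillog excerpt in the post above.
SAMPLE_LOG = """\
Dec 23 18:28:01 posta dovecot: managesieve-login: Aborted login (auth failed, 1 attempts in 85 secs): user=, method=PLAIN, rip=, lip=, TLS, session=<MBZP/iS308PAqAKH>
Dec 23 18:28:12 posta rspamd[1332]: ; lua; bayes_expiry.lua:440: finished expiry step 14: 989 items checked
Dec 23 18:28:25 posta dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Dec 23 18:28:34 posta dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
"""

LOGIN_RE = re.compile(r"dovecot: managesieve-login: (?P<event>[^(]+)\((?P<reason>[^)]*)\)")
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")

# TLS alert descriptions (RFC 5246 / RFC 8446) that concern certificate trust.
CERT_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Hypothetical hint texts, following the suggestions made in this thread.
HINTS = {
    "auth_failed": "credentials rejected or login never completed",
    "client_rejected_server_cert": "client does not trust the server certificate: "
                                   "trust it in the client or deploy a CA-signed one",
}

def classify(line):
    """Return a category for a managesieve-login line, or None for other lines."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    alert = ALERT_RE.search(line)
    if alert:
        num = int(alert.group("num"))
        if num in CERT_ALERTS:
            return "client_rejected_server_cert:" + CERT_ALERTS[num]
        return "tls_alert:%d" % num
    if "auth failed" in m.group("reason"):
        return "auth_failed"
    return "other"

def triage(text):
    """Count categories over a whole log excerpt."""
    return Counter(c for c in map(classify, text.splitlines()) if c)

if __name__ == "__main__":
    for category, count in triage(SAMPLE_LOG).items():
        print(count, category, "-", HINTS.get(category.split(":")[0], ""))
```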


Hi Paolo

As a workaround, you can use Roundcube to activate / create / manage Sieve Mail rules.
Roundcube can read all sieve mail rules (on the server!) and use them.

Roundcube can be installed independently from Webtop / Sogo / Nextcloud.
Use Stephdl’s module from here to get the newer GUI:

Merry Christmas!

My 2 cents

1 Like

Do you use a valid certificate?

Maybe dovecot needs to be restarted to apply a renewed certificate? It may also help to reapply the default server cert.

Client side: Maybe you need to (re)trust/allow the server certificate in TB?

Already considered (with the standard RC in NS), but I prefer to give users the option to still do it from TB, if possible.

Thanks, P.


As said, just as a workaround, 'til TB works again!


No. It’s an internal server. Default self-signed certificate expiring in 2027 used until now…

Restarted server, updated (2003 -->2009), restarted …

Same problem using the stand-alone Sieve Manager client.

Thanks, P.

Don’t know if it applies to your case:

ThunderBird Sieve addon - WebExtension: Logging & Debugging
1 Like

Yes. This solves the problem.
Not an end-user solution, but it clearly demonstrates that recent TB updates broke the plug-in and the author probably hasn’t fixed it yet (or found a more elegant workaround).

Thanks, P.

1 Like

I can confirm the issue and the working workaround posted by @dnutan
You may use a letsencrypt cert. It’s possible for internal servers too with acme-dns.
This way you get a valid cert so there’s no work with the client TB profiles.

After the “emergency solution” used in the holiday period, I am now reconsidering the problem, attempting to solve it with a “more practical” solution.
I am trying to implement the acme-dns trick, but I noticed a first problem: if my internal server doesn’t have a RED public IP and the capability to give public access to any service, this way can’t be a valid solution.
Am I missing something?
Is there a solution that doesn’t require a public accessible service from the LAN?

Thanks, P.

I think it’s not necessary to open the services to the public:

Note that, in this configuration, anyone on the Internet can access the API of your acme-dns instance. If the other hosts that might be using it are on your LAN, you might want to change the access property above to just green rather than red,green.


BTW, NethServer now supports DNS challenge with certbot, see documentation and Let's Encrypt DNS challenge.

1 Like

This specific box is already configured as a GREEN-only interface.
It doesn’t use a DNS provider supported by certbot, so I still can’t see a simple way to obtain an LE certificate.

I had read the wiki/docs, but haven’t found useful hints.

Thanks, P.

Hi Paolo,

Have a look here:
How to use DNS API: Most API key providers, and how to use them, are listed there.

If your DNS provider doesn’t provide API access, you can use our DNS alias mode:


1 Like