A default dovecot install on AlmaLinux 9 creates a self-signed SSL certifiate. Thunderbird is now very picky about SSL certs. It used to tell you a certificate wasn't valid and allow you to create an exception. Now it just spins and does nothing. You will see the following in your dovecot logs:
Apr 23 18:47:42 sHOST dovecot[12484]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=CLIENTIP, lip=HOSTIP, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<BNl+V8sWFOgKAAAF>
I spent 4-5 hours running around in circles to try and find a solution
First step is to import the key, tell dovecot to listen on port 443 (https) by adding the following lines to the service imap-login stanza in /etc/dovecot/conf.d/10-master.conf:
#service imap-login { inet_listener https { port = 443 ssl = yes }
Note that you could also set up lighttpd to serve up the cert.
Restart dovecot with:
systemctl restart dovecot
Test the above with:
openssl s_client -connect YOURHOST:443
Then, in Thuderbird, you go into Hamburger > Preferences > Privacy & security > (scroll way down) > Manage Certificates... In the Certificate Manager window, you select the Servers tab and click Add Exception... and enter https://YOURHOST:443. Then click on Get Certificate and Confirm Security Exception.
We now have an exception for YOURHOST:443, but we want YOURHOST:993 (if you are using SSL/TLS) or YOURHOST:143 (if you are using STARTTLS). To fix the port number, you need to close Thunderbird, then modify the Thunderbird profile directly. Under Linux, this is ~USER/.thunderbird/SOMETHING-NON-OBVIOUS. I had a half dozen directories. To find the one you want:
cd ~/.thunderbird find . -name cert_override.txt | xargs ls -l --sort=time
The most recently modified file is the one you want to edit.
YOURHOST:443 OID.2.16.840.1.101.3.4.2.1 HEX-STRING-HERE U BASE64-STRING-HERE
Change the :443 on that line to :993 (for SSL/TLS) or :143 (for STARTTLS).
You can confirm you have the correct line by comparing the HEX-STRING-HERE with your dovecot cert's SHA256 fingerprint:
openssl x509 -sha256 -in /etc/pki/dovecot/certs/dovecot.pem -noout -fingerprint