How can an IMAP connection fail with a certificate error when an SMTP connection with same credentials succeeds?

Question

I am connecting to an HIE in two interfaces using Direct Messaging - one to send messages and one to retrieve messages. The first uses a protocol of SMTP connecting on port 587 without SSL/TLS and then issuing a STARTTLS. All outbound Direct messages goes to this protocol; the HIE forwards the messages to the designated recipient. This works 100% of the time. The retrieval interface also uses Direct Messaging, but connects with IMAP protocol on port 993. SSL/TLS is used, but there is no STARTTLS issued. This used to work 100% of the time. Now it fails on every connect attempt. The error message is:

[java:java:ERR /1:fr_RHIO_direct_2:--/--/---- --:--:--] Catch Execption: 
[java:java:ERR /1:fr_RHIO_direct_2:--/--/---- --:--:--] javax.mail.MessagingException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target;

Last week both interfaces failed at the same time with this PKIX path building error. The HIE sent us an updated digital certificate. The old one was removed from the keystore and the new one was imported. Upon recycling of the interfaces, the SMTP sending interface was restored to working order. However the retrieving interface is still failing with the same error. Both interfaces use the same keystore. The configuration screens for both interfaces include a "keystore validation" function - both validate successfully, proving the location of the keystore and its password are correct in both interfaces. Before last week, both interfaces worked correctly. Now only one works. The HIE uses Mirth Mail. How is it possible that the same certificate path is correct in one interface but incorrect in another?

Answer 1

That was the right direction. it turns out that we were the only client to use IMAP; everyone else uses XDR. They had forgotten what to do with the IMAP service when a certificate is replaced. They had to restart a service called DOVECOT. Thanks for looking.