"Add Security Exception" - Does not SAVE Security Exception.
Retrieve emails from same VPS machine using several different domain names.
Use multiple machines running Thunderbird [v68.4.1 (64-bit) Linux (LMDE)].
This problem is only on ONE of the machines running Thunderbird.
On Linux desktop 'A' Thunderbird had been connecting to the mail server daily for just over a year on the domain that, partway through today, stopped functioning by popping up the 'Add Security Exception' dialog and NOT saving the Security Exception.
Clicking 'Confirm Security Exception' temporarily dismisses the dialog until the next time Thunderbird polls the server.
There is an entry for both imap... and smtp... in the Certificate Manager for the domain. However, this doesn't stop Thunderbird from displaying the 'Add Security Exception' dialog.
Creating an account in Claws Mail (3.14.1, Linux) also requests a verification of a self-signed certificate. However, Claws Mail does save the exception, allowing the sending and receiving of emails for the same account Thunderbird refuses to.
---> On a similar Linux machine running the same version of Thunderbird in the same office, we've got email accounts properly connecting, sending and receiving mail normally at the same domain which the 'A' desktop machine started having problems with partway through the day.
There were no changes on the VPS today. Again, the same email account is accessed using Claws Mail, K9mail (Android) and a copy of Thunderbird on a different desktop in the office.
I removed the problem account from Thunderbird, restarted and configured again. This did not correct the problem.
Any ideas?
All Replies (8)
Did the certificate change? What's the 'valid from' date of the cert?
christ1 said
Did the certificate change? What's the 'valid from' date of the cert?
Thanks for your feedback. :)
No. There were no changes to the self-signed certificate.
Even if it were out of date, one can still manually accept it.
FWIW, when starting Thunderbird for the day at about 0700 it was connecting, sending and receiving emails. Just before noon the problems with that one domain started.
All the other domains and accounts use the same self-signed certificate which is on the VPN. They all function.
Finally when I configure Claws Email with the same problem account, Claws Email connects, sends and receives emails. This, I believe, indicates the problem is with Thunderbird rather than the server.
See if this helps. https://support.mozilla.org/en-US/questions/1278144
Update:
First keep in mind:
- Domains being used are on a single VPS machine and, thus, use the same IP.
- Using a self-signed certificate.
Accessing IMAP or SMTP using the domain name (eg: imap.domain.com) causes the 'Add Security Exception' dialog to display. However, the exception is not saved even with the save permanently box ticked.
In other words the valid self-signed certificate is not being saved.
Oddly when using the VPS's IP address instead of the domain, the self-signed certificate is saved.
While emails can be sent and received with this ugly change, the DKIM (naturally) will return an error to those receiving emails from Thunderbird accounts set up in this manner.
Why will Thunderbird:
- Not save self-signed certificates when using a domain name (with only some accounts on the same VPS).
- Save self-signed certificates if using the VPS IP address.
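One way to check what Thunderbird actually persisted for a given host, as an added example that is not from this thread or from Mozilla. It assumes the profile file cert_override.txt has the tab-separated layout described in the comments (host:port, hash OID, SHA-256 fingerprint, flags, cert db key) and uses constructed sample records instead of a real profile; it shows that exceptions are keyed per host:port, so an entry that makes the IP address work says nothing about imap.domain.com, and an entry stops matching once the server's certificate fingerprint differs.

```python
import hashlib
from typing import Dict, NamedTuple, Tuple
# Assumed layout of Thunderbird's cert_override.txt (in the profile): one tab-separated
# record per saved exception: host:port, hash OID, fingerprint, flags, cert db key.
# The OID is SHA-256; flags M/U/T record which errors the exception overrides
# (hostname Mismatch, Untrusted issuer, Time/validity).
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"
FLAG_NAMES = {"M": "hostname mismatch", "U": "untrusted issuer", "T": "validity period"}

class Override(NamedTuple):
    fingerprint: str
    flags: str

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as AA:BB:..., the form the Certificate Manager shows."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_cert_override(text: str) -> Dict[Tuple[str, int], Override]:
    """Map (host, port) -> Override; comment lines and malformed records are skipped."""
    overrides = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) < 4 or fields[1] != SHA256_OID:
            continue
        host, _, port = fields[0].rpartition(":")
        if host and port.isdigit():
            overrides[(host.lower(), int(port))] = Override(fields[2], fields[3])
    return overrides

def check_override(overrides: Dict[Tuple[str, int], Override], host: str, port: int, server_der: bytes) -> str:
    """Does a stored exception cover the cert the server presents now? Entries are keyed
    by host:port, so imap.example.test:993 and 203.0.113.10:993 are separate entries."""
    entry = overrides.get((host.lower(), port))
    if entry is None:
        return "no exception stored for %s:%d" % (host, port)
    if entry.fingerprint != fingerprint(server_der):
        return "exception exists but covers a different certificate (fingerprint changed)"
    return "exception applies; overrides: " + ", ".join(FLAG_NAMES.get(f, f) for f in entry.flags)

# Constructed sample data: not a real certificate and not a real profile file.
SAMPLE_DER = b"constructed DER bytes standing in for the VPS's self-signed certificate"
SAMPLE_FILE = "# PSM Certificate Override Settings file\n" + "\n".join(
    "%s\t%s\t%s\t%s\tAAAA" % (key, SHA256_OID, fingerprint(SAMPLE_DER), flags)
    for key, flags in (("imap.example.test:993", "MU"), ("203.0.113.10:465", "U")))

if __name__ == "__main__":
    ov = parse_cert_override(SAMPLE_FILE)
    print(check_override(ov, "imap.example.test", 993, SAMPLE_DER))
    print(check_override(ov, "smtp.example.test", 587, SAMPLE_DER))  # other domain: no entry
```

To run it against a real profile, read cert_override.txt from the Thunderbird profile directory and pass the DER certificate obtained from the server (for example via an unverified TLS connection's peer certificate) instead of SAMPLE_DER.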
Didn't I just read in the message you posted:
"Unknown Identity. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature."
Perhaps you need to make yourself a tiny certifying authority. https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Matt said
Perhaps you need to make yourself a tiny certifying authority.
I don't believe so. Here's why ...
1) This domain (one of several on a VPS using the same self-signed cert) was functioning normally for nearly a year. It then stopped midday earlier this week. (It was sending/receiving email for about 4 hours at the start of the day before Thunderbird failed.)
2) When Thunderbird stopped saving the cert on one machine in the office, the other 2 machines (both using Thunderbird) continued to function normally.
3) Thunderbird will send and receive when I use the VPS IP address rather than a domain name.
4) Other accounts using different domains on the same VPS function normally with just domain (eg: smtp.domain.com).
I would think a self-signed cert would function the same in Thunderbird regardless of whether a domain or an IP is used for accessing the mail server.
Additionally ...
The same account/domain, with identical configurations, functions normally on:
- Claws Mail
- Evolution
- Kmail
All machines Linux.
I am not going to debate it with you. I have used all three of the email clients you list, I use Thunderbird because I found them to be clunky, dated, and feature poor. Typical of much of the Linux software I have used really, lots of configuration and little in off the shelf functionality. Given how dated Thunderbird looks, that is truly saying something.
But whether your certificate works in those applications or not is not really all that relevant.
I don't think ANY of them do OCSP checks on certificates. Thunderbird does. Modern security is not just a certificate and someone saying it is OK. It is about a chain of trust. Manual overrides are becoming a thing of the past.
I do not claim any real expertise in the subject more than any other user. But I find the use of self-signed certificates in production to be error prone and a serious security risk.
So let's look at your 'why not'.
1. It used to work so it should continue to do so. Hardly a reason for even a light bulb to continue to function. That it supposedly happened mid-session while the program was running would indicate it is not at fault unless the certificate store is corrupt.
How about looking at what might be the issue. It might not be Thunderbird, you know, or it might be a change to security standards that Thunderbird accepts. But that is unlikely as such things are instantiated upon startup.
You have a virtual private server, which I assume shares an IP address with a number of domains. So you set the IP address and the certificate is valid; given the IP address bypasses DNS, there is NO server name for the certificate to match.
2. Two other machines both using Thunderbird both function normally.
What version of Thunderbird is installed in each case? Are there other add-ons? Do you have antivirus on your corporate Linux machines? They commonly change the certificate store from the Mozilla one to the system one and open their own can of worms.
3. Have you checked the error console (Ctrl+Shift+J) for certificate-related errors?