Closed Bug 1729140 Opened 3 years ago Closed 3 years ago

v91.0.3 give cert errors when connecting to imap server with Letsencrypt cert. Other mail agents do not.

Categories

(Thunderbird :: Security, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: david, Unassigned)

Attachments

(1 file)

Attached image TB_cert_error.jpg (deleted)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

I have set up a new server running postfix, IMAP server dovecot and nginx on Ubuntu 20.04. The server has a Letsencrypt SSL cert issued to mail.safemail.nz. The cert works perfectly on nginx / webmail. I can connect to the IMAP server with a Windows mail client and with an older version of Thunderbird (78.13) with no errors.

Actual results:

When connecting via IMAP with STARTTLS (ports 143 and 587) using TB 91.0.3 I get an Add Security Exception error. The error claims the location is safemail.nz but the certificate is issued to mail.safemail.nz. If I cancel that error it pops up again. If I cancel it several times it goes away and thereafter TB seems to work OK - I can open / close it, send / receive mail on it without any further error. This is without ever hitting the Confirm Security Exception button.

The attached screenshot shows both the error and the certificate - note the mismatch between the common name and the location in the error.

Expected results:

It should have picked up that the certificate is valid for mail.safemail.nz which is the name of the server and the hostname used in the account settings for incoming and outgoing servers.

If there actually is a problem with the certificate, cancelling the error several times should not cause it to go away.

BTW - this server is not yet in production so not always accessible from the outside world. Happy to give you an account on it for testing purposes though.

Component: Untriaged → Security
Blocks: tb91found

Basically no other reports about this, so there must be something wrong with the setup (maybe with the cert). Impossible to say what.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Summary: v91.0.3 give cert errors when connecting to server with Letsencrypt cert. Other mail agents do not. → v91.0.3 give cert errors when connecting to imap server with Letsencrypt cert. Other mail agents do not.

  1. Make sure that your IMAP server is referencing the current LE cert.

  2. Make sure you "reload" or "restart" your IMAP server as part of the certificate renewal process so it is using the current cert.

On further review, it appears that your imap server (i.e. imap.example.com) isn't present in your certificate. You either need to add that subdomain or use the top level domain name instead.

Based on the screenshot, Thunderbird attempts to connect to the server using hostname "safemail.nz".

As Lee said, there is a hostname mismatch.

openssl s_client -showcerts -starttls imap -connect mail.safemail.nz:143 -verify_hostname safemail.nz
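
The hostname mismatch discussed in the comments above, as an added example (not code from the bug report or from Thunderbird): a Python check of the hostname configured in a mail account against the dNSName entries of a certificate, using the dict shape that `ssl.SSLSocket.getpeercert()` returns. The certificate dicts are constructed from the names in the report, and all function names are hypothetical.

```python
# Added example: reference-identity check over the dict shape returned by
# ssl.SSLSocket.getpeercert(). Certificate contents below are constructed.

def _norm(name):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.rstrip(".").lower()

def dns_name_matches(pattern, hostname):
    """Compare one SAN dNSName against the hostname the client was told to use.

    A wildcard is honoured only as the whole left-most label and covers
    exactly one label, so *.safemail.nz never matches safemail.nz itself.
    """
    p_labels = _norm(pattern).split(".")
    h_labels = _norm(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.nz").
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def san_dns_names(cert):
    """Extract the dNSName entries from a getpeercert()-style dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def check_account_hostname(cert, configured_host):
    """Return (ok, names): ok is True when configured_host is covered by the cert."""
    names = san_dns_names(cert)
    ok = any(dns_name_matches(n, configured_host) for n in names)
    return ok, names

# Constructed certificate matching the report: issued to mail.safemail.nz only.
REPORT_CERT = {
    "subject": ((("commonName", "mail.safemail.nz"),),),
    "subjectAltName": (("DNS", "mail.safemail.nz"),),
}
# Constructed wildcard variant: it still would not cover the bare domain.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.safemail.nz"),)}

if __name__ == "__main__":
    for host in ("mail.safemail.nz", "safemail.nz"):
        ok, names = check_account_hostname(REPORT_CERT, host)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (cert names: {names})")
```

The check is made against the hostname the client is configured to connect to, not the name the server believes it has, which is why a certificate that is valid for mail.safemail.nz still fails when the account points at safemail.nz.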
