Send Message Error->Add Security Exception ->Confirm Security Exception FAILS - due to uppercase letters in outgoing hostname
Categories: Thunderbird :: Security, defect
Tracking: thunderbird_esr102+ fixed
People: Reporter: mark.roux, Assigned: rnons
Whiteboard: [closeme 2022-10-10]
Attachments (4 files):
image/png (deleted)
image/png (deleted)
text/x-phabricator-request (deleted)
patch (deleted), flagged approval-comm-esr102+ by wsmwk
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Steps to reproduce:
I've used Thunderbird for many years. After upgrading to 91.2, when we send mail to our mail server on port 587 with a self-signed certificate, we see the "Send Message Error: The certificate is not trusted because it is self-signed...". Selecting [Ok] segues to "Add Security Exception...". Please see the attached ThunderbirdAddSecurityExceptionFails.png. Selecting "Permanently store this exception" and [Confirm Security Exception] no longer works. The popup closes but the mail is not sent. Oddly, we can pop mail from the same server. This only affects sending mail. Again, this has worked for years. Our mail server has not changed. The change is Thunderbird 91.2.
Thank you.
Actual results:
Thunderbird does not allow the exception.
Expected results:
Thunderbird has always and should allow the exception.
Comment 1•3 years ago
I just tested it again. Works fine over here with my test setup using a self signed certificate.
We also have no other report about this, so I suspect it's something specific to your setup.
Comment 2•3 years ago
I'm seeing this on Linux using 92.1.0
Comment 3•3 years ago
I should add this is for a mail server I've been using for years whose certificate has not changed recently.
Comment 4•3 years ago
My testing was on linux with 91.2 (I think you meant that as well).
Maybe the cert has some other problem as well...
Comment 5•3 years ago
Yes 91.2.0, sorry
Comment 6•3 years ago
Maybe some add-on is interfering. Try Help | Troubleshoot Mode.
Comment 7•3 years ago
Troubleshoot mode did not help me.
Comment 8•3 years ago
Still a problem in 91.2.1
Comment 9•3 years ago
In another bug someone had something similar and found it was antivirus doing a MITM attack on him. Make sure anti-virus/firewall is turned off.
Comment 10 (Reporter)•3 years ago
Thank you for the workstation firewall suggestion. I turned it off and unfortunately had the same results. I'll also note that the mail server and my workstation had not changed. The change was installing v. 91.2. Today I'm on 91.3.
Comment 11•3 years ago
Do you have a public test case? We didn't have any other reports, and it's certainly working in the normal case.
Comment 12 (Reporter)•3 years ago
Hello, Magnus. What is a "public test case"? My initial post documented what I observed. I'm now on 91.3.2 and the problem persists. Thank you.
Comment 13•3 years ago
We'd need to know the server hostname and port, to be able to test it.
Comment 14•3 years ago
Magnus I emailed you.
Comment 15•3 years ago
The server you sent me works just fine. After I add the exception I can connect to send just fine (actual sending doesn't, since I have no password).
console.debug: mailnews.smtp: "Connecting to smtp://<redacted>:587"
console.debug: mailnews.smtp: "Connected"
console.debug: mailnews.smtp: "S: 220 li692-198.members.linode.com ESMTP Sendmail 8.14.4/8.14.1; Wed, 1 Dec 2021 18:25:12 GMT\r\n"
console.debug: mailnews.smtp: "C: EHLO [192.168.10.11]"
console.debug: mailnews.smtp: "S: 250-li692-198.members.linode.com Hello 62-ip.example.com [62.x.x.x], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-STARTTLS\r\n250-DELIVERBY\r\n250 HELP\r\n"
console.debug: mailnews.smtp: "C: STARTTLS"
console.debug: mailnews.smtp: "S: 220 2.0.0 Ready to start TLS\r\n"
console.debug: mailnews.smtp: "C: EHLO [192.168.10.11]"
console.debug: mailnews.smtp: "S: 250-li692-198.members.linode.com Hello 62-ip.example.com [62.x.x.x], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-AUTH LOGIN PLAIN\r\n250-DELIVERBY\r\n250 HELP\r\n"
console.debug: mailnews.smtp: "Possible auth methods: PLAIN,LOGIN"
console.debug: mailnews.smtp: "Current auth method: PLAIN"
console.debug: mailnews.smtp: "Authentication via AUTH PLAIN"
Comment 16•3 years ago
I'm glad it's working for you but it isn't working for me. Is there a way for me to clear out my previous exceptions so I can add the exception again?
Comment 17•3 years ago
(In reply to Joseph Shraibman from comment #16)
> I'm glad it's working for you but it isn't working for me. Is there a way for me to clear out my previous exceptions so I can add the exception again?
OK, I found out how to do that but it didn't clear my problem :(
Comment 18•3 years ago
Yes, in the preferences, in the Certificates section. Choose Manage.
If you don't get it working, try in a new profile. If that doesn't work, it's something on your system or network.
Comment 19 (Reporter)•3 years ago
This is a reply to Magnus's "We'd need to know the server hostname and port, to be able to test it.": cybertools.biz:587
BTW I noticed that Thunderbird does store the exception in Preferences->Manage Certificates. I will attach as file thunderbird_certificate_manager_showing_cybertoolsbiz.png with the image.
Note that cybertools.biz:995.
Thank you!
Comment 20 (Reporter)•3 years ago
Comment 21•3 years ago
Remove it and store again? Maybe that's why it won't add.
Comment 22 (Reporter)•3 years ago
Hello, Magnus.
I've removed it and added it many times since reporting the error. It's odd that it's there & that Thunderbird won't honor it.
What is the name of the file that stores these data? Can I remove the file and try to add it that way?
Thank you.
Comment 23•3 years ago
I think key4.db and cert9.db
Comment 24•3 years ago
It might just be that the 1024-bit key on the server is the issue: https://www.immuniweb.com/ssl/cybertools.biz/dkDsm6WJ/
My understanding was that v38 saw the end of 1024-bit keys.
Comment 25•3 years ago
This is still a problem in 91.5.1. The exception is being stored, but when sending mail I'm still blocked. The certificate is 2048 bit.
Comment 26•3 years ago
(In reply to Joseph Shraibman from comment #25)
> This is still a problem in 91.5.1. The exception is being stored, but when sending mail I'm still blocked. The certificate is 2048 bit.
What choice of authentication and connection encryption are you using for the SMTP server?
Comment 27•3 years ago
These are the only TLS options I see in my sendmail config, apart from the options that set the locations of the cert file:
# SMTP STARTTLS server options
O TLSSrvOptions=V
Comment 28•3 years ago
(In reply to Joseph Shraibman from comment #27)
> These are the only TLS options I see in my sendmail config, apart from the options that set the locations of the cert file:
> # SMTP STARTTLS server options
> O TLSSrvOptions=V
In Thunderbird, you will need to go to the account settings, select Outgoing Server (SMTP) in the account list, select the outgoing server, and then click the Edit button.
I have no idea what your sendmail config has to do with this. I guess nothing, as Thunderbird uses the outgoing server setting to send mail, not sendmail.
Comment 29•3 years ago
Ah, I thought you were asking what the settings on my server were.
Connection security: STARTTLS
Authentication method: normal password
Comment 30•2 years ago
I finally figured it out. I had some uppercase letters in my server name in my outgoing server settings. When I changed to all lowercase letters the problem went away.
Now I'm having a different problem. When I try to send an email I'm not being prompted for my password to authenticate. The sending fails with the server saying "reject=550 5.7.1 <testemail@yahoo.com>... Relaying denied"
Comment 31•2 years ago
Currently using 91.11.0, BTW.
Comment 32•2 years ago
"Relaying denied" is a different issue: that means the server won't allow you to send from that address.
Comment 33•2 years ago
(In reply to Magnus Melin [:mkmelin] from comment #32)
> Relaying denied is a different issue - that means the server won't allow you to send from that address.
It shouldn't allow me to, until I authenticate. The question is why is Thunderbird not prompting me for my password?
Comment 34 (Reporter)•2 years ago
Thank you, Joseph. I had mixed case in my outgoing server name too (and have had it for many years). Changing to lower case fixed the problem! Hooray!
Comment 35•2 years ago
Does this still reproduce for you when using version 102, via Help > About ?
Comment 36•2 years ago
Yes this still happens.
Comment 37•2 years ago
A fix for this should be Thunderbird converting all server names to lower case, I would have thought, in line with RFC 4343: https://datatracker.ietf.org/doc/html/rfc4343
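The failure mode the thread converged on (comment 30, comment 34, comment 37) and the shape of the fix in the landed patch ("Convert server hostname to lowercase before connecting"), as an added illustration that is not Thunderbird's code. The override store, the "Add Security Exception" dialog and the SMTP connect routine below are simplified models; the assumption that the dialog records the exception under the canonical lowercase name while the connect path used the hostname exactly as configured is consistent with the reporter seeing the exception listed in the certificate manager yet still being blocked, but the bug page does not spell out which side differed. The fingerprint and hostnames are constructed.

```javascript
// Added example, not Thunderbird's code. Models how a mixed-case outgoing
// server hostname defeats a stored certificate exception when the override
// lookup is an exact string match, and how lowercasing before connecting
// (RFC 4343: DNS names are case-insensitive) fixes it.

// Canonical hostname: lowercase, no trailing dot; bracketed IPv6 literals
// are only lowercased (hex digits), never trimmed.
function normalizeHost(host) {
  let h = String(host).trim();
  if (h.startsWith("[") && h.endsWith("]")) return h.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h.toLowerCase();
}

// Exact-string override store: "host:port" -> accepted certificate fingerprint.
class OverrideStore {
  constructor() { this.entries = new Map(); }
  remember(host, port, fingerprint) { this.entries.set(`${host}:${port}`, fingerprint); }
  hasMatching(host, port, fingerprint) { return this.entries.get(`${host}:${port}`) === fingerprint; }
  list() { return [...this.entries.keys()]; }
}

// Assumed behaviour of the "Add Security Exception" dialog: the override is
// recorded under the canonical hostname, which is why the certificate
// manager shows an entry even though sending still fails.
function addSecurityException(store, host, port, fingerprint) {
  store.remember(normalizeHost(host), port, fingerprint);
}

// Sending mail: the STARTTLS handshake presents a self-signed certificate,
// so the connection proceeds only if an override matches the host we dialled.
// `lowercaseBeforeConnect` toggles the fix from the landed patch.
function connectSmtp(store, configuredHost, port, serverFingerprint, { lowercaseBeforeConnect }) {
  const dialHost = lowercaseBeforeConnect ? normalizeHost(configuredHost) : configuredHost;
  if (store.hasMatching(dialHost, port, serverFingerprint)) {
    return { ok: true, host: dialHost };
  }
  return { ok: false, host: dialHost, error: "The certificate is not trusted because it is self-signed." };
}

// Walk-through with constructed data (fingerprint value is made up).
function demo(configuredHost) {
  const fingerprint = "SHA256:demo-self-signed-fingerprint";
  const store = new OverrideStore();
  addSecurityException(store, configuredHost, 587, fingerprint);
  return {
    stored: store.list(),
    before: connectSmtp(store, configuredHost, 587, fingerprint, { lowercaseBeforeConnect: false }),
    after:  connectSmtp(store, configuredHost, 587, fingerprint, { lowercaseBeforeConnect: true }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Mixed case: stored under "mail.example.com:587", dialled as "Mail.Example.COM"
  // until the fix normalizes the connect side as well.
  console.log(JSON.stringify(demo("Mail.Example.COM"), null, 2));
  console.log(JSON.stringify(demo("mail.example.com"), null, 2));
}
```

The practitioner check this suggests: when a stored exception is visibly present but still not honoured, compare the exact key it was stored under with the exact host string the failing code path dials, including case and any trailing dot; a mismatch there is an exact-match bug, not a certificate problem.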
Comment 38 (Assignee)•2 years ago
Comment 39•2 years ago
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/b2697513aaef
Convert server hostname to lowercase before connecting. r=mkmelin
Comment 41 (Assignee)•2 years ago
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: self signed certificate may fail if hostname is not all lowercase
Testing completed (on c-c, etc.): beta
Risk to taking this patch (and alternatives if risky): low
Comment 42•2 years ago
Comment on attachment 9310600 [details] [diff] [review]
1735803-esr102.patch
[Triage Comment]
Approved for esr102
Comment 43•2 years ago
bugherder uplift
Thunderbird 102.7.0:
https://hg.mozilla.org/releases/comm-esr102/rev/3b5cd304f789