Closed Bug 1735803 Opened 3 years ago Closed 2 years ago

Send Message Error->Add Security Exception ->Confirm Security Exception FAILS - due to uppercase letters in outgoing hostname

Categories

(Thunderbird :: Security, defect)

Thunderbird 91
defect

Tracking

(thunderbird_esr102+ fixed)

RESOLVED FIXED
107 Branch
Tracking Status
thunderbird_esr102 + fixed

People

(Reporter: mark.roux, Assigned: rnons)

References

Details

(Whiteboard: [closeme 2022-10-10])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0

Steps to reproduce:

I've used Thunderbird for many years. After upgrading to 91.2, when we send mail to our mail server on port 587 with a self-signed certificate, we see the "Send Message Error: The certificate is not trusted because it is self-signed...". Selecting [Ok] segues to "Add Security Exception..." Please see the attached ThunderbirdAddSecurityExceptionFails.png. Selecting "Permanently store this exception" and [Confirm Security Exception] no longer work. The popup closes but the mail is not sent. Oddly, we can pop mail from the same server. This only affects sending mail. Again, this has worked for years. Our mail server has not changed. The change is Thunderbird 91.2.
Thank you.

Actual results:

Thunderbird does not allow the exception.

Expected results:

Thunderbird has always and should allow the exception.

Blocks: tb91found
Component: Untriaged → Security
Version: Thunderbird 92 → Thunderbird 91

I just tested it again. Works fine over here with my test setup using a self signed certificate.
We also have no other report about this, so I suspect it's something specific to your setup.

I'm seeing this on Linux using 92.1.0

I should add this is for a mail server I've been using for years whose certificate has not changed recently.

My testing was on linux with 91.2 (I think you meant that as well).

Maybe the cert has some other problem as well...

Yes 91.2.0, sorry

Maybe some add-on interfering. Try Help | Troubleshoot mode

Troubleshoot mode did not help me.

Still a problem in 91.2.1

In another bug someone had something similar and found it was antivirus doing a MITM attack on him. Make sure anti-virus/firewall is turned off.

Thank you for the workstation firewall suggestion. I turned it off and unfortunately had the same results. I'll also note that the mail server and my workstation had not changed. The change was installing v. 91.2. Today I'm on 91.3.

Do you have a public test case? We didn't have any other reports, and it's certainly working in the normal case.

Hello, Magnus. What is a "public test case"? My initial post documented what I observed. I'm now on 91.3.2 and the problem persists. Thank you.

We'd need to know the server hostname and port, to be able to test it.

Magnus I emailed you.

The server you sent me works just fine. After I add the exception I can connect to send just fine (actual sending doesn't since I have no pwd).

console.debug: mailnews.smtp: "Connecting to smtp://<redacted>:587"
console.debug: mailnews.smtp: "Connected"
console.debug: mailnews.smtp: "S: 220 li692-198.members.linode.com ESMTP Sendmail 8.14.4/8.14.1; Wed, 1 Dec 2021 18:25:12 GMT\r\n"
console.debug: mailnews.smtp: "C: EHLO [192.168.10.11]"
console.debug: mailnews.smtp: "S: 250-li692-198.members.linode.com Hello 62-ip.example.com [62.x.x.x], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-STARTTLS\r\n250-DELIVERBY\r\n250 HELP\r\n"
console.debug: mailnews.smtp: "C: STARTTLS"
console.debug: mailnews.smtp: "S: 220 2.0.0 Ready to start TLS\r\n"
console.debug: mailnews.smtp: "C: EHLO [192.168.10.11]"
console.debug: mailnews.smtp: "S: 250-li692-198.members.linode.com Hello 62-ip.example.com [62.x.x.x], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-AUTH LOGIN PLAIN\r\n250-DELIVERBY\r\n250 HELP\r\n"
console.debug: mailnews.smtp: "Possible auth methods: PLAIN,LOGIN"
console.debug: mailnews.smtp: "Current auth method: PLAIN"
console.debug: mailnews.smtp: "Authentication via AUTH PLAIN"

I'm glad it's working for you but it isn't working for me. Is there a way for me to clear out my previous exceptions so I can add the exception again?

(In reply to Joseph Shraibman from comment #16)

I'm glad it's working for you but it isn't working for me. Is there a way for me to clear out my previous exceptions so I can add the exception again?

OK I found out how to do that but it didn't clear my problem :(

Yes in the preferences in the Certificates section. Choose manage.
If you don't get it working, try in a new profile. If that doesn't work, it's something on your system or network.

This is a reply to Magnus's "We'd need to know the server hostname and port, to be able to test it.": cybertools.biz:587
BTW I noticed that Thunderbird does store the exception in Preferences->Manage Certificates. I will attach as file thunderbird_certificate_manager_showing_cybertoolsbiz.png with the image.
Note that cybertools.biz:995.

Thank you!

Remove it and store again? Maybe that's why it won't add.

Hello, Magnus.
I've removed it and added it many times since reporting the error. It's odd that it's there & that Thunderbird won't honor it.
What is the name of the file that stores these data? Can I remove the file and try to add it that way?
Thank you.

I think key4.db and cert9.db

It might just be the 1024bit key is the issue on the server https://www.immuniweb.com/ssl/cybertools.biz/dkDsm6WJ/

My understanding was V38 saw the end of 1024 bit keys.

This is still a problem in 91.5.1. The exception is being stored, but when sending mail I'm still blocked. The certificate is 2048 bit.

(In reply to Joseph Shraibman from comment #25)

This is still a problem in 91.5.1. The exception is being stored, but when sending mail I'm still blocked. The certificate is 2048 bit.

What choice of authentication and connection encryption are you using for the SMTP server?

These are the only TLS options I see in my sendmail config, apart from the options that set the locations of the cert file:

SMTP STARTTLS server options

O TLSSrvOptions=V

(In reply to Joseph Shraibman from comment #27)

These are the only TLS options I see in my sendmail config, apart from the options that set the locations of the cert file:

SMTP STARTTLS server options

O TLSSrvOptions=V

In Thunderbird, you will need to go to the account settings, select outgoing server (SMTP) in the account list and then the Edit button after you select the outgoing server (SMTP)

I have no idea what your sendmail config has to do with this. I guess nothing, as Thunderbird uses the outgoing server setting to send mail, not sendmail.

Ah I thought you were asking what the settings on my server were.

Connection security: STARTTLS
Authentication method: normal password

I finally figured it out. I had some uppercase letters in my server name in my outgoing server settings. When I changed to all lowercase letters the problem went away.

Now I'm having a different problem. When I try to send an email I'm not being prompted for my password to authenticate. The sending fails with the server saying "reject=550 5.7.1 <testemail@yahoo.com>... Relaying denied"

Currently using 91.11.0 BTW

Relaying denied is a different issue - that means the server won't allow you to send from that address.

Summary: Send Message Error->Add Security Exception ->Confirm Security Exception FAILS → Send Message Error->Add Security Exception ->Confirm Security Exception FAILS - due to uppercase letters in outgoing hostname

(In reply to Magnus Melin [:mkmelin] from comment #32)

Relaying denied is a different issue - that means the server won't allow you to send from that address.

It shouldn't allow me to, until I authenticate. The question is why is Thunderbird not prompting me for my password?

Thank you, Joseph. I had mixed case in my outgoing server name too (and have had it for many years). Changing to lower case fixed the problem! Hooray!

Does this still reproduce for you when using version 102, via Help > About?

Whiteboard: [closeme 2022-10-10]

Yes this still happens.

A fix for this should be Thunderbird converting all server names to lower case, I would have thought, in line with RFC 4343 https://datatracker.ietf.org/doc/html/rfc4343

Assignee: nobody → remotenonsense
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → 107 Branch

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/b2697513aaef
Convert server hostname to lowercase before connecting. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
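The mismatch this thread ends on, as an added illustration (not Thunderbird's code): a certificate-override store keyed on the hostname exactly as typed misses an exception recorded under a different spelling of the same name, while lowercasing the host before it is used, as the landed fix does, makes the two spellings agree. The store, helper names and fingerprint value are constructed for this example; this is one plausible shape of the bug, not a reading of Thunderbird's internals.

```javascript
// Constructed example: a minimal certificate-override store, not Thunderbird's
// implementation. Overrides are keyed by "host:port", like the entries shown in
// the Certificate Manager.
class OverrideStore {
  constructor(normalizeHost) {
    // normalizeHost decides how the host part of the key is canonicalized.
    this.normalizeHost = normalizeHost;
    this.overrides = new Map();
  }

  key(host, port) {
    return `${this.normalizeHost(host)}:${port}`;
  }

  // Called when the user clicks "Confirm Security Exception".
  addException(host, port, certFingerprint) {
    this.overrides.set(this.key(host, port), certFingerprint);
  }

  // Called when a connection presents an untrusted certificate.
  hasException(host, port, certFingerprint) {
    return this.overrides.get(this.key(host, port)) === certFingerprint;
  }
}

// Before the fix: the host is used exactly as typed in the account settings.
const asTyped = (host) => host;
// After the fix: DNS names are case-insensitive (RFC 4343), so lowercase the
// host before it is used as a key or handed to the connection code.
const lowercased = (host) => host.toLowerCase();

// Constructed fingerprint placeholder, not a real certificate value.
const FP = "SHA256:constructed-fingerprint-placeholder";

// The exception is recorded under the name the dialog received; if the account
// setting spells that name with different case, an exact-key lookup never hits.
function exceptionHonored(normalizeHost, typedHost, connectHost) {
  const store = new OverrideStore(normalizeHost);
  store.addException(connectHost, 587, FP);     // user confirms the exception
  return store.hasException(typedHost, 587, FP); // next send attempt looks it up
}

function demo() {
  return {
    buggy: exceptionHonored(asTyped, "Mail.Example.com", "mail.example.com"),
    fixed: exceptionHonored(lowercased, "Mail.Example.com", "mail.example.com"),
  };
}
```

The same canonicalization has to be applied at both the store and the lookup; normalizing only one side leaves the exception stored but never honored, which is exactly what the Certificate Manager screenshot in this thread showed.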

Perhaps worth uplifting.

Attached patch 1735803-esr102.patch (deleted) — Splinter Review

[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: self signed certificate may fail if hostname is not all lowercase
Testing completed (on c-c, etc.): beta
Risk to taking this patch (and alternatives if risky): low

Attachment #9310600 - Flags: approval-comm-esr102?

Comment on attachment 9310600 [details] [diff] [review]
1735803-esr102.patch

[Triage Comment]
Approved for esr102

Attachment #9310600 - Flags: approval-comm-esr102? → approval-comm-esr102+
