Hi,

I am on TB 115.5.0 on Linux. Since some recent update TB is unable to
retrieve mail on my LAN dovecot server which uses a private certificate.

Notice that I can not use a public certificate, because I don't have a
public domain. My domain name is faked.

I had notes from previous occurrences:

+++···························

Thunderbird (2023-07-02):

<2.6> 2023-07-02T13:52:31.144979+02:00 Telcontar dovecot - - -
imap-login: Disconnected: Connection closed: SSL_accept() failed:
error:14094412:SSL routines:ssl3_re
ad_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth
attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS
handshaking: SSL_accept() failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:
SSL alert number 42, session=<2DNWr3//7I5/AAAB>
<2.6> 2023-07-02T13:52:32.244736+02:00 Telcontar dovecot - - -
imap-login: Disconnected: Connection closed: SSL_accept() failed:
error:14094412:SSL routines:ssl3_re
ad_bytes:sslv3 alert bad certificate: SSL alert number 42 (no auth
attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS
handshaking: SSL_accept() failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:
SSL alert number 42, session=<CPtmr3///I5/AAAB>

Regenerate certificates.

cd /etc/dovecot
rm /etc/ssl/private/dovecot.pem
rm /etc/ssl/private/dovecot.crt
bash mkcert.sh
time openssl dhparam -out /etc/dovecot/dh.pem 4096

Delete certificate in Thunderbird (settings, search for "cert"), Manage
Certificates, Servers tab.
Then "Get messages / "cer", authorize cert.
···························++-

Problem is, Thunderbird just can't read the emails, and never prompts
about the certificate, so it is impossible to create an exception. TB
just keeps silent (checking server capabilities).

Is there a way to force TB to just accept the certificate and get along?

--
Cheers, Carlos.

Carlos E.R. wrote:

> TB is unable to retrieve mail on my LAN dovecot server which uses a
> private certificate.

import your server's cert (or your ca's root cert) into TB

Settings/Privacy&Security/ManageCertificates

On 2023-12-29 14:36, Andy Burns wrote:
> Carlos E.R. wrote:
>
>> TB is unable to retrieve mail on my LAN dovecot server which uses a
>> private certificate.
>
> import your server's cert (or your ca's root cert) into TB
>
> Settings/Privacy&Security/ManageCertificates

There is no ca.

--
Cheers, Carlos.

Carlos E.R. wrote:

> Andy Burns wrote:
>
>> Carlos E.R. wrote:
>>
>>> TB is unable to retrieve mail on my LAN dovecot server which uses a
>>> private certificate.
>>
>> import your server's cert (or your ca's root cert) into TB
>>
>> Settings/Privacy&Security/ManageCertificates
>
> There is no ca.

So just import the self-signed cert and tell TB that you trust it

Or if it refuses that, make yourself a mini-ca using openSSL and create
a new cert for your dovecot that way?

On 2023-12-29 15:45, Andy Burns wrote:
> Carlos E.R. wrote:
>
>> Andy Burns wrote:
>>
>>> Carlos E.R. wrote:
>>>
>>>> TB is unable to retrieve mail on my LAN dovecot server which uses a
>>>> private certificate.
>>>
>>> import your server's cert (or your ca's root cert) into TB
>>>
>>> Settings/Privacy&Security/ManageCertificates
>>
>> There is no ca.
>
> So just import the self-signed cert and tell TB that you trust it

How? It doesn't prompt. See below.

>
> Or if it refuses that, make yourself a mini-ca using openSSL and create
> a new cert for your dovecot that way?

That is above my abilities.

I did a test.

I created a new TB profile, and as account I added only my own
dovecot/postfix. TB found them instantly and offered to add an
exception. I said yes and it worked, instantly.

But the main TB profile DOES NOT ASK!

So in the test profile I looked in file "cert_override.txt" where there
is a single line for my private certificate. I stopped the main TB,
copied that line there, then started the main TB. Still can not read
mail from dovecot. It says "checking server capabilities" for a long time.

And Settings/Manage Certificates does not show the line for the local
server that I just wrote. It is ignored. My guess is that it needs
adding the certificate to cert9.db.

So, is there a way to force TB to add an exception?

Following some advice, yesterday I tried to:

<https://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-to-dovecot-and-postfix>

+++·····················
* in the problematic email acount in incoming mail server
settings I temporarily changed the address of the mail server,
* I created a new account with correct incoming mails server adress,
when receiving emails I accepted wtih no problem the certificate,
* I deleted the new account.
* and I restored the correct address of the incoming mail server
in the original account.
·····················++-

(on step 1, I had to restart TB. There is no way out).

Nah, doesn't work.

The "new" account only sees "INBOX" folder. Does not ask for certificate
exception, only for the user password.

The old one sees them all (maybe cached), sees the mails (probably
cached), but can read none. It gets stuck at "checking mail server
capabilities" for a long time. Oh, it gave up silently without reading
the message.

--
Cheers, Carlos.

Carlos E.R. wrote:

> On 2023-12-29 15:45, Andy Burns wrote:
>> Carlos E.R. wrote:
>>
>>> Andy Burns wrote:
>>>
>>>> Carlos E.R. wrote:
>>>>
>>>>> TB is unable to retrieve mail on my LAN dovecot server which uses a
>>>>> private certificate.
>>>>
>>>> import your server's cert (or your ca's root cert) into TB
>>>>
>>>> Settings/Privacy&Security/ManageCertificates
>>>
>>> There is no ca.
>>
>> So just import the self-signed cert and tell TB that you trust it
>
> How? It doesn't prompt. See below.

go into settings, certificates as I said above, and there is an import
button on the servers tab ...

On 2023-12-29 21:25, Andy Burns wrote:
> Carlos E.R. wrote:
>
>> On 2023-12-29 15:45, Andy Burns wrote:
>>> Carlos E.R. wrote:
>>>
>>>> Andy Burns wrote:
>>>>
>>>>> Carlos E.R. wrote:
>>>>>
>>>>>> TB is unable to retrieve mail on my LAN dovecot server which uses
>>>>>> a private certificate.
>>>>>
>>>>> import your server's cert (or your ca's root cert) into TB
>>>>>
>>>>> Settings/Privacy&Security/ManageCertificates
>>>>
>>>> There is no ca.
>>>
>>> So just import the self-signed cert and tell TB that you trust it
>>
>> How? It doesn't prompt. See below.
>
> go into settings, certificates as I said above, and there is an import
> button on the servers tab ...

What button?

Import certificate? Doesn't work. It demands an https:// address. What
do I put there, my local machine? Doesn't respond on https. I would have
to put the certificate on some reachable path, before TB can download it.

TB. Settings. Search for "cert".

Certificates
When a server requests my personal certificate:
( ) Select one automatically (*) Ask me every time

[*] Query OCSP responder servers to confirm the current validity of
certificates

[Manage Certificates]. Click.

Servers tab. There is an [Add Exception]. Click.

Location: [https:// ]

[Get Certificate] Grayed out, does not respond.

What now?

I fill: Location: [https://telcontar.valinor ]

Now click on [Get Certificate]

Responds:

No information Available
Unable to obtain information status for this site.

Telcontar:~ # ls -ltr /var/log/apache2/
total 2136
-rw-r--r-- 1 root root 10 Jun 7 2013 rcapache2.out
-rw-r--r-- 1 root root 782632 Dec 20 22:18 error_log
-rw-r--r-- 1 root root 1386721 Dec 29 20:04 access_log
Telcontar:~ #

Telcontar:~ # tail /var/log/apache2/access_log
....
192.168.1.14 - - [28/Dec/2023:20:57:09 +0100] "GET
/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=yo%40telcontar.valinor
HTTP/1.1" 404 1009 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0)
Gecko/20100101 Thunderbird/115.5.0"
127.0.0.1 - - [29/Dec/2023:20:04:53 +0100] "GET
/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=cer%40telcontar.valinor
HTTP/1.1" 404 1009 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0)
Gecko/20100101 Thunderbird/115.5.0"

I would have to setup some path on https on my simple internal apache
server, which currently does not do https, and no intention to, just to
be able to allow TB to import some certificate?

REALLY?

--
Cheers, Carlos.

Carlos E.R. wrote:

> What now?

ok, so you probably do need to setup your own mini-ca, to issue your own
cert to dovecot, it's pretty simple in a DOS windows for openSSL

then you can import your ca's root cert in the TB authorities tab, then
your mail server cert is trusted, because the ca is trusted.

https://jamielinux.com/docs/openssl-certificate-authority/

On 2023-12-29 14:28, Carlos E.R. wrote:
> Hi,
>
> I am on TB 115.5.0 on Linux. Since some recent update TB is unable to
> retrieve mail on my LAN dovecot server which uses a private certificate.
>
> Notice that I can not use a public certificate, because I don't have a
> public domain. My domain name is faked.
>
>
> I had notes from previous occurrences:
>
>
> +++···························
>
> Thunderbird (2023-07-02):
>
....
> Regenerate certificates.
>
> cd /etc/dovecot
> rm /etc/ssl/private/dovecot.pem
> rm /etc/ssl/private/dovecot.crt
> bash mkcert.sh
> time openssl dhparam -out /etc/dovecot/dh.pem 4096
>
> Delete certificate in Thunderbird (settings, search for "cert"), Manage
> Certificates, Servers tab.
> Then "Get messages / "cer", authorize cert.
> ···························++-
>
>
> Problem is, Thunderbird just can't read the emails, and never prompts
> about the certificate, so it is impossible to create an exception. TB
> just keeps silent (checking server capabilities).
>
>
>
> Is there a way to force TB to just accept the certificate and get along?

Found the trick (actually Andrei Borzenkov found it).

Click on the INBOX folder. Then click on the "GET Messages" icon, which
is a tiny cloud icon at the top left of the left hand panel. Then, and
only then, TB asks about the certificate and offers to make an exception.

--
Cheers, Carlos.

On 2023-12-30 14:22, Carlos E.R. wrote:
> On 2023-12-29 14:28, Carlos E.R. wrote:
>> Hi,

....

>> Is there a way to force TB to just accept the certificate and get along?
>
> Found the trick (actually Andrei Borzenkov found it).
>
> Click on the INBOX folder. Then click on the "GET Messages" icon, which
> is a tiny cloud icon at the top left of the left hand panel. Then, and
> only then, TB asks about the certificate and offers to make an exception.
>

More information:

<https://bugzilla.mozilla.org/show_bug.cgi?id=1764770>

Comments 49..52 are quite interesting.

Some comments say that you have to click the get messages button several
times, it is random.

--
Cheers, Carlos.