Closed
Bug 103041
Opened 23 years ago
Closed 23 years ago
Sending message fails when SSL set to other than never
Categories
(MailNews Core :: Networking: SMTP, defect)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: sheelar, Assigned: mscott)
Details
Attachments
(1 file)
2.06 KB,
text/plain
commercial trunk and branch builds: 2001-10-03-05

Sending message fails on an imap account migrated from 4.x to 6.2. I have a valid certificate and have chosen in the preference to ask every time I send mail to authenticate. I also have two other secure preferences checked for both sending and receiving. Use secure connection and Outgoing smtp server settings -set to when available. But in a new profile created in branch build sending is fine when you have when available selected. It is only with certification authentication combined with having outgoing server as when available is when it fails to send the message.

Steps:
Migrate an imap account from 4.x to 6.2
Make sure you have a valid certificate for that account.
Change outgoing server to - when available
Also check Use Secure connection - so that it prompts for the certificate. It should also prompt for the password dialog with every send.
Compose a new message
Try to send that message

Actual result:
You get the certificate dlg. Ok to that dlg.
Then you are prompted with your account password dlg.
Enter the password and click ok
Results in failing to send message. The dlg is "sending message failed".

I have seen this work when you have a new profile with and have outgoing server set to when available.
Reporter
Comment 1•23 years ago
I used the same profile with 6.1 RTM build. I see the same problem and was not able to send mail when the ssl option was set to when available. I was able to send the mail after changing the option from when available to never. I know we had few bugs regarding this problem with 6.1. This is not a recent regression and has been there since 6.1 and still is a problem in 6.2.

I also have a new profile without any certificates involved which is in 6.2 an imap account. If you have SSL checked to when available I was able to send the message.

As per Esther changing qa contact.
QA Contact: nbaca → junruh
Reporter
Comment 2•23 years ago
John, I searched your bug list and was not able to find any send failing bugs. So I logged a new one. I am not sure if there is an open bug which fails to send in the particular scenario on which I filed this bug. Sorry if this is a dup. But I just wanted to repeat that creating a new profile which does not have any certification and having outgoing smtp server set to when available does work in the 0.9.4 -2001-10-04-06 branch build. It is only when you have a valid certificate which prompts when you open mail and sending message with outgoing smtp when available fails to send the message.
Comment 3•23 years ago
ssl/smtp should not prompt you for the name/pwd. If it does that means that the signing cert you're using is not valid. It may be valid as per validity dates, but it may not be valid as per the ssl/imap and smtp/ssl server. These servers actually take the cert you present and compare it to the cert stored for you on the LDAP server. They may not be the same.

You can check this by using N6 to read the serial number off the cert viewer for your signing/client-auth cert. You can then ask a buddy to use communicator to import your cert from phonebook (there's a link in your entry) and read the serial number off of that. If they don't match, then your cert is not valid. The SN from the phonebook cert will most probably be higher than that from your cert db.

You could have entered into this cert situation if you've recently obtained a cert using N6, and didn't import the cert into 4.7X. Can you use ssl/smtp from 4.7x using that profile? Find the p12 you may have created when you got the cert that's on the phonebook, or failing that, get a new cert from certificate.netscape.com.

Please let me know what you find.
Sheelar has two certs in the corporate directory:

----
Serial Number: 16466 (0x4052)
Validity:
Not Before: Wed Aug 08 20:02:00 2001
Not After: Mon Feb 04 20:02:00 2002
Encryption cert
----
Serial Number: 16467 (0x4053)
Validity:
Not Before: Wed Aug 08 20:02:00 2001
Not After: Mon Feb 04 20:02:00 2002
Signing cert
----

Sheelar: when you look in the cert viewer, do you see these certs? If not, that's likely to be the cause of your problems. Please also select "Ask every time" from the prefs window (Privacy & Security/Certificates). That will help troubleshoot the problem.
Comment 5•23 years ago
Even if the cert is not valid, the user should be able to authenticate with a password. An SMTP debug log would be helpful.

setenv NSPR_LOG_MODULES SMTP:5
Reporter
Comment 6•23 years ago
Bob, I don't see the certificates that you listed here on my system. The only one I see in the viewer is valid from Fri Jun 15, 2001 to Wed Dec 12, 2001. I got this certificate using 4.x and not 6.x. Then I migrated the profile from 4.x to 6.x (0.9.4-2001-10-04-05) branch build. I did go back and check the preference and it has Ask me everytime checked. Should I get a new certificate again? How do I make sure the certificate I see is the same as the one on the LDAP server? The one you have listed on the server is expired. So how come the new certificate I got is not reflecting in the LDAP server?
Reporter
Comment 7•23 years ago
Reporter
Comment 8•23 years ago
Sorry on my previous comments. I said the certificates mentioned by Bob were expired but they are not. They expire much later than what I see on my system. As per Stephane Saux I do have the conflict on certs not matching with what I see on the LDAP server. As per her instructions I did go to the communicator and checked my certificate from the phone book and the expiration is as what Bob has mentioned which is

Serial Number: 16466 (0x4052)
Validity:
Not Before: Wed Aug 08 20:02:00 2001
Not After: Mon Feb 04 20:02:00 2002
Encryption cert

So this is a problem specific to my machine. I am not sure how I got into this state. I was wondering how I would be able to fix this problem?
Comment 9•23 years ago
According to the protocol log, the server is advertising no authentication mechanisms before negotiating TLS and only the EXTERNAL authentication mechanism after negotiating TLS. When the EXTERNAL authentication fails (due to the cert mismatch against the directory) there is no other authentication mechanism to try.

Is Mozilla prompting for the SMTP server password or the password for the certificate? If the former, then Mozilla is unnecessarily prompting before the necessary failure--as there are no password-based mechanisms advertised by the server, there is no point to prompt for an SMTP server password.

Aside from the password prompting issue, this is basically a server bug and/or misconfiguration. The server should not be advertising the EXTERNAL mechanism if authentication is not needed. Newer versions of Messaging server are even smart enough to not ask for a client cert when authentication is not needed.
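The capability check described in comment 9, combined with the serial-number comparison from comment 3, as an added example (not code from Mozilla or from anyone in this thread). The EHLO replies, the host name `mail.example.test`, the stale serial `0x3000` and all function names are constructed; matching on the serial alone is a simplification of the server's directory comparison.

```python
# Constructed EHLO replies modelling the behaviour reported in the thread:
# no AUTH line before STARTTLS, only AUTH EXTERNAL once TLS is negotiated.
EHLO_PLAIN = "250-mail.example.test\r\n250-8BITMIME\r\n250 STARTTLS\r\n"
EHLO_TLS = "250-mail.example.test\r\n250-8BITMIME\r\n250 AUTH EXTERNAL\r\n"
# Constructed contrast case: a server that also offers password mechanisms.
EHLO_TLS_WITH_PASSWORD = "250-mail.example.test\r\n250 AUTH EXTERNAL PLAIN LOGIN\r\n"

PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5"}
DIRECTORY_SERIALS = {0x4052, 0x4053}  # the two serials quoted from the directory
STALE_SERIAL = 0x3000                 # constructed: a cert the directory no longer lists


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters; the first line is the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        # "AUTH=LOGIN PLAIN" is a legacy spelling of "AUTH LOGIN PLAIN".
        words = line[4:].upper().replace("=", " ").split()
        if words:
            caps[words[0]] = words[1:]
    return caps


def cert_accepted(presented_serial):
    """Simplified directory check: is the presented cert the one on file?"""
    return presented_serial in DIRECTORY_SERIALS


def auth_plan(ehlo_after_tls, presented_serial):
    """Return (mechanism or None, whether a password prompt is useful)."""
    mechs = parse_ehlo(ehlo_after_tls).get("AUTH", [])
    if "EXTERNAL" in mechs and cert_accepted(presented_serial):
        return ("EXTERNAL", False)
    for mech in mechs:
        if mech in PASSWORD_MECHS:
            return (mech, True)
    # Nothing left to try: prompting for an SMTP password cannot help here.
    return (None, False)


if __name__ == "__main__":
    print("pre-TLS AUTH:", parse_ehlo(EHLO_PLAIN).get("AUTH"))
    print("current cert:", auth_plan(EHLO_TLS, 0x4053))
    print("stale cert:  ", auth_plan(EHLO_TLS, STALE_SERIAL))
    print("with fallback:", auth_plan(EHLO_TLS_WITH_PASSWORD, STALE_SERIAL))
```
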
Comment 10•23 years ago
Sheela: I'm not sure how you got into this state. One likely possibility:

-You got cert "A" from the internal CA, and saved it in a .p12 file. The CA published cert "A" to the directory.
-You got cert "B" from the internal CA, but did not back it up. The CA published cert "B" to the directory and deleted cert "A"
-You recreated your profile, and restored the cert "A" .p12 file

In this scenario, when you try to visit the mail server you present cert A, but the mail server notes that only cert B is on file. Since you don't have the most current cert, it fails-over to name/password.

I think there are two options for getting you back to a cert-enabled state:

1. Find the backup of cert B, if you have one
-or-
2. Get a new cert from the internal CA (and back it up! :-) )

Option 2 is probably the most straightforward. Unless anyone else has other ideas or wants to inspect your machine, I'd recommend that option.
Comment 11•23 years ago
John G. Myers: The password prompt can also be the IMAP pwd. If the user uses SSL/IMAP and the cert is not accepted, then IMAP server on nsmail does fall back to name/pwd, and the prompt would come up because the send mail needs to access the sent folder on the IMAP folder.

Sheela: certificates.netscape.com is the place to get a cert. If you use N6.x you'll get a dual-key cert. And as Bob Lord advised, you should back it up.
Reporter
Comment 12•23 years ago
Stephane, is it better for me to get the certificate again using 4.x? Because I could at some point delete my profiles on 6.x and migrate from 4.x again. So it is better for me to get a new certificate again from 4.x and then migrate the profile, correct? Then I will probably eliminate the confusion of having certificates different one on 4.x and 6.x.
Reporter
Comment 13•23 years ago
I got a new certificate from 4.7. Yes! backed up this time:) And I migrated the profile and I was able to send the message with SSL settings set to when available. I am not getting any send failure. Thanks everyone here who helped me to get through this problem. I really appreciate the timely response. I will mark this bug as invalid since this is actually not a bug.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core