Closed Bug 455666 Opened 16 years ago Closed 16 years ago

installation of client certificate causes every first SMTP connection to fail

Product/Component: SeaMonkey :: MailNews: Backend
Type: defect
Version: SeaMonkey 1.1 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID
Reporter: tilman
Assignee: Unassigned

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.16) Gecko/20080702 SeaMonkey/1.1.11 Mnenhy/0.7.5.666
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.16) Gecko/20080702 SeaMonkey/1.1.11 Mnenhy/0.7.5.666

On a perfectly working SeaMonkey profile with an outgoing mail server configured with TLS (always) and without authentication (as the client is authorized to relay through this server because of its IP address) I installed an SSL client certificate from CAcert for authentication to certain websites. Ever since, the first attempt to send mail fails, first asking for the certificate to use but not offering the alternative "none" which would be the correct one, and then declaring incorrectly that the mail server refused the connection.
The mail server log shows that SeaMonkey connected and authenticated (unnecessarily) via TLS but disconnected again without issuing any mail commands.
If "remember this decision" is selected in the certificate selection dialog, subsequent mail transmissions work normally, though SeaMonkey continues to use the unneeded client certificate.

Reproducible: Always

Steps to Reproduce:
1. Configure SeaMonkey Mail outgoing mail SMTP server to use TLS, but no username and password.
2. Install an SSL client certificate, keeping the default setting of "client certificate selection: ask every time"
3. Restart SeaMonkey.
4. Send mail.
Actual Results:  
1. A dialog pops up:

User Identification Request
This site has requested that you identify yourself by a certificate.
Choose a certificate to use for identification.

It presents a dropdown list which contains a single entry with the installed client certificate, already selected, and a checkbox "remember this decision".

2. After accepting that dialog, an error message dialog pops up saying:

Error: send message
Sending of the message failed.
The message could not be sent because no connection could be established with the mail server mail.phnxsoft.com. The server is either unavailable or rejecting SMTP connections.

3. After dismissing that message, another dialog pops up asking for the master password for the software cryptography module.

4. After entering the correct password, the message composition window with the unsent message is still on the screen. Clicking the Send button again sends it without further problems.

5. As long as SeaMonkey is kept running, subsequent mail messages are sent without problems on the first attempt.

Expected Results:  
a) continue working as before the installation of the certificate, connecting to the SMTP server with TLS but not even attempting to use the client certificate because it is not needed

or (if there is no way for SeaMonkey to detect that client authentication is not needed)

b) ask for selection of the client certificate to use but offer the choice "none" resulting in an unauthenticated connection as before the installation of the certificate,

or

c) not even present the certificate selection dialog if I don't have any choice, anyway, but proceed directly to connect via TLS with the certificate,

but in any case, send the mail on the first attempt.

Log entries on the mail server (Sendmail) from the failed attempt:

Sep 17 09:55:38 posthamster sendmail[32037]: STARTTLS=server, relay=ws-tilman.phnxsoft.com [10.0.1.11], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 17 09:55:38 posthamster sendmail[32037]: m8H7oWej032037: ws-tilman.phnxsoft.com [10.0.1.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Log entries from the subsequent successful retry:

Sep 17 09:56:11 posthamster sendmail[32147]: STARTTLS=server, relay=ws-tilman.phnxsoft.com [10.0.1.11], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 17 09:56:12 posthamster sendmail[32147]: m8H7uBLU032147: from=<t.schmidt@phoenixsoftware.de>, size=3099, class=0, nrcpts=1, msgid=<48D0B81A.5060502@phoenixsoftware.de>, proto=ESMTP, daemon=MTA, relay=ws-tilman.phnxsoft.com [10.0.1.11]
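
The two sessions in the Sendmail log above share the same TLS handshake result and differ only in what follows it. As an added example (not part of the original report, and not SeaMonkey or Sendmail code), this Python script groups such lines by sendmail child PID and flags sessions where a client certificate verified but no mail command followed. The PID 32200 lines are constructed, and PID uniqueness within the log window is an assumption.

```python
import re

# The four Sendmail lines quoted in the report, plus one constructed pair
# (PID 32200) for a session in which the client presented no certificate.
SAMPLE_LOG = """\
Sep 17 09:55:38 posthamster sendmail[32037]: STARTTLS=server, relay=ws-tilman.phnxsoft.com [10.0.1.11], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 17 09:55:38 posthamster sendmail[32037]: m8H7oWej032037: ws-tilman.phnxsoft.com [10.0.1.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 17 09:56:11 posthamster sendmail[32147]: STARTTLS=server, relay=ws-tilman.phnxsoft.com [10.0.1.11], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 17 09:56:12 posthamster sendmail[32147]: m8H7uBLU032147: from=<t.schmidt@phoenixsoftware.de>, size=3099, class=0, nrcpts=1, msgid=<48D0B81A.5060502@phoenixsoftware.de>, proto=ESMTP, daemon=MTA, relay=ws-tilman.phnxsoft.com [10.0.1.11]
Sep 17 10:02:40 posthamster sendmail[32200]: STARTTLS=server, relay=ws-tilman.phnxsoft.com [10.0.1.11], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 17 10:02:41 posthamster sendmail[32200]: m8H82eXX032200: from=<sender@example.org>, size=1200, class=0, nrcpts=1, msgid=<constructed@example.org>, proto=ESMTP, daemon=MTA, relay=ws-tilman.phnxsoft.com [10.0.1.11]
"""

LINE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(r"STARTTLS=server, relay=(?P<relay>\S+) .*?verify=(?P<verify>\w+)")
IDLE = "did not issue MAIL/EXPN/VRFY/ETRN"
MAIL = re.compile(r"^\w+: from=<")  # queue id followed by the envelope sender


def summarize_sessions(log_text):
    """Group lines by sendmail child PID (assumed unique within the log window)."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a sendmail line
        s = sessions.setdefault(
            m["pid"], {"relay": None, "verify": None, "outcome": "unknown"})
        msg = m["msg"]
        tls = TLS.match(msg)
        if tls:
            # verify=OK: client certificate presented and verified;
            # verify=NO: the client presented no certificate.
            s["relay"], s["verify"] = tls["relay"], tls["verify"]
        elif IDLE in msg:
            s["outcome"] = "no-mail-commands"
        elif MAIL.match(msg):
            s["outcome"] = "mail-submitted"
    return sessions


def abandoned_after_client_cert(sessions):
    """PIDs where a client certificate verified but no mail was attempted."""
    return sorted(pid for pid, s in sessions.items()
                  if s["verify"] == "OK" and s["outcome"] == "no-mail-commands")


if __name__ == "__main__":
    result = summarize_sessions(SAMPLE_LOG)
    for pid, info in result.items():
        print(pid, info)
    print("abandoned after client cert:", abandoned_after_client_cert(result))
```
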
Version: unspecified → SeaMonkey 1.1 Branch

Ok, not sure if you already mentioned this in the bug report, but what happens when you click on the Cancel button in the client cert dialog? As far as I know this dialog is only presented when the server offers the possibility to authenticate via client cert.

Ok, choosing Cancel in that dialog causes the mail to be sent without using the certificate and without failure, so it effectively provides the choice "none" I asked for in alternative (b) of "expected behaviour". Thanks for pointing this out. (I had expected "Cancel" to cancel the entire mail, but have to admit never even tried it.)

The server is Sendmail, configured with a server certificate for encryption and with SMTP AUTH for relaying from external clients. I haven't knowingly set it up for SSL client authentication but obviously it does offer it anyway, as shown by the log entries I quoted. I don't know yet whether that behaviour can be influenced, but that is of course not a Mozilla question.

So from my point of view this bug can be closed as resolved.

Take a look at http://sial.org/howto/sendmail/tips/#s9.4, I think this tells you how to disable the cert request from the server.

Closing this bug as INVALID then as no real bug was found in SeaMonkey.

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID