Sending message fails when SSL set to other than never

VERIFIED INVALID

Status

MailNews Core
Networking: SMTP
--
major
VERIFIED INVALID
16 years ago
9 years ago

People

(Reporter: Sheela Ravindran, Assigned: Scott MacGregor)

Tracking

Trunk
x86
Windows 98

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
commercial trunk and branch builds:  2001-10-03-05

Sending message fails on an imap account migrated from 4.x to 6.2.  I have a 
valid certificate and have chosen in the preference to ask every time I send 
mail to authenticate. I also have two other secure preferences checked for both 
sending and receiving.
Use secure connection and Outgoing smtp server settings -set to when available.

But in a new profile created in branch build sending is fine when you have when 
available selected.  It is only with certification authentication combined with 
having outgoing server as when available is when it fails to send the message. 

Steps:

1. Migrate an imap account from 4.x to 6.2
2. Make sure you have a valid certificate for that account.
3. Change outgoing server to - when available
4. Also check Use Secure connection - so that it prompts for the certificate. It
   should also prompt for the password dialog with every send.
5. Compose a new message
6. Try to send that message

Actual result:  You get the certificate dlg. Ok to that dlg. Then you are 
prompted with your account password dlg. Enter the password and click ok.
Results in failing to send message. The dlg is "sending message failed".

I have seen this work when you have a new profile and have outgoing server 
set to when available.
(Reporter)

Comment 1

16 years ago
I used the same profile with 6.1 RTM build. I see the same problem and was not 
able to send mail when the ssl option was set to when available. I was able to 
send the mail after changing the option from when available to never.  I know we 
had few bugs regarding this problem with 6.1. 
This is not a recent regression and has been there since 6.1 and still is a 
problem in 6.2

I also have a new profile without any certificates involved which is in 6.2 an 
imap account.  If you have SSL checked to when available I was able to send the 
message.  
As per esther changing qa contact. 
QA Contact: nbaca → junruh
(Reporter)

Comment 2

16 years ago
John,
I searched your bug list and was not able to find any send failing bugs. So I 
logged a new one. I am not sure if there is an open bug which fails to send in 
the particular scenario on which I filed this bug. Sorry if this is a dup.  

But I just wanted to repeat that creating a new profile which does not have any 
certification and having outgoing smtp server set to when available does work 
in the 0.9.4 -2001-10-04-06 branch build.
It is only when you have a valid certificate which prompts when you 
open mail and sending message with outgoing smtp when available fails to send 
the message. 

Comment 3

16 years ago
ssl/smtp should not prompt you for the name/pwd. If it does that means that the
signing cert you're using is not valid.

It may be valid as per validity dates, but it may not be valid as per the
ssl/imap and smtp/ssl server. These servers actually take the cert you present
and compare it to the cert stored for you on the LDAP server.

They may not be the same.

You can check this by using N6 to read the serial number off the cert viewer for
your signing/client-auth cert.  You can then ask a buddy to use communicator to
import your cert from phonebook (there's a link in your entry) and read the serial
number off of that. If they don't match, then your cert is not valid.  The SN
from the phonebook cert will most probably be higher than that from your cert db.

You could have entered into this cert situation if you've recently obtained a
cert using N6, and didn't import the cert into 4.7X. Can you use ssl/smtp from
4.7x using that profile?

Find the p12 you may have created when you got the cert that's on the phonebook,
or failing that, get a new cert from certificate.netscape.com.

Please let me know what you find.

Comment 4

16 years ago
Sheelar has two certs in the corporate directory:
----
Serial Number: 16466 (0x4052)
Validity:     Not Before: Wed Aug 08 20:02:00 2001
              Not After: Mon Feb 04 20:02:00 2002
Encryption cert
----
Serial Number: 16467 (0x4053)
Validity:     Not Before: Wed Aug 08 20:02:00 2001
              Not After: Mon Feb 04 20:02:00 2002
Signing cert
----
Sheelar: when you look in the cert viewer, do you see these certs? If not,
that's likely to be the cause of your problems.
Please also select "Ask every time" from the prefs window (Privacy &
Security/Certificates).  That will help troubleshoot the problem.

Comment 5

16 years ago
Even if the cert is not valid, the user should be able to authenticate with a 
password.

An SMTP debug log would be helpful.  setenv NSPR_LOG_MODULES SMTP:5
(Reporter)

Comment 6

16 years ago
Bob, 
I don't see the certificates that you listed here on my system.  The only one I
see in the viewer is valid from Fri Jun 15, 2001 to Wed Dec 12, 2001.
I got this certificate using 4.x and not 6.x. Then I migrated the profile from 
4.x to 6.x (0.9.4-2001-10-04-05) branch build. 
I did go back and check the preference and it has Ask me every time checked.
Should I get a new certificate again?
How do I make sure the certificate I see is the same as the one on the LDAP server? 
The one you have listed on the server is expired. So how come the new
certificate I got is not reflecting in the LDAP server? 
(Reporter)

Comment 7

16 years ago
Created attachment 52238 [details]
SMTPLOG
(Reporter)

Comment 8

16 years ago
Sorry on my previous comments. I said the certificates mentioned by Bob were 
expired but they are not. They expire much later than what I see on my system.

As per Stephane Saux I do have the conflict on certs not matching with what I 
see on the LDAP server.  As per her instructions I did go to the communicator 
and checked my certificate from the phone book and the expiration is as what Bob 
has mentioned which is Serial Number: 16466 (0x4052)
Validity:     Not Before: Wed Aug 08 20:02:00 2001
              Not After: Mon Feb 04 20:02:00 2002
Encryption cert

So this is a problem specific to my machine. I am not sure how I got into this 
state. I was wondering how I would be able to fix this problem?

Comment 9

16 years ago
According to the protocol log, the server is advertising no authentication 
mechanisms before negotiating TLS and only the EXTERNAL authentication mechanism 
after negotiating TLS.  When the EXTERNAL authentication fails (due to the cert 
mismatch against the directory) there is no other authentication mechanism to 
try.

Is Mozilla prompting for the SMTP server password or the password for the 
certificate?  If the former, then Mozilla is unnecessarily prompting before the 
necessary failure--as there are no password-based mechanisms advertised by the 
server, there is no point to prompt for an SMTP server password.

Aside from the password prompting issue, this is basically a server bug and/or 
misconfiguration.  The server should not be advertising the EXTERNAL mechanism 
if authentication is not needed.  Newer versions of Messaging server are even 
smart enough to not ask for a client cert when authentication is not needed.
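
The condition comment 9 reads out of the protocol log can be checked mechanically. The following is an added example, not part of the bug thread or of Mozilla's code; the transcript is constructed and the `C:`/`S:` line format is an assumption, not the NSPR log format.

```python
import re

# Constructed SMTP session (not the log attached to this bug), shaped like the
# exchange comment 9 describes. "C:" is the client, "S:" is the server.
SAMPLE = """\
C: EHLO client.example
S: 250-mail.example
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example
S: 250-mail.example
S: 250 AUTH EXTERNAL
C: AUTH EXTERNAL =
S: 535 Authentication failed
"""
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def analyze(transcript):
    """Return (AUTH mechanisms offered per phase, mechanisms whose AUTH failed)."""
    offered, failed = {"cleartext": set(), "tls": set()}, []
    phase, verb, arg, awaiting = "cleartext", "", "", False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        parts = text.split()
        if side == "C" and parts and not awaiting:  # skip SASL continuation data
            verb, arg = parts[0].upper(), (parts[1].upper() if len(parts) > 1 else "")
        m = REPLY.match(text.strip()) if side == "S" else None
        if not m:
            continue
        code, rest = m.group(1), m.group(3)
        awaiting = verb == "AUTH" and code == "334"
        words = rest.replace("=", " ").split()  # also accepts legacy "AUTH=LOGIN"
        if verb == "EHLO" and code == "250" and words and words[0].upper() == "AUTH":
            offered[phase].update(w.upper() for w in words[1:])
        elif verb == "STARTTLS" and code == "220":
            phase = "tls"  # capabilities are re-advertised after the handshake
        elif verb == "AUTH" and code[0] == "5":
            failed.append(arg)
    return offered, failed

def diagnose(offered, failed):
    """Name the condition from comment 9, or return None if it does not apply."""
    fallback = (offered["cleartext"] | offered["tls"]) - {"EXTERNAL"}
    if "EXTERNAL" in failed and not fallback:
        return "EXTERNAL failed and no other mechanism is advertised"
    if offered["tls"] == {"EXTERNAL"}:
        return "only EXTERNAL after TLS: the client certificate is the sole credential"
    return None
```

On the constructed session, `diagnose(*analyze(SAMPLE))` reports the first condition; a server that also advertised a password mechanism after TLS would return `None`.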

Comment 10

16 years ago
Sheela:  I'm not sure how you got into this state.  One likely possibility:
-You got cert "A" from the internal CA, and saved it in a .p12 file.  The CA
published cert "A" to the directory.
-You got cert "B" from the internal CA, but did not back it up.  The CA
published cert "B" to the directory and deleted cert "A"
-You recreated your profile, and restored the cert "A" .p12 file
In this scenario, when you try to visit the mail server you present cert A, but
the mail server notes that only cert B is on file.  Since you don't have the
most current cert, it fails-over to name/password.

I think there are two options for getting you back to a cert-enabled state:
1. Find the backup of cert B, if you have one   -or-
2. Get a new cert from the internal CA (and back it up! :-) )  

Option 2 is probably the most straightforward. Unless anyone else has other
ideas or wants to inspect your machine, I'd recommend that option.

Comment 11

16 years ago
John G. Myers:
The password prompt can also be the IMAP pwd. If the user uses SSL/IMAP and the
cert is not accepted, then IMAP server on nsmail does fall back to name/pwd, and
the prompt would come up because the send mail needs to access the sent folder
on the IMAP folder.

Sheela:
certificates.netscape.com is the place to get a cert.  If you use N6.x you'll
get a dual-key cert. And as Bob Lord advised, you should back it up.
(Reporter)

Comment 12

16 years ago
Stephane,
Is it better for me to get the certificate again using 4.x? Because I could at
some point delete my profiles on 6.x and migrate from 4.x again. So it is better
for me to get a new certificate again from 4.x and then migrate the profile,
correct? Then I will probably eliminate the confusion of having certificates
different one on 4.x and 6.x.  
(Reporter)

Comment 13

16 years ago
I got a new certificate from 4.7. Yes! backed up this time:) And I migrated the 
profile and I was able to send the message with SSL settings set to when 
available. I am not getting any send failure.

Thanks everyone here who helped me to get through this problem. I really 
appreciate the timely response.  I will mark this bug as invalid since this is 
actually not a bug.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
(Reporter)

Comment 14

16 years ago
Verified bug as invalid. 
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core