1273359 - Thunderbird ceased to successfully fetch mail from Dovecot IMAP server with self-signed certs

Status: RESOLVED INVALID

(Thunderbird :: Untriaged, defect)

Description

[mike]

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160503092831

Steps to reproduce:

Server info:

# dpkg -l | egrep 'postfix|dovecot|sasauthd|spamassassin|opendkim'
ii  dovecot-core                          1:2.1.7-7+deb7u1                    amd64        secure mail server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-imapd                         1:2.1.7-7+deb7u1                    amd64        secure IMAP server that supports mbox, maildir, dbox and mdbox mailboxes
ii  libopendkim7                          2.6.8-4                             amd64        Library for signing and verifying DomainKeys Identified Mail signatures
ii  opendkim                              2.6.8-4                             amd64        Milter implementation of DomainKeys Identified Mail
ii  opendkim-tools                        2.6.8-4                             amd64        Set of command line tools for OpenDKIM
ii  postfix                               2.9.6-2                             amd64        High-performance mail transport agent
ii  spamassassin                          3.3.2-5+deb7u3                      all          Perl-based spam filter using text analysis

Client info:

$ uname -a
Linux fedora 4.4.9-300.fc23.x86_64 #1 SMP Wed May 4 23:56:27 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ sudo dnf info thunderbird
Last metadata expiration check: 0:39:43 ago on Mon May 16 20:58:02 2016.
Installed Packages
Name        : thunderbird
Arch        : x86_64
Epoch       : 0
Version     : 45.0
Release     : 4.fc23
Size        : 127 M
Repo        : @System
From repo   : updates
Summary     : Mozilla Thunderbird mail/newsgroup client
URL         : http://www.mozilla.org/projects/thunderbird/
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Description : Mozilla Thunderbird is a standalone mail and newsgroup client.

- In Thunderbird, choose Edit > Account Settings > Account Actions > Add Mail Account...
- Enter name, email, password


Actual results:

- Thunderbird accurately detects SMTP server settings
- Thunderbird fails to detect IMAP settings
- Upon filling in appropriate IMAP settings and clicking Re-test, "Probing server" is displayed for a long time.
- Dovecot repeated logs messages on the server like "dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<4H7KvAAzgABHDk4U>"
- If I click "Done" instead of "Re-test", I get an endless number of "Confirm Security Exception" pop-ups for the self-signed certificate.


Expected results:

- Thunderbird should have connected to the IMAP server and successfully logged in. Other clients like Gnome Evolution and iOS mail are able to successfully send & receive messages using the same settings. Thunderbird was also able to successfully send & receive up until recently. I'm not sure if a regular update brought about the issue, but nothing else changed on the server or client that I can think of.

Comment 1

[mike]

Follow-up: After hours of troubleshooting, I was able to resolve this issue by appending the text of the CA cert to Dovecot's certificate file. I had installed the CA certificate into Thunderbird's list of trusted CAs, so I'm not entirely sure why the server needed to explicitly provide it as well, but regardless, it's fixed.