Issue to connect to Exchange IMAP server using self-signed certificate with 78.1.1, works with 68.11.0
Categories: MailNews Core :: Networking: IMAP, defect
Tracking: Not tracked
People: Reporter: david.mentre, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Steps to reproduce:
At work I connect Thunderbird to an MS Exchange IMAP server with the following parameters:
Port: 143
Security: STARTTLS
Auth method: Normal password
I used this setting for years with Thunderbird on an Exchange IMAP server.
Actual results:
With Thunderbird 78.1.1 (32 bits), the connection fails with an "Authentication method is not supported" error message. In particular, in the log I have the following result:
"""
2020-08-11 16:38:03.717000 UTC - [(null) 18072: IMAP]: D/IMAP Try to log in
2020-08-11 16:38:03.717000 UTC - [(null) 18072: IMAP]: D/IMAP IMAP auth: server caps 0x40486631, pref 0x1006, failed 0x0, avail caps 0x0
2020-08-11 16:38:03.717000 UTC - [(null) 18072: IMAP]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
2020-08-11 16:38:03.717000 UTC - [(null) 18072: IMAP]: D/IMAP No remaining auth method
"""
Expected results:
With Thunderbird 68.11.0 (64bits) that I reinstalled on the same machine, with the same account parameters, connection to Exchange IMAP server succeeds without any issue. In the log I have:
"""
2020-08-12 06:40:58.940000 UTC - [(null) 17584: Unnamed thread 000001E09D177400]: D/IMAP Try to log in
2020-08-12 06:40:58.940000 UTC - [(null) 17584: Unnamed thread 000001E09D177400]: D/IMAP IMAP auth: server caps 0x41587635, pref 0x1006, failed 0x0, avail caps 0x1004
2020-08-12 06:40:58.940000 UTC - [(null) 17584: Unnamed thread 000001E09D177400]: D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
2020-08-12 06:40:58.940000 UTC - [(null) 17584: Unnamed thread 000001E09D177400]: D/IMAP Trying auth method 0x1000
"""
Please notice server caps is different: 0x41587635 in 68.11.0 (64bits), 0x40486631 in 78.1.1 (32bits).
I have not tested 64 bits version of 78.1.1 to check if the error is the same.
Let me know if you need additional information. Thanks!
Comment 1 (Reporter) • 5 years ago
IMAP server is Exchange 2016.
Comment 2 • 5 years ago
Which server? Is it using too old SSL version? We now require TLS 1.2.
Check nmap --script ssl-enum-ciphers -p <port> <hostname>
Comment 3 (Reporter) • 5 years ago
As I said, server is Microsoft Exchange 2016. TLSv1.2 is supported. Here is the result of the nmap command:
"""
PORT    STATE SERVICE
143/tcp open  imap
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""
Comment 4 (Reporter) • 5 years ago
For your information, we tested with 64 bits version of Thunderbird 78.1.1 and beta 80 and in both cases connection to IMAP of MS Exchange 2016 server was impossible.
Comment 5 • 5 years ago
Probably need to see the IMAP capability response reported by Exchange from the IMAP log. But to me it looks like with 78, Exchange is not supporting any of the typical userid/password auth methods like login, old login or plain based on my reading of the capability bit masks. But with 68 Exchange is reporting that it does support old login and plain so no problem occurs.
I suspect this may be due to use of a different TLS version but not sure. I guess STARTTLS is succeeding since the login steps are attempted but since there are no auth capabilities reported by Exchange, no userid/password is sent so the login attempt is reported as failed.
FYI, the capability bit masks are defined here: https://searchfox.org/comm-central/rev/c25f688917f090fb02d31f0160e484fd2b8ad93e/mailnews/imap/src/nsImapCore.h#111
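Decoding the bit masks discussed in comment 5, as an added example that is not part of the original thread and not Thunderbird's code: it reads the flag legend from the logged line itself and compares the two "IMAP auth" lines from the report. It assumes avail caps = caps & pref & ~failed, which the logged values confirm; all function names are illustrative.

```python
import re

# Lines copied from the two log excerpts in the report (timestamp prefix trimmed).
LEGEND = ("D/IMAP (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, "
          "PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, "
          "auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)")
AUTH_78 = "D/IMAP IMAP auth: server caps 0x40486631, pref 0x1006, failed 0x0, avail caps 0x0"
AUTH_68 = "D/IMAP IMAP auth: server caps 0x41587635, pref 0x1006, failed 0x0, avail caps 0x1004"

LEGEND_RE = re.compile(r"([A-Za-z][\w\- ]*?) = (0x[0-9a-fA-F]+)")
AUTH_RE = re.compile(r"server caps (0x[0-9a-fA-F]+), pref (0x[0-9a-fA-F]+), "
                     r"failed (0x[0-9a-fA-F]+), avail caps (0x[0-9a-fA-F]+)")

def parse_legend(line):
    """Return {flag name: bit value} from the legend line Thunderbird logs."""
    return {name.strip(): int(val, 16) for name, val in LEGEND_RE.findall(line)}

def parse_auth(line):
    """Return the four masks of an 'IMAP auth' log line as integers."""
    m = AUTH_RE.search(line)
    if m is None:
        raise ValueError("not an 'IMAP auth' log line")
    caps, pref, failed, avail = (int(g, 16) for g in m.groups())
    return {"caps": caps, "pref": pref, "failed": failed, "avail": avail}

def names(mask, legend):
    """Names of the auth flags set in mask."""
    return sorted(n for n, bit in legend.items() if mask & bit)

def usable(auth):
    """Assumed rule: advertised by the server, allowed by the pref, not yet failed."""
    return auth["caps"] & auth["pref"] & ~auth["failed"]

def compare(old, new, legend):
    """Which auth flags differ between two runs, and whether anything else changed."""
    diff = old["caps"] ^ new["caps"]
    auth_mask = 0
    for bit in legend.values():
        auth_mask |= bit
    return {"lost": names(diff & old["caps"], legend),
            "gained": names(diff & new["caps"], legend),
            "other_bits_changed": bool(diff & ~auth_mask)}

if __name__ == "__main__":
    legend = parse_legend(LEGEND)
    for label, line in (("68.11.0", AUTH_68), ("78.1.1", AUTH_78)):
        auth = parse_auth(line)
        print(label, "advertised:", names(auth["caps"], legend),
              "usable:", names(usable(auth), legend))
    print(compare(parse_auth(AUTH_68), parse_auth(AUTH_78), legend))
```

Run on the two excerpts, the masks differ only in GSSAPI, NTLM, PLAIN and old-style IMAP login; every other capability bit is identical between 68.11.0 and 78.1.1.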
Comment 6 • 5 years ago
Reporter David, I don't know if it is supported, but with 78 you might try using TLS/SSL on port 993. That may then cause exchange to report the needed capabilities to login with normal password.
Comment 7 • 5 years ago
STARTTLS can have its own can of issues, so yeah, using direct SSL port is encouraged since it's more secure. IIRC it may require to enable SSL port since it may not be enabled by default
Comment 8 • 5 years ago
(In reply to gene smith from comment #6)
> Reporter David, I don't know if it is supported, but with 78 you might try using TLS/SSL on port 993. That may then cause exchange to report the needed capabilities to login with normal password.
David??
Comment 9 (Reporter) • 5 years ago
Sorry for the delay. I will have a look and report with TLS/SSL on port 993. Is it possible to install 78 without breaking my current 68 installation used for daily work?
Comment 10 • 5 years ago
> Is it possible to install 78 without breaking my current 68 installation used for daily work?
I've moved from older tb to 78 and later with no problems on any server and I have a lot. However, I'm not using exchange. If you are not the exchange administrator, first just change this setting in tb:
Connection security: change from STARTTLS to SSL/TLS
Authentication method: to Normal Password (probably already set to this)
Make sure port is 993.
Then restart tb to ensure new methods take effect or just click on some folders in the exchange account and you should see a password prompt (I think).
If this doesn't help, ask the exchange administrator if IMAP is still supported on the server. If so, ask also if TLS on port 993 or STARTTLS on port 143 are supported. If these are supported and tb still won't connect, we will need to do a lower level diagnosis maybe using a network sniffer like wireshark and filter on imap and TLS frames.
P/S: where I worked years ago I used tb with imap on exchange. I was probably the only one since they had standardized on M/S products. Then they upgraded the exchange server and the default was IMAP turned off so after that I couldn't use tb.
Comment 11 (Reporter) • 5 years ago
Hello,
The upgrade of my Thunderbird 68 was forced to version 78. :-( And of course, as I said initially, it does not work.
I tried with SSL/TLS on port 993: again, I am not able to get my emails from Microsoft Exchange server.
Here are the logs:
"""
2020-11-02 08:26:30.000000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop entering [this=00000208F9F69800]
2020-11-02 08:26:30.097000 UTC - [(null) 28852: Main Thread]: I/IMAP 00000208F9F69800:server11:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2020-11-02 08:26:30.098000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:ProcessCurrentURL: entering
2020-11-02 08:26:30.098000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:ProcessCurrentURL:imap://ANON_SERVER%5CAnon_Login@anon_server:993/select%3E/INBOX: = currentUrl
2020-11-02 08:26:30.164000 UTC - [(null) 28852: IMAP]: D/IMAP ReadNextLine [rv=0x805a1ff3 stream=00000208FA1711F0 nb=0 needmore=1]
2020-11-02 08:26:30.164000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1ff3
2020-11-02 08:26:30.185000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:TellThreadToDie: close socket connection
2020-11-02 08:26:30.185000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:CreateNewLineFromSocket: (null)
2020-11-02 08:26:30.185000 UTC - [(null) 28852: IMAP]: D/IMAP SetConnectionStatus(0x805a1ff3)
2020-11-02 08:26:30.185000 UTC - [(null) 28852: IMAP]: D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/select%3E/INBOX)
2020-11-02 08:26:30.205000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F9F69800:server11:NA:ProcessCurrentURL: aborting queued urls
2020-11-02 08:26:30.218000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop leaving [this=00000208F9F69800]
2020-11-02 08:26:30.422000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop entering [this=00000208FF919000]
2020-11-02 08:26:30.422000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop entering [this=00000208FF913800]
2020-11-02 08:26:30.489000 UTC - [(null) 28852: Main Thread]: I/IMAP 00000208FF919000:server11:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2020-11-02 08:26:30.489000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:ProcessCurrentURL: entering
2020-11-02 08:26:30.489000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:ProcessCurrentURL:imap://ANON_SERVER%5CAnon_Login@anon_server:993/select%3E/INBOX: = currentUrl
2020-11-02 08:26:30.490000 UTC - [(null) 28852: Main Thread]: I/IMAP 00000208FF913800:server11:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2020-11-02 08:26:30.490000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:ProcessCurrentURL: entering
2020-11-02 08:26:30.490000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:ProcessCurrentURL:imap://ANON_SERVER%5CAnon_Login@anon_server:993/folderstatus%3E/00-ToKeep: = currentUrl
2020-11-02 08:26:30.540000 UTC - [(null) 28852: IMAP]: D/IMAP ReadNextLine [rv=0x805a1ff3 stream=00000208FD9D5C10 nb=0 needmore=1]
2020-11-02 08:26:30.540000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1ff3
2020-11-02 08:26:30.541000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:TellThreadToDie: close socket connection
2020-11-02 08:26:30.541000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:CreateNewLineFromSocket: (null)
2020-11-02 08:26:30.541000 UTC - [(null) 28852: IMAP]: D/IMAP SetConnectionStatus(0x805a1ff3)
2020-11-02 08:26:30.541000 UTC - [(null) 28852: IMAP]: D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/select%3E/INBOX)
2020-11-02 08:26:30.541000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF919000:server11:NA:ProcessCurrentURL: aborting queued urls
2020-11-02 08:26:30.544000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop leaving [this=00000208FF919000]
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: D/IMAP ReadNextLine [rv=0x805a1ff3 stream=00000208FDC5B8B0 nb=0 needmore=1]
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1ff3
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:TellThreadToDie: close socket connection
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:CreateNewLineFromSocket: (null)
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: D/IMAP SetConnectionStatus(0x805a1ff3)
2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/folderstatus%3E/00-ToKeep)
2020-11-02 08:26:30.567000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208FF913800:server11:NA:ProcessCurrentURL: aborting queued urls
2020-11-02 08:26:30.567000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop leaving [this=00000208FF913800]
2020-11-02 08:26:52.501000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop entering [this=00000208F87AC000]
2020-11-02 08:26:52.518000 UTC - [(null) 28852: Main Thread]: I/IMAP 00000208F87AC000:server11:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2020-11-02 08:26:52.518000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:ProcessCurrentURL: entering
2020-11-02 08:26:52.518000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:ProcessCurrentURL:imap://ANON_SERVER%5CAnon_Login@anon_server:993/fetch%3EUID%3E/INBOX%3E162192: = currentUrl
2020-11-02 08:26:52.564000 UTC - [(null) 28852: IMAP]: D/IMAP ReadNextLine [rv=0x805a1ff3 stream=00000208F8C49B80 nb=0 needmore=1]
2020-11-02 08:26:52.564000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 805a1ff3
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:TellThreadToDie: close socket connection
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:CreateNewLineFromSocket: (null)
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: D/IMAP SetConnectionStatus(0x805a1ff3)
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/fetch%3EUID%3E/INBOX%3E162192)
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: I/IMAP 00000208F87AC000:server11:NA:ProcessCurrentURL: aborting queued urls
2020-11-02 08:26:52.565000 UTC - [(null) 28852: IMAP]: D/IMAP ImapThreadMainLoop leaving [this=00000208F87AC000]
"""
Any idea how to debug this blocking issue?
Best regards,
david
Comment 12 (Reporter) • 5 years ago
For the record, the above log was generated with version 78.4.0 (64 bits) on Windows 10.
Best regards,
david
Comment 13 • 5 years ago
(In reply to David MENTRÉ from comment #11)
> 2020-11-02 08:26:30.562000 UTC - [(null) 28852: IMAP]: D/IMAP URL failed with code 0x805a1ff3
https://james-ross.co.uk/mozilla/misc/nserror?0x805A1FF3 that's SEC_ERROR_UNKNOWN_ISSUER
I guess that means you're using a self-signed certificate?? In 78.4.0+ when you click "Get messages" you should get a certificate override dialog if that's the case.
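How the code quoted in comment 13 maps to an NSS error, as an added example that is not part of the thread and not Thunderbird's code: it splits an nsresult into severity, module and code and groups the failed IMAP URLs in a log by decoded error. The module offset 0x45, the security module number 21 and the listed NSS error numbers are assumptions taken from Mozilla's nsError.h and NSS's secerr.h; function names are illustrative.

```python
import re

MODULE_BASE_OFFSET = 0x45   # NS_ERROR_MODULE_BASE_OFFSET (assumed from nsError.h)
MODULE_SECURITY = 21        # NS_ERROR_MODULE_SECURITY (assumed from nsError.h)
NSS_NAMES = {               # NSS error numbers (assumed from secerr.h)
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
}

# Lines trimmed from the log in comment 11 (timestamp and thread prefix removed).
SAMPLE_LOG = """\
D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/select%3E/INBOX)
D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/folderstatus%3E/00-ToKeep)
D/IMAP URL failed with code 0x805a1ff3 (imap://ANON_SERVER%5CAnon_Login@anon_server:993/fetch%3EUID%3E/INBOX%3E162192)
"""

FAIL_RE = re.compile(r"URL failed with code (0x[0-9a-fA-F]+) \((imap://[^)\s]+)\)")

def decode_nsresult(value):
    """Split a 32-bit nsresult into its severity, module and code fields."""
    failure = bool(value & 0x80000000)
    module = ((value >> 16) - MODULE_BASE_OFFSET) & 0x1FFF
    code = value & 0xFFFF
    # Security-module failures carry the (negative) NSS error number, negated.
    nss = -code if failure and module == MODULE_SECURITY else None
    return {"failure": failure, "module": module, "code": code,
            "nss_error": nss, "name": NSS_NAMES.get(nss)}

def failed_urls_by_error(log_text):
    """Group failed IMAP URLs by decoded error name (raw hex if unknown)."""
    groups = {}
    for code_hex, url in FAIL_RE.findall(log_text):
        info = decode_nsresult(int(code_hex, 16))
        groups.setdefault(info["name"] or code_hex.lower(), []).append(url)
    return groups

if __name__ == "__main__":
    print(decode_nsresult(0x805A1FF3))
    for error, urls in failed_urls_by_error(SAMPLE_LOG).items():
        print(error, len(urls), "failed URL(s)")
```

Every failed URL in the excerpt decodes to the same certificate-trust error, which points at the TLS handshake rather than at IMAP authentication.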
Comment 14 (Reporter) • 5 years ago
Hello Magnus,
Yes, it is a self-signed certificate and I accept the certificate using the override dialog.
Good news: I created a brand new profile (using -P option) and now it works! Strangely enough, auto-detection feature of Thunderbird chose STARTTLS for IMAP and SMTP. With a minor change on SMTP Authentication method, it now works. My old profile was probably corrupted in some way.
Is there a way to reimport part of my past profile? (LDAP configuration, addressbook, ...)
Best regards,
david