Closed
Bug 317138
Opened 20 years ago
Closed 17 years ago
Unable to send when personal S/MIME cert exists and auth-smtp is required
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: lk, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: version 1.0.7 (20050923)
If a personal S/MIME SSL certificate is installed, the user is prompted for the "Software Security Device" password even when sending unsigned unencrypted messages. This was not the case in older product versions. In addition, if the smtp server requires auth-smtp, the Thunderbird user is prompted for the Software Security Device, and if supplied, the message will not be sent. If the message is not signed or encrypted, such that the cert is not actually required, then the user can select "cancel" when prompted for the Software Security Device password, the second prompt for the Auth-SMTP password will be presented and the message will be sent. The server involved is Sun (iPlanet) messaging server v5.2 using SSL on port 465 for inbound SMTP. It requires Auth-SMTP only when the user is sending from outside a corporate WAN to a non-local recipient.
Reproducible: Always
Steps to Reproduce:
1. Install an S/MIME certificate (mine is Thawte freemail)
2. Send an unsigned message (unnecessary prompt for Security Device password)
3. Have an SMTP server available which requires auth-smtp.
Actual Results:
Sending a message which is not signed nor encrypted should not require the password for the Software Security Device. If the password for the Software Security Device IS required, a second prompt should permit entry of an auth-smtp password.
Expected Results:
When both Software Security Device and auth-smtp passwords are required, sequential password prompts should permit entry of both of them.
The only workaround I've identified is to avoid use of S/MIME digital signatures or encryption when working outside the corporate WAN. This permits use of the "cancel" button when prompted for the Software Security Device password and then having the opportunity to enter the auth-smtp password. I am the administrator of this particular smtp server.
Typo corrections to description:
If a personal S/MIME SSL certificate is installed, the user is prompted for the "Software Security Device" password even when sending unsigned unencrypted messages. This was not the case in older product versions. In addition, if the smtp server requires auth-smtp, the Thunderbird user is prompted for the Software Security Device, and if supplied, the message will not be sent (hangs with send pending). If the message is not signed or encrypted, such that the cert is not actually required, then the user can select "cancel" when prompted for the Software Security Device password, the second prompt for the Auth-SMTP password will be presented and the message can be sent. The server involved is Sun (iPlanet) messaging server v5.2 using SSL on port 465 for inbound SMTP. It requires Auth-SMTP only when the user is sending from outside a corporate WAN to a non-local recipient.
Can you try this on a fresh profile? Is it possible you have FIPS mode turned on, or use a hardware token?
Wow. After 28 months I figured this was long dead and have not checked its status in some time. I had confirmed the problem with a couple different systems, so there would have been fresh profiles. I definitely did not have a hardware token. FIPS being enabled would have been accidental and is highly unlikely. I did note the behavior changed with a subsequent release and is no longer a problem with Thunderbird 2x. Perhaps it was inadvertently resolved along with some other update. I don't see any point in re-installing an older version just to reproduce the problem, so this bug should probably be closed, canceled or otherwise labeled as obsolete.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated 17 years ago
Resolution: FIXED → WORKSFORME