[CentOS] Thunderbird in CentOS 7.4

Thu Sep 28 06:50:41 UTC 2017
Alice Wonder <alice at domblogger.net>

On 09/27/2017 11:14 PM, Phil Perry wrote:
> On 28/09/17 04:19, Alice Wonder wrote:
>> With the current Thunderbird I can not connect to one of my IMAP
>> servers that uses a self-signed cert. Virtually identical IMAP servers
>> that use CA signed certs work
>> I was a bit out of date when I updated to 7.4 and was running
>> Thunderbird 45.6.x and it worked.
>> When I connected from evolution (which I do not like) it worked.
>> When I connected with my laptop still running 45.6.x it works.
>> so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't
>> 5x.x.x series) and did an --oldpackage update with RPM and it works
>> again.
>> When rebuilding the old thunderbird in mock I had to add the following:
>> BuildRequires:  dbus-glib-devel
>> Either the build system used by CentOS automatically includes that, or
>> a build dependency use to pull that it but no longer does.
>> Anyway if anyone is having a similar problem, that's a solution.
>> -=-
>> This is what I see in the mail server log when current CentOS
>> thunderbird tries to connect:
>> Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth
>> attempts in 1 secs): user=<>,
>> rip=2600:1010:b064:f260:e83e:562d:2316:18df,
>> lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept()
>> failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>> unknown ca: SSL alert number 48,
>> session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>
>> ---
>> Since it works with current evolution and with older thunderbird, I
>> assume it is a bug in current thunderbird when the server is using a
>> self-signed cert.
>> Don't know if same thing happens on pop.
>> I use IMAP on 143 using starttls
> I have no problem using a self-signed cert on my own private mail
> server, although admittedly I'm using POP, not IMAP.
> Have you imported your certificate(s) in thunderbird?
> Preferences > Advanced > Certificates

When Thundirbird first attempts it offers to import. Under older version 
it only asks once, and when I import, it's fine until I replace the 
certificate (once a year, cert is good for three years but I generate 
new once a year - I just make it good for three in case life gets in the 

The nee thunderbird continually asks but still fails to connect.

However as soon as I switched back to the older version, it didn't even 
need to ask because I had already made an exception for that certificate.

Old thunderbird works as expected, new doesn't.