On 09/27/2017 11:14 PM, Phil Perry wrote:
> On 28/09/17 04:19, Alice Wonder wrote:
>> With the current Thunderbird I can not connect to one of my IMAP
>> servers that uses a self-signed cert. Virtually identical IMAP servers
>> that use CA signed certs work.
>>
>> I was a bit out of date when I updated to 7.4 and was running
>> Thunderbird 45.6.x and it worked.
>>
>> When I connected from evolution (which I do not like) it worked.
>>
>> When I connected with my laptop still running 45.6.x it works.
>>
>> so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't
>> 5x.x.x series) and did an --oldpackage update with RPM and it works
>> again.
>>
>> When rebuilding the old thunderbird in mock I had to add the following:
>>
>> BuildRequires: dbus-glib-devel
>>
>> Either the build system used by CentOS automatically includes that, or
>> a build dependency used to pull that in but no longer does.
>>
>> Anyway if anyone is having a similar problem, that's a solution.
>>
>> -=-
>>
>> This is what I see in the mail server log when current CentOS
>> thunderbird tries to connect:
>>
>> Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth
>> attempts in 1 secs): user=<>,
>> rip=2600:1010:b064:f260:e83e:562d:2316:18df,
>> lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept()
>> failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>> unknown ca: SSL alert number 48,
>> session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>
>>
>> ---
>>
>> Since it works with current evolution and with older thunderbird, I
>> assume it is a bug in current thunderbird when the server is using a
>> self-signed cert.
>>
>> Don't know if same thing happens on pop.
>>
>> I use IMAP on 143 using starttls
>
> I have no problem using a self-signed cert on my own private mail
> server, although admittedly I'm using POP, not IMAP.
>
> Have you imported your certificate(s) in thunderbird?
>
> Preferences > Advanced > Certificates

When Thunderbird first attempts it offers to import. Under older version it only asks once, and when I import, it's fine until I replace the certificate (once a year, cert is good for three years but I generate new once a year - I just make it good for three in case life gets in the way). The new thunderbird continually asks but still fails to connect. However as soon as I switched back to the older version, it didn't even need to ask because I had already made an exception for that certificate. Old thunderbird works as expected, new doesn't.
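
Added example, not part of the original thread: a small parser for the dovecot log format quoted above that lists which clients rejected the server certificate during the handshake. TLS alert 48 is `unknown_ca`, and an error raised in `SSL3_READ_BYTES` means the alert was read from the peer, so it is the client refusing the certificate. The sample lines, their addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Matches the dovecot imap-login line format quoted in the message above.
LINE_RE = re.compile(
    r"imap-login: Disconnected.*?\brip=(?P<rip>[0-9A-Fa-f:.]+),"
    r".*?SSL_accept\(\) failed: error:[0-9A-Fa-f]+:SSL routines:(?P<func>\w+):"
    r".*?SSL alert number (?P<num>\d+)"
)

def client_cert_rejections(lines):
    """Return one record per handshake where the client sent a certificate alert."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        num = int(m.group("num"))
        # An error raised in ssl3_read_bytes means the alert was read from the
        # peer: the mail client refused the server certificate, not vice versa.
        if m.group("func").lower().endswith("read_bytes") and num in CERT_ALERTS:
            hits.append({"client": m.group("rip"), "alert": CERT_ALERTS[num]})
    return hits

def summarize(lines):
    """Count certificate rejections per (client address, alert name)."""
    return Counter((h["client"], h["alert"]) for h in client_cert_rejections(lines))

# Constructed sample lines (documentation addresses, not the original log).
_FAIL = ("Sep 25 20:17:49 mail dovecot: imap-login: Disconnected (no auth attempts "
         "in 1 secs): user=<>, rip={rip}, lip=2001:db8::1, TLS handshaking: "
         "SSL_accept() failed: error:{code}:SSL routines:SSL3_READ_BYTES:{text}: "
         "SSL alert number {num}, session=<constructed>")
SAMPLE_LOG = [
    _FAIL.format(rip="2001:db8::10", code="14094418", text="tlsv1 alert unknown ca", num=48),
    "Sep 25 20:18:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=2001:db8::20, lip=2001:db8::1, mpid=1234, TLS, session=<constructed>",
    _FAIL.format(rip="2001:db8::10", code="14094418", text="tlsv1 alert unknown ca", num=48),
    _FAIL.format(rip="2001:db8::30", code="14094415",
                 text="sslv3 alert certificate expired", num=45),
]

if __name__ == "__main__":
    for (client, alert), count in summarize(SAMPLE_LOG).items():
        print(f"{client} rejected the server certificate {count}x ({alert})")
```

A client that repeatedly appears with `unknown_ca` against a self-signed server has not stored, or is not honouring, a trust exception for that certificate.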