[CentOS] Thunderbird in CentOS 7.4

Fri Sep 29 08:44:41 UTC 2017
ken <gebser at mousecar.com>

On 09/28/2017 02:50 AM, Alice Wonder wrote:
> On 09/27/2017 11:14 PM, Phil Perry wrote:
>> On 28/09/17 04:19, Alice Wonder wrote:
>>> With the current Thunderbird I can not connect to one of my IMAP
>>> servers that uses a self-signed cert. Virtually identical IMAP servers
>>> that use CA signed certs work
>>>
>>> I was a bit out of date when I updated to 7.4 and was running
>>> Thunderbird 45.6.x and it worked.
>>>
>>> When I connected from evolution (which I do not like) it worked.
>>>
>>> When I connected with my laptop still running 45.6.x it works.
>>>
>>> so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't
>>> 5x.x.x series) and did an --oldpackage update with RPM and it works
>>> again.
>>>
>>> When rebuilding the old thunderbird in mock I had to add the following:
>>>
>>> BuildRequires:  dbus-glib-devel
>>>
>>> Either the build system used by CentOS automatically includes that, or
>>> a build dependency used to pull that in but no longer does.
>>>
>>> Anyway if anyone is having a similar problem, that's a solution.
>>>
>>> -=-
>>>
>>> This is what I see in the mail server log when current CentOS
>>> thunderbird tries to connect:
>>>
>>> Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth
>>> attempts in 1 secs): user=<>,
>>> rip=2600:1010:b064:f260:e83e:562d:2316:18df,
>>> lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept()
>>> failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>>> unknown ca: SSL alert number 48,
>>> session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>
>>>
>>> ---
>>>
>>> Since it works with current evolution and with older thunderbird, I
>>> assume it is a bug in current thunderbird when the server is using a
>>> self-signed cert.
>>>
>>> Don't know if same thing happens on pop.
>>>
>>> I use IMAP on 143 using starttls
>>
>> I have no problem using a self-signed cert on my own private mail
>> server, although admittedly I'm using POP, not IMAP.
>>
>> Have you imported your certificate(s) in thunderbird?
>>
>> Preferences > Advanced > Certificates
>
> When Thunderbird first attempts it offers to import. Under older
> version it only asks once, and when I import, it's fine until I
> replace the certificate (once a year, cert is good for three years but
> I generate a new one once a year - I just make it good for three in case
> life gets in the way).
>
> The new thunderbird continually asks but still fails to connect.
>
> However as soon as I switched back to the older version, it didn't 
> even need to ask because I had already made an exception for that 
> certificate.
>
> Old thunderbird works as expected, new doesn't. 

The "no auth attempts" strikes me as suspicious.  This along with the 
fact that your old thunderbird works suggests to me that there might 
have been some security bits left out of the new thunderbird build.  My 
experience compiling Tbird pre-dates rpm, so this might have become 
irrelevant, but it used to be that a build would still succeed even when
some capability was left out.  The fact that your imap server is cool 
with your several other clients would also seem to isolate the problem 
back onto the new tbird.
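
Added example, not part of any poster's message: a small parser for the dovecot entry quoted earlier in the thread. Alert 48 is unknown_ca in RFC 5246, and the SSL3_READ_BYTES error means the server received that alert from the client, so the handshake ended before any IMAP authentication could start. The function name, the alert subset and the second sample line are constructed for this example.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}
# Alerts meaning the sender refused the certificate it was shown.
CERT_REJECTED = {42, 45, 46, 48}

LINE_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): Disconnected \((?P<reason>[^)]*)\).*?"
    r"rip=(?P<rip>[0-9A-Fa-f:.]+),.*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r".*?SSL alert number (?P<alert>\d+)")

def parse_tls_failure(line):
    """Describe a failed TLS handshake in a dovecot login line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    # OpenSSL before 3.0 packs the reason in the low 12 bits of the error
    # code; reasons of 1000 + N mean "alert N was received from the peer".
    reason = int(m.group("code"), 16) & 0xFFF
    return {
        "service": m.group("svc"),
        "client": m.group("rip"),
        "disconnect_reason": m.group("reason"),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unlisted"),
        "sent_by_client": reason == 1000 + alert,
        "cert_rejected": alert in CERT_REJECTED,
    }

# The entry quoted in the thread, re-joined onto one line.
THREAD_LINE = (
    "Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth "
    "attempts in 1 secs): user=<>, "
    "rip=2600:1010:b064:f260:e83e:562d:2316:18df, "
    "lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() "
    "failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert "
    "unknown ca: SSL alert number 48, session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>")
# Constructed line for contrast: a completed login has nothing to report.
OK_LINE = ("Sep 25 20:18:02 librelamp dovecot: imap-login: Login: "
           "user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS")

if __name__ == "__main__":
    for line in (THREAD_LINE, OK_LINE):
        print(parse_tls_failure(line))
```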