8

In previous versions of Thunderbird, when connecting to a server with a self-signed certificate, a warning was displayed, but the option was offered to create a security exception for that server with this dialog:

enter image description here

I could click on "Confirm Security Exception" and thereafter, TB could communicate with the server.

But in this version of TB, I only see a message:

Sending of message failed.
The certificate is not trusted because it is self-signed.
The configuration related to [server name] must be corrected.

There is no indication of what "must be corrected" for TB to trust the certificate.

The Certificate Manager in the Privacy settings section does open the dialog above. But once the correct IP:port is entered, the "Get Certificate" button does nothing apart from displaying "No Information Available". This renders the dialog pretty useless.

I'm not concerned about man in the middle attacks due to the lack of CA signing because the mail server is on an intranet.

Is there any other way to get TB 78 to work with self-signed certificates?

ARX
  • Next version of Thunderbird (91.*) fixes this issue. – Fumisky Wells May 28 '22 at 00:52
  • 1
    Not for me. For some tests, I recently installed TB 91 Portable (x64, Windows) and configured it from scratch. I still had this problem (the test server was using a self-signed certificate which in addition had expired). – Binarus Jun 23 '22 at 18:07

3 Answers

16

I also suffered from this issue for hours. Finally, I figured out how to solve it.

At first, I tried to download the certificate from Firefox. When I tried to access https://bad-mail-admin.com:465, it told me:

This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

Then I googled it and found the solution: https://support.mozilla.org/en-US/questions/1083282

Just go to about:config, right-click anywhere on the page and choose New > String. Create an option named network.security.ports.banned.override, with the value: 465

Then Firefox showed https://bad-mail-admin.com:465 successfully.

Immediately I realized that Firefox and TB use the same browser engine. So I repeated this in the "Config Editor" of TB.

Then go to the Certificate Manager of TB and enter https://bad-mail-admin.com:465. Press "Get Certificate", and finally I could get the certificate and add it to the security exception.

Komeiji Kuroko
  • 1
    Yes, sir. You are so right. Thanks, my friend. I would have not guessed this on my own. Great sleuthing. – ARX Sep 19 '20 at 03:05
  • Thanks! Almost got to it but ended up that this doesn't work with STARTTLS. But there is a good thing - seems the issue is fixed within Thunderbird 78.5.0, and I was able to get security exception dialogs for both IMAP and SMTP – Nickolay Olshevsky Nov 23 '20 at 10:56
  • 2
    Ah, I see, @NickolayOlshevsky. One has to add the `network.security.ports.banned.override` exception (in my case, IMAP/S on port 993), and then all the magic starts to work once more – roaima Nov 23 '20 at 16:33
  • 3
    Ah indeed, on Thunderbird 78.11 it is necessary to do 2 steps -- step (1) is to add the `network.security.ports.banned.override` via the Configuration Manager that can be accessed via "Preferences" -> "General" -> scroll all the way down -> "Config Editor", and step (2) is to go to "Preferences" -> "Privacy & Security" -> "Certificates" -> "Manage Certificates" -> "Servers", click "Add Exception", enter the certificate location with the previously banned port number under "Location", and then click "Get Certificate". – maratbn Aug 13 '21 at 05:20
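
Before confirming the exception that "Get Certificate" offers, the certificate's SHA-256 fingerprint can be compared with one read directly on the mail server. The following is an added example, not part of the original answers; the function names and command-line arguments are assumptions of this sketch, and its STARTTLS path covers SMTP only.

```python
"""Added example: check a self-signed mail certificate's fingerprint before trusting it."""
import hashlib
import hmac
import smtplib
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Keep only hex digits so differently formatted fingerprints compare equal."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def matches(der: bytes, expected: str) -> bool:
    """True only if the certificate hashes to the fingerprint obtained out of band."""
    return hmac.compare_digest(normalize(fingerprint(der)), normalize(expected))


def fetch_implicit_tls(host: str, port: int) -> bytes:
    """Certificate from an implicit-TLS port (465, 993); the chain is not validated."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def fetch_smtp_starttls(host: str, port: int) -> bytes:
    """Certificate from an SMTP port that upgrades with STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # self-signed: identity is checked by fingerprint
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage (assumed): script.py HOST PORT EXPECTED_SHA256 [starttls]
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    fetch = fetch_smtp_starttls if sys.argv[4:] == ["starttls"] else fetch_implicit_tls
    der = fetch(host, port)
    print(fingerprint(der))
    sys.exit(0 if matches(der, expected) else "fingerprint mismatch: do not add the exception")
```

The expected fingerprint should come from the server's own copy of the certificate, not from a second network fetch.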
0

I had this issue and after going around in circles (suffering lol), I finally discovered that the proxy config was set incorrectly. It was set to "use system proxy settings" and I simply put it to "no proxy". Issue resolved.

Thunderbird -> Settings -> General -> (Network + Disk Space: configure how Thunderbird connects to the internet) Settings -> Config Proxy -> No proxy.

TristanB
-1

The only problem is when the user has multiple email accounts that use different ports. That port override doesn't take multiple ports. I tried comma-, space-, colon- and semicolon-separated lists with no success.

JOHN BOND