Unable to get SSL working correctly in Thunderbird

Spazzma
New user
Posts: 5
Joined: 2013-10-14 12:45

Post by Spazzma » 2013-10-14 15:05

Hi,
I am running HMail version 5.4.
I am trying to secure all POP and IMAP traffic as well as internal SMTP traffic.
My knowledge of certificates is limited, so bear with me.
I used the StartSSL website to generate free certificates for me. I received pfx files from them.
I got my key and cert files using the following openssl commands:
Certificate: openssl.exe pkcs12 -in "c:\Certs\IQRetail.pfx" -clcerts -nokeys -out "c:\Certs\Cert.pem"
Key: openssl.exe pkcs12 -in "c:\Certs\IQRetail.pfx" -nocerts -out "C:\Certs\Key.pem" -nodes
I then added the files into HMail and the HMail service restarted. I checked the logs and no errors.

***Outlook (Incoming IMAP: SSL on port 993)
When I opened Outlook and hit "Send and Receive" Outlook comes up with the following prompt:
The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect.
Do you want to continue using this server?
If I click "Yes" then Outlook seems to work correctly. I can receive mails.

***Thunderbird (Incoming IMAP: SSL on port 993) version 24.0.1
When I opened Thunderbird and hit "Get Mail" Thunderbird shows "Connected to xxx" at the bottom or it shows nothing at all.
It does not request a certificate to be allowed / imported or any other visible error.
The HMail logs simply show: "TCPIP" 2704 "2013-10-14 14:57:12.782" "TCP - x.x.x.x connected to x.x.x.x:993."

1) Any idea what the problem is on Thunderbird?
2) Can I get Outlook to trust the certificate without prompting?

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Unable to get SSL working correctly in Thunderbird

Post by mattg » 2013-10-15 01:13

Toggle through your open windows.

The Thunderbird accept certificate window is often hidden.
If it is not visible, try forcing a manual download of all mail.

Did you remove the password from the certificate?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Spazzma
New user
Posts: 5
Joined: 2013-10-14 12:45

Re: Unable to get SSL working correctly in Thunderbird

Post by Spazzma » 2013-10-15 09:20

Hi,
I closed all my applications before trying to "Get mail" and I then checked for open windows. The certificate acceptance window was not present.
How would I force a download of all mail? Via POP3? I also tested POP3, but had the same problem.

I did not explicitly remove a password from the key file. How would I go about doing this?
I do think that this is a problem though, as Outlook does work and I did get a "Password not supported" type error message in the logs when I converted the pfx file using different commands with openssl previously.


I checked the logs again and found this:
"TCPIP" 4016 "2013-10-15 09:02:50.664" "TCP - 10.0.3.5 connected to 10.0.3.5:993."
"IMAPD" 4016 92 "2013-10-15 09:02:50.805" "10.0.3.5" "SENT: * Welcome"
"TCPIP" 4016 "2013-10-15 09:03:50.592" "TCP - 10.0.3.5 connected to 10.0.3.5:993."
"TCPIP" 4016 "2013-10-15 09:03:51.149" "TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 10.0.3.5"

I then enabled all the log types and got this:
"APPLICATION" 4952 "2013-10-15 09:14:38.657" "Stopping servers..."
"APPLICATION" 4952 "2013-10-15 09:14:39.198" "Servers stopped."
"APPLICATION" 4952 "2013-10-15 09:14:39.198" "Starting servers..."
"DEBUG" 2616 "2013-10-15 09:14:39.198" "SMTPDeliveryManager::Start()"
"DEBUG" 1072 "2013-10-15 09:14:39.198" "ExternalFetchManager::Start()"
"APPLICATION" 4952 "2013-10-15 09:14:39.213" "Servers started."
"TCPIP" 916 "2013-10-15 09:14:59.244" "TCP - 10.0.3.5 connected to 10.0.3.5:993."
"DEBUG" 916 "2013-10-15 09:14:59.244" "Creating session 95"
"IMAPD" 916 95 "2013-10-15 09:14:59.322" "10.0.3.5" "SENT: * Welcome"
"DEBUG" 3184 "2013-10-15 09:15:09.431" "The read operation failed. Bytes transferred: 0 Remote IP: 10.0.3.5, Session: 95, Code: 336151574, Message: sslv3 alert certificate unknown"
"DEBUG" 3184 "2013-10-15 09:15:09.431" "Ending session 95"
"TCPIP" 916 "2013-10-15 09:15:47.589" "TCP - 10.0.3.5 connected to 10.0.3.5:993."
"DEBUG" 916 "2013-10-15 09:15:47.589" "Creating session 96"
"IMAPD" 916 96 "2013-10-15 09:15:47.698" "10.0.3.5" "SENT: * Welcome"
"DEBUG" 2952 "2013-10-15 09:15:57.810" "The read operation failed. Bytes transferred: 0 Remote IP: 10.0.3.5, Session: 96, Code: 336151574, Message: sslv3 alert certificate unknown"
"DEBUG" 2952 "2013-10-15 09:15:57.810" "Ending session 96"

Any advice?
Thanks
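An added example, not part of the original posts: the numeric codes in the log excerpts above decode as OpenSSL packed errors, assuming the 1.0.x layout (8-bit library, 12-bit function, 12-bit reason), and the decoded reasons agree with the logged message text. Reasons of 1000 or more are TLS alerts received from the peer, so code 336151574 means the client itself rejected the server certificate; `unpack`, `explain` and `triage` are names chosen here.

```python
import re

# Constructed sample: two lines copied from the hMailServer log in the post above.
SAMPLE_LOG = '''\
"TCPIP" 4016 "2013-10-15 09:03:51.149" "TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 10.0.3.5"
"DEBUG" 3184 "2013-10-15 09:15:09.431" "The read operation failed. Bytes transferred: 0 Remote IP: 10.0.3.5, Session: 95, Code: 336151574, Message: sslv3 alert certificate unknown"
'''

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_R_SHORT_READ = 219       # OpenSSL 1.0.x reason code behind "short read"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts sent by the peer

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

CODE_RE = re.compile(r'(?:Error code|Code): (\d+), Message: ([^,"]+)')
SESSION_RE = re.compile(r'Session: (\d+)')

def unpack(code):
    """Split a packed error code into (lib, func, reason); assumes the 1.0.x layout."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(code):
    """Say which side reported the failure, based on the decoded reason."""
    lib, _func, reason = unpack(code)
    if lib != ERR_LIB_SSL:
        return "not a libssl error"
    if reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        return "peer sent TLS alert %d (%s)" % (alert, CERT_ALERTS.get(alert, "other"))
    if reason == SSL_R_SHORT_READ:
        return "peer closed the connection without finishing TLS"
    return "local libssl error, reason %d" % reason

def triage(log_text):
    """Return (session or None, code, logged message, explanation) per failure line."""
    findings = []
    for line in log_text.splitlines():
        hit = CODE_RE.search(line)
        if hit:
            session = SESSION_RE.search(line)
            code = int(hit.group(1))
            findings.append((session.group(1) if session else None, code,
                             hit.group(2).strip(), explain(code)))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```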

Spazzma
New user
Posts: 5
Joined: 2013-10-14 12:45

Re: Unable to get SSL working correctly in Thunderbird

Post by Spazzma » 2013-10-15 09:35

I read through the SSL manual yesterday (http://www.hmailserver.com/forum/viewto ... 12&t=22371).
Please let me know if you need the output and I will PM.
Thanks

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Unable to get SSL working correctly in Thunderbird

Post by mattg » 2013-10-15 09:56

Spazzma wrote: I did not explicitly remove a password from the key file. How would I go about doing this?
StartSSL has a control panel, one of the options is to remove password

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Unable to get SSL working correctly in Thunderbird

Post by mattg » 2017-01-26 03:14

This thread came up in a search for me yesterday.
Follow-up post here >> viewtopic.php?f=10&t=30860