Bug 1852998
Summary: | Thunderbird 68.9 doesn't properly connect to RedHat mail servers | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Bill Sanford <bsanford> |
Component: | thunderbird | Assignee: | Jan Horak <jhorak> |
Status: | CLOSED NOTABUG | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.3 | CC: | bmilar, cschalle, dueno, jkoten, mboisver, tpelka, tpopela |
Target Milestone: | rc | | |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-09-01 13:04:25 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Bill Sanford
2020-07-01 17:31:29 UTC
I have the same problems on RHEL 8 with my RH Zimbra account.

Today, I tested thunderbird-68.9.0-1.el7_8.x86_64 on RHEL 7. It works!

Tested again on a fresh installation of RHEL 8.3 - TB does not see my folders and e-mails on IMAP server. It does not ask for password (which I do not store in TB), thus it cannot be connected. I found no valuable info in TB's Error Console (ctrl+shift+j).

If I mistype the IMAP address (e.g. imap.corp.redhat.com) and click to Inbox (the only folder shown for the account), I get a correct error message "Thunderbird - Failed to connect to server imap.corp.redhat.com" (via Gnome notifications) and "bmilar: Looked up imap.corp.redhat.com..." in TB status bar.

After I set correct IMAP address again (i.e. mail.corp.redhat.com) and click Inbox, there is no error via notifications. In TB status bar, 2 messages appear shortly:

"bmilar: Connecting to mail.corp.redhat.com"
"bmilar: Connected to mail.corp.redhat.com"

But no dialog for password appears.

When I try to send e-mail, I get the error message:

Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to smtp.redhat.com must be corrected.

and another dialog to add security exception for int-mx.corp.redhat.com, S/N 0F:FF:0E:15

After I add the exception and try to send the e-mail again, the "Sending of the message failed." error appears no more. TB tried to send the message, but got stuck at "Copying message to Sent folder" with progress bar moving left and right for many minutes till I canceled it.

I compared linked libraries of TB 68.9.0-1 on RHEL 7 (working) and RHEL 8 (not working)...
RHEL 7:

```
$ ldd /usr/lib64/thunderbird/thunderbird
	linux-vdso.so.1 => (0x00007ffe7258b000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3c8d03a000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f3c8ce36000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f3c8cb2e000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f3c8c82c000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f3c8c616000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c8c248000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3c8d48c000)
```

RHEL 8:

```
$ ldd /usr/lib64/thunderbird/thunderbird
	linux-vdso.so.1 (0x00007fff67bfa000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd97876c000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fd978568000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fd9781d3000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fd977e51000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fd977c39000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fd977876000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd978bc4000)
```

I tried TB 68.10.0 (64-bit) on RHEL 8. I downloaded it from https://download.mozilla.org/?product=thunderbird-68.10.0-SSL&os=linux64&lang=en-US

Shortly: it works!

In detail:
- After creating a new profile and configuring my Zimbra account, I clicked the Inbox folder.
- "Add security exception" dialog for mail.corpredhat.com:993 appeared (this does not happen in TB 68.9.0-1 from rpm).
- When I cancel the dialog, TB 68.10.0 behaves the same way as 68.9.0-1 from rpm - I see only Inbox and Local Folders, no password dialog, nothing is downloaded. The only difference is that when I click the Inbox folder, the "Add security exception" dialog appears again.
- When I click the Confirm Security Exception button in the dialog, TB asks for password and (after getting it) starts to download my IMAP folders from the server and everything works as expected.

So it seems the problem of TB 68.9.0-1 from rpm on RHEL 8 is that it silently fails to use a certificate with unknown identity - i.e. TB does not open the dialog to add a security exception.
I tested the new thunderbird-68.10.0-1.el8.x86_64 - problem reproduced. It does not ask for password, while the same upstream version (thunderbird-68.10.0.tar.bz2) does and works.

Problem reproduced with thunderbird-68.11.0-1.el8.x86_64

This is most likely a problem with system nss. The upstream binaries use their own nss libraries, while rpm-based TB uses system nss. Maybe the TLS version for mail.corpredhat.com:993 is deprecated, there's a reason why you have to add security exception (please check which exception is required).

Daiki: do you have any hints how to debug SSL with nss? Some environment variables to show additional info?

Sorry for the delay. This is probably because mail.corp.redhat.com offers a smaller DH key share (1024 bits) than the ones allowed by the crypto-policies in RHEL-8 (2048 bits or larger):

```
$ /usr/lib64/nss/unsupported-tools/tstclnt -d nssdb -h mail.corp.redhat.com -p 993
tstclnt: read from socket failed: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
```

See also: https://access.redhat.com/articles/3642912

The workaround would be to switch to LEGACY policy with update-crypto-policies command: https://access.redhat.com/articles/3666211
or customize the policy: https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
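
The diagnosis in the last comment can be re-checked from a saved probe transcript before deciding whether to relax the policy or fix the server. The script below is an added example, not part of the original bug report: the function names and sample transcripts are constructed, and the per-policy DH minimums are the ones documented in crypto-policies(7) for RHEL 8.

```shell
#!/bin/sh
# Added example: classify a captured TLS probe against a crypto-policy DH floor.

# Minimum finite-field DH size (bits) per RHEL 8 policy level, per
# crypto-policies(7). Subpolicy suffixes such as ":NO-SHA1" are ignored.
min_dh_bits() {
    case "${1%%:*}" in
        LEGACY)       echo 1023 ;;
        DEFAULT|FIPS) echo 2048 ;;
        FUTURE)       echo 3072 ;;
        *)            return 1 ;;
    esac
}

# classify_probe POLICY   (probe transcript on stdin)
# Prints: rejected-weak-dh | weak-dh BITS MIN | ok-dh BITS | no-dhe-seen
classify_probe() {
    min=$(min_dh_bits "$1") || { echo "unknown-policy"; return 0; }
    out=$(cat)
    # The client already refused the handshake: NSS error name (as in this
    # bug) or the OpenSSL reason string for the same condition.
    case "$out" in
        *SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY*|*"dh key too small"*)
            echo "rejected-weak-dh"; return 0 ;;
    esac
    # Handshake completed: openssl s_client reports the ephemeral key size.
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "no-dhe-seen"            # e.g. ECDHE was negotiated instead
    elif [ "$bits" -lt "$min" ]; then
        echo "weak-dh $bits $min"
    else
        echo "ok-dh $bits"
    fi
}

# Constructed sample transcripts (not captured from any real server).
SAMPLE_NSS='tstclnt: read from socket failed: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: SSL received a weak ephemeral Diffie-Hellman key'
SAMPLE_DH1024='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits'
SAMPLE_ECDHE='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits'
```

On a live system the policy argument would come from `update-crypto-policies --show`, and the transcript from `tstclnt` or `openssl s_client` output saved to a file.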