RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1852998 - Thunderbird 68.9 doesn't properly connect to RedHat mail servers
Summary: Thunderbird 68.9 doesn't properly connect to RedHat mail servers
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: thunderbird
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Jan Horak
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-01 17:31 UTC by Bill Sanford
Modified: 2020-09-01 13:04 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-01 13:04:25 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Bill Sanford 2020-07-01 17:31:29 UTC 
Description of problem:
Thunderbird 68.9 connects to the email server, but doesn't populate the folders and messages from the server. Sending emails results in an error message:

Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to smtp.redhat.com must be corrected. 

Testing setup is:
Incoming:     mail.corp.redhat.com    port 993   SSL/TLS     Normal Password
Outgoing:     smtp.redhat.com         port 25    SSLTLS      Normal Password

Installed certificates from: https://mojo.redhat.com/docs/DOC-1023655

bmilar downgraded to 60.9.0 and Thunderbird works.

I configured my personal Google account in TB 68.9 and this works, too.

Version-Release number of selected component (if applicable):
RHEL-8.3.0-20200620.n.0
thunderbird-68.9.0-1.el8

How reproducible:
100%

Steps to Reproduce:
1. Install Thunderbird and import certificates.
2. Add email account from Red Hat.
3.

Actual results:
Does not completely connect to server.

Expected results:
Connects to server, imports messages and folders and can send messages.

Additional info:
Comment 1 Bohdan Milar 2020-07-02 16:46:58 UTC 
I have the same problems on RHEL 8 with my RH Zimbra account.

Today, I tested thunderbird-68.9.0-1.el7_8.x86_64 on RHEL 7. It works!
Comment 2 Bohdan Milar 2020-07-03 10:05:57 UTC 
Tested again on a fresh installation of RHEL 8.3 - TB does not see my folders and e-mails on IMAP server. It does not ask for password (which I do not store in TB), thus it can not be connected. I found no valuable info in TB's Error Console (ctrl+shift+j).

If I mistype the IMAP address (e.g. imap.corp.redhat.com) and click to Inbox (the only folder shown for the account), I get a correct error message "Thunderbird - Failed to connect to server imap.corp.redhat.com" (via Gnome notifications) and "bmilar: Looked up imap.corp.redhat.com..." in TB status bar.

After I set correct IMAP address again (i.e. mail.corp.redhat.com) and click Inbox, there is no error via notifications. In TB status bar, 2 messages appear shortly:
"bmilar: Connecting to mail.corp.redhat.com"
"bmilar: Connected to mail.corp.redhat.com"

But no dialog for password appears.

When I try to send e-mail, I get the error message:

Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to smtp.redhat.com must be corrected.

and another dialog to add security exception for int-mx.corp.redhat.com, S/N 0F:FF:0E:15

After I add the exception and try to send the e-mail again, the "Sending of the message failed." error appears no more. TB tried to send the message, but got stuck at "Copying message to Sent folder" with progress bar moving left and right for many minutes till I canceled it.

I compared linked libraries of TB 68.9.0-1 on RHEL 7 (working) and RHEL 8 (not working)...

RHEL 7:
$ ldd /usr/lib64/thunderbird/thunderbird
	linux-vdso.so.1 =>  (0x00007ffe7258b000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3c8d03a000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f3c8ce36000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f3c8cb2e000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f3c8c82c000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f3c8c616000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c8c248000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3c8d48c000)

RHEL 8:
$ ldd /usr/lib64/thunderbird/thunderbird
	linux-vdso.so.1 (0x00007fff67bfa000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd97876c000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fd978568000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fd9781d3000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fd977e51000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fd977c39000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fd977876000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd978bc4000)
Comment 3 Bohdan Milar 2020-07-09 12:25:53 UTC 
I tried TB 68.10.0 (64-bit) on RHEL 8.
I downloaded it from
https://download.mozilla.org/?product=thunderbird-68.10.0-SSL&os=linux64&lang=en-US

Shortly: it works!

In detail:
- After creating a new profile and configuring my Zimbra account, I clicked the Inbox folder.
- "Add security exception" dialog for mail.corpredhat.com:993 appeared (this does not happen in TB 68.9.0-1 from rpm).
- When I cancel the dialog, TB 68.10.0 behaves the same way as 68.9.0-1 from rpm - I see only Inbox and Local Folders, no password dialog, nothing is downloaded. The only difference is that when I click the Inbox folder, the "Add security exception" dialog appears again.
- When I click the Confirm Security Exception button in the dialog, TB asks for password and (after get it) starts to download my IMAP folders from the server and everything works as expected.

So it seems the problem of TB 68.9.0-1 from rpm on RHEL 8 is that it silently fails to use a certificate with unknown identity - i.e. TB does not open the dialog to add a security exception.
Comment 4 Bohdan Milar 2020-07-13 14:47:02 UTC 
I tested the new thunderbird-68.10.0-1.el8.x86_64 - problem reproduced. It does not ask for password, while the same upstream version (thunderbird-68.10.0.tar.bz2) does and works.
Comment 5 Bohdan Milar 2020-08-07 07:53:04 UTC 
Problem reproduced with thunderbird-68.11.0-1.el8.x86_64
Comment 6 Jan Horak 2020-08-07 08:09:35 UTC 
This is most likely problem with system nss. The upstream binaries use own nss libraries, while rpm based TB use system nss. Maybe the TLS version for mail.corpredhat.com:993 is deprecated, there's a reason why you have to add security exception (please check which exception is required). 

Daiki: do you have any hints how to debug SSL with nss? Some environment variables to show additional info?
Comment 7 Daiki Ueno 2020-08-31 11:52:46 UTC 
Sorry for the delay. This is probably because mail.corp.redhat.com offers a smaller DH key share (1024 bits) than the ones allowed by the crypto-policies in RHEL-8 (2048 bits or larger):

  $ /usr/lib64/nss/unsupported-tools/tstclnt -d nssdb -h mail.corp.redhat.com -p 993
  tstclnt: read from socket failed: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

See also:
https://access.redhat.com/articles/3642912

The workaround would be to switch to LEGACY policy with update-crypto-policies command:
https://access.redhat.com/articles/3666211
or customize the policy:
https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
Comment 8 Tomas Popela 2020-09-01 13:04:25 UTC 
Closing per comment 7. The problem is not in Thunderbird, but with mail.corp.redhat.com server.
Note You need to log in before you can comment on or make changes to this bug.