[GTALUG] War Story: Thunderbird vs my mail server

D. Hugh Redelmeier hugh at mimosa.com
Fri Oct 15 10:01:21 EDT 2021


TL;DR: using self-signed X.509 certs with Thunderbird is hard

I run a mail server for my family.

One of us uses Thunderbird's POP3 to pick up mail.  This is through our 
LAN, not on the public internet.

My server uses self-signed certificates.  I don't care to become a 
customer of any certificate vendor, although I think Let's Encrypt is a 
Good Thing.  I haven't even bothered to create my own Certificate 
Authority.

My certificates expire, so I have to regenerate them.  (Since this happens 
only once a year, I don't always remember the drill.)  I just did that.

Thunderbird stopped being able to pick up mail.  There was NO diagnostic.  
Not to the user, and not to the sysadmin.  It didn't even say that it 
failed to pick up mail.

I soon discovered that I needed to get the new certs into Thunderbird.  
Previously, if I remember correctly, when confronted with a new cert, 
Thunderbird warned the user but could be coaxed to accept it and remember 
it.

How could I get Thunderbird to accept the new cert?  Why was it unhappy 
with the old one?  The lack of diagnostics meant I never did figure out 
why it was unhappy, but I did do a lot of experimenting.

In the end, I decided to manually install the new cert into 
Thunderbird.  Thunderbird has a facility to do this:
	Edit: Preferences: (search for "cert"): manage certificates:
	Add exception.

The Thunderbird facility required me to fill in an HTTPS URL from which to 
get the cert.  At first I thought that this would require me to set up a 
web server.  No, this design actually makes some sense: since Thunderbird 
will use the cert for TLS, why not use TLS and harvest the cert from 
the negotiation.

The proper URL was HTTPS://my-pop3-server:995.
995 is the port used to serve POP3 (probably not obvious to many users).
But that didn't work!  With no diagnostic!

The answer can be extracted from 
<https://stackoverflow.com/questions/63947262/thunderbird-78-how-to-add-security-exception>

The problem is that Thunderbird seems to have its own firewall, set up to 
block port 995 in some cases.  Which cases?  Not for POP3, but yes for the 
"Add exceptions".  Very Very dumb.

How to punch a hole in this firewall:
- find the registry editor (not called that, but that's what it is)
  Edit Preferences -> General -> Config Editor [at bottom]
  Add a new thing "network.security.ports.banned.override" and set it to 
  the string 995
This is a string so that a list of ports can be used.  This "preference" 
is documented (but not for Thunderbird):
	http://kb.mozillazine.org/Network.security.ports.banned.override

Now you can add the cert through HTTPS (see above).

Optional: remove the security exception.  I left it in so I don't have to 
do this next year.
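An added example (my own script, not code from the post or from Thunderbird): it does what the "Add exception" dialog does, namely harvest the certificate from the TLS handshake on port 995, and then reports the SHA-256 fingerprint and the validity window, which is the diagnostic the story above never got. The host name is the post's `my-pop3-server` placeholder; the small DER walker assumes the standard X.509 layout and only reads the fields up to `validity`.

```python
import datetime
import hashlib
import socket
import ssl

def fetch_server_cert_der(host, port=995, timeout=5.0):
    """TLS handshake with the POP3S server; return its leaf certificate as DER.
    Verification is deliberately off: the cert is self-signed, and the point is
    to see exactly which certificate the server is presenting right now."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def sha256_fingerprint(der):
    # Colon-separated form, comparable with what Thunderbird's cert viewer shows.
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):
    """(notBefore, notAfter) as UTC datetimes, read from TBSCertificate.validity."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                               # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                                 # serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)                         # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, end = _tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
        times.append(datetime.datetime.strptime(der[start:end].decode("ascii"), fmt)
                     .replace(tzinfo=datetime.timezone.utc))
        pos = end
    return tuple(times)

def is_currently_valid(der, now=None):
    not_before, not_after = cert_validity(der)
    return not_before <= (now or datetime.datetime.now(datetime.timezone.utc)) <= not_after
```

Run it as `der = fetch_server_cert_der("my-pop3-server")` and pass `der` to `sha256_fingerprint` and `is_currently_valid`; a False from the latter right after regenerating certs means the server is still serving the old file.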

