Unknown identity / Add security exception rule/ during login to my email @t-online.de with Thunderbird Version 102.6.1

  • 4 replies
  • 0 have this problem
  • 45 views
  • Last reply by N7

Dear Thunderbird Help Team,

since 3rd January 2023 I get a warning message from Thunderbird during login to my @t-online.de each time I try to read my mails.

I am using Thunderbird 102.6.1 (64) On Windows 10 Home PC with latest Edition Windows 10 Home Version 22H2 Installiert am ‎13.‎04.‎2022 Betriebssystembuild 19045.2486 Leistung Windows Feature Experience Pack 120.2212.4190.0

Please see the attached warning message (in German). My translation of the warning says: "Add security exception rule.... The certificate is not trusted because it has not been verified to have been issued by a trusted authority using a secure signature..."

If I look into the certificate, I read the following; see the attached screenshot.

I now would not like to accept the security exception permanently. I think it is best practice not to accept such an exception?

Dear help community, do you have any help to fix this issue please? Kind regards

All replies (4)

> I now would not like to accept the security exception permanently. I think it is best practice not to accept such an exception?

That would be a reasonable approach. However, it's ultimately up to you to decide whether you want to trust a cert or not. In this particular case the cert from the 3rd screenshot looks legitimate to me. It's been issued on Jan 3 2023, exactly the time the trouble started. Have you checked a support forum for t-online.de email, whether there were more complaints about this? I wouldn't be surprised if that was the case.

The problem seems to be the lack of a complete certificate chain, up to a trusted root certificate Thunderbird knows. This may well be a configuration problem at t-online.de. Have you checked with them yet?

Also in your 3rd screenshot, further down there's a link 'PEM (chain)'. Clicking the link should reveal a .pem file with the cert(s) for the entire certificate chain. You can try to import the .pem file into Thunderbird Certificate Manager underneath the 'Authorities' tab. See if that helps.

Modified by christ1

Dear christ1, thank you for your reply.

I have contacted t-online.de, but only via phone. There was no one who really understood my problem, and they denied that it is t-online.de's fault and proposed it would rather be a Thunderbird issue... I will now set up a proper ticket with them...

Just for additional input: I have visited a Telekom subsidiary which I assume is responsible for all the certificate management: https://telesec.de/de/aktuelles/

There they say (translated): "New CPS version 19.0 online A new version was made available in Business.ID on January 10, 2023. From January 10th, 2023, the CPS Public will apply to all certificates below the public root CAs. the public certificates of Business.ID (SBCA). The CPS Business.ID continues to apply to the certificates from Business.ID below the internal root CAs. Your Business.ID (SBCA) team"

May this clarify anything? The date 10 Jan 2023 also closely corresponds with the time my issue began.

Regarding your last paragraph: I see the link to 'PEM (chain)' but I do not know what to do with the data. FF offers me either to open the file or to save it to disk. What should / could I do at this point?

Same question with the Authority Info (AIA) ocspr file from http://ocsp.serverid.telesec.de/ocspr and http://crt.serverid.telesec.de/crt/Telekom_Security_ServerID_OV_Class_2_CA.crt What should / could I do at this point?

How do I import the .pem file into the Thunderbird Certificate Manager underneath the 'Authorities' tab? Where will I find the 'Authorities' tab?

Kind regards

Chosen solution

> May this clarify anything?

I have no idea what they are talking about. But it seems on that website you can download any of the root and/or intermediate CA certs you may be missing.

> I see the link to 'PEM (chain)' but I do not know what to do with the data

Download the .pem file and save it to your disk. Then import it into Thunderbird as described above using the Certificate Manager. At the top right of the Thunderbird window, click the menu button ≡ > Settings > Privacy & Security > Manage Certificates

> Same question with the Authority Info (AIA) ocspr file

I'm not sure what this is for, but I don't think it's relevant for you.

> and http://crt.serverid.telesec.de/crt/Telekom_Security_ServerID_OV_Class_2_CA.crt What should / could I do at this point?

That is the certificate for the CA which issued your new secureimap.t-online.de cert on 01/03/23. It's the intermediate CA certificate you need to import into Thunderbird.

In turn the intermediate CA certificate has been issued by the T-TeleSec GlobalRoot Class 2 root CA. That root cert is already present in Thunderbird's certificate store, assuming you're using a recent version of Thunderbird.

Modified by christ1
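Added example, not part of the original thread: a shell sketch using the openssl command line that reproduces the incomplete-chain situation described in the replies above. It builds a constructed root, intermediate and server certificate (all names and files are made up) and shows that verification fails when only the root is known and succeeds once the intermediate is supplied, which is the role the imported intermediate CA certificate plays in Thunderbird.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> server cert. All names are made up.

sign() {  # $1=dir $2=subject CN $3=cert basename $4=issuer basename $5=ext section $6=serial
  openssl req -config "$1/pki.cnf" -new -key "$1/$3.key" -subj "/CN=$2" \
    -out "$1/$3.csr" &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$3.pem" 2>/dev/null
}

make_demo_pki() {  # $1 = working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  for n in root inter leaf; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/$n.key" || return 1
  done
  # Self-signed root: stands in for a root CA already in the client's store.
  openssl req -config "$1/pki.cnf" -x509 -new -key "$1/root.key" -days 2 \
    -subj "/CN=Demo Root CA" -extensions ca -out "$1/root.pem" || return 1
  sign "$1" "Demo Intermediate CA" inter root ca 2 &&
  sign "$1" "mail.example.test" leaf inter leaf 3
}

chain_verifies() {  # $1 = dir, $2 = "with-intermediate" to supply the intermediate
  if [ "$2" = with-intermediate ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
      "$1/leaf.pem" >/dev/null 2>&1
  else
    # Only the root is known: the issuer of the server cert cannot be found.
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d)
make_demo_pki "$demo" || echo "openssl failed to build the demo PKI"
chain_verifies "$demo" root-only && echo "root only: OK" || echo "root only: FAIL"
chain_verifies "$demo" with-intermediate && echo "with intermediate: OK" \
  || echo "with intermediate: FAIL"
rm -rf "$demo"
```

Against a live server, `openssl s_client -connect HOST:993 -showcerts` lists the certificates the server actually sends, so a missing intermediate can be seen directly.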

Dear christ1,

thank you very much for your reply and your answers! One of your hints got me to the solution of my issue, see below.

> At the top right of the Thunderbird window, click the menu button ≡ > Settings > Privacy & Security > Manage Certificates

and

> In turn the intermediate CA certificate has been issued by the T-TeleSec GlobalRoot Class 2 root CA. That root cert is already present in Thunderbird's certificate store, assuming you're using a recent version of Thunderbird.

This was your direct hint to find the reason for my issue. :-) I had a look in the Thunderbird Certificate Manager, underneath the 'Authorities' (Zertifizierungsstellen, in German) tab, at the CA certificate T-TeleSec GlobalRoot Class 2 with 'Edit Trust' (Vertrauen bearbeiten, in German). There I found that the check box for 'this certificate can identify websites' was not checked. I switched that on, restarted Thunderbird - bingo - the issue was gone :) DONE.

Thank you very much for your help, with this I now do have a slightly better understanding of this CA stuff. Kind regards