Thunderbird keeps asking me to add security exception every time I click "Get Messages"
I've been using Thunderbird for ages without any (real) problems. A few days ago, Thunderbird updated to version 78.5.0. Shortly thereafter the problems started. I can't remember if it started immediately after the update so I'm not sure if the update was the direct cause.
Anyway, every time I try to retrieve my mail (by clicking "Get Messages") a pop-up appears:
(See image attachment)
This pop-up isn't new to me since I'm using my own mail server with a self-signed certificate. So every time I update the certificate, I get this popup. It is new however the pop-up appears while nothing has changed (other than Thunderbird updating).
If I click "Confirm Security Exception", the popup disappears but no mail is retrieved. If I click "Get Messages" again, the pop-up reappears. Oddly enough, If I go to Thunderbird's Certificate Manager, I see the certificate was actually added.
So that's one strange thing. It isn't the strangest thing however. What's even stranger is that the location (email.glasshouse.nl:995) isn't the address of my mail server. If I look under Thunderbird's "Server Settings", I see the correct address. Even if I change the server address to something else (the IP address for instance), the pop-up still displays email.glasshouse.nl as location. I'm not worried this is some kind of hack or virus or malware since I recognize the address - it's the mail server I used well over ten years ago (in Thunderbird).
So what is actually going on here? And more important, how can I solve this so I can get to my email again?
Thanks in advance!
Modified by Wayne Mery
All Replies (9)
I've experienced this too. the devs have been notified and have acknowledged they are aware of this issue. Meanwhile, I did find a "fix" that would be more accurately described as a "work-a-round". But regardless of what you call it, it works. Navigate to C:\Users\<pofile_name>\AppData\Roaming\Thunderbird\Profiles\<profile_in_use>\ and open the Cert_Override.txt file using notepad. List there you will see the data for your self-signed certificate, but only for the incoming mail port. (Port 143) in my case. It will look something like this: my.mail.server:143 OID.2.16.8184.108.40.206.4.2.1 CE:D6:4C: (buch of key gibberish after this)
Copy the above to a new line, and the only thing you need to change is the port number. In my case, I changed it from port 143 to port 465 since that's what I use on the hmailserver program for the SMTP port. Then save the file. Now now the file looks like this: my.mail.server:143 OID.2.16.8220.127.116.11.4.2.1 CE:D6:4C: (buch of key gibberish after this) my.mail.server:465 OID.2.16.818.104.22.168.4.2.1 CE:D6:4C: (buch of key gibberish after this) Now you can restart Thunderbird and when you check the certificate exceptions you'll see the cert listed twice - once for the incoming port and again for the outgoing port. I now have no problem receiving "or" sending e-mail through my end-to-end encrypted hmailserver program.
Thank you for your answer. I had to tailor it a bit but I now have a working workaround and I'm able to retrieve my email again.
My problem wasn't that there was no line in cert_override.txt for the incoming server (because it actually added a line as soon as I click "Confirm security exception" (with "Permanently store this exception" ticked), but that the server name was wrong.
Like I said, for some unknown reason, it adds a line for email.glasshouse.nl (as seen in the pop-up), regardless of what server name I enter in my account settings. Changing the server name to the correct one in cert_override.txt solved my problem.
Question is: where does Thunderbird get the server name email.glasshouse.nl from?
I've experienced this too. the devs have been notified and have acknowledged they are aware of this issue.
Do you have a URL to the report?
I don't have the URL handy. But the bugzilla number is 1665577 if that helps.
I operate my own imap mail server with a lets encrypt certificate which needs to be renewed every 6 month. In the past I had no problems to permanently store the security excpetion in TB I am on TB 76.6.0 64 bit and currently the security exception does not work anymore. Although I selected to permanently store the security exception TB does not accept it and I cannot get the messages from my mail server anymore.
ffsync5, First, make sure you've got the most current version of TB. I experienced this with an earlier release, and it seems to have been fixed in a latest minor release of version 7. If that doesn't work, then if you'll scroll up in this thread you'll see my work-a-round for this, about editing the cert.override file to manually place the exception there.
@Carl1959 sorry for the typo, I am on TB 78.6.0 (64-bit) which says "is up to date" I also had tried the workaround that you described but it did not work. The strange thing is, that I have 2 domains which both have a letsencrypt certificate and one of them is working without problems while the other always comes up with the "Add Security Exception" window. Both domains have an entry for imap...:993 in cert_override.txt. I even closed TB, renamed cert_override.txt, restarted TB and confirmed the security exception again. Both security exceptions then show up again in cert_override.txt but the one in question is not working and always comes up again with the "Add Security Exception" window.
Today I did remove the imap account and added it again with the same settings. This solved the problem although I still don't know why. The only real pain was, to manually re-add my different address identities which I use to separate communication as I could not find a way to export/import identities.
I've the same problem since version 78.6.0 What's even more strange: Thunderbird keeps asking for a security exception for one server even after I deleted the mailbox running on this server. So where is Thunderbird storing the IP of that server which is not needed any more for any mailbox?! (Yes, I restarteted Thunderbird after deleting this mailbox, but it's asking again, not accepting an 'yes')