
Thunderbird 78 failed to connect to server
Okay, I am using a really ancient SME Server 7 email system on a machine under my desk, and today Thunderbird updated itself from 68 to 78 without my say so. For reasons beyond the scope of this missive, I am a month behind on accessing the emails on that machine and was trying to get back up and running again. Bear in mind, that email machine self-certificates, generating a new certificate for itself each time you restart that machine.
Under 68, it had started connecting and was apparently getting the new emails, but in a distracted moment I wasn't eagle-eyed watching it when I fired up Thunderbird, and I had forgotten that when Thunderbird encounters a new cert, it will complain that the cert changed (and that this might be security shenanigans) and will wait for me to override it. Trouble is, if you don't catch it IMMEDIATELY, it quietly accumulates a ton of these alerts that you now have to override also, even though you've already told it to accept the new cert on the first pop up... and the only way to get out of redoing that action 1000 times in a row is to kill out of Thunderbird via Task Manager and launch it again, at which point it should already recognize the new cert and simply start loading the mails.
Well, when I went to launch Thunderbird again after killing it, it instead installed the update to 78.... without giving me the choice to NOT update it. Some while back, I needed to reinstall 68, and had to go through hoops to get it working again. But I digress.
The existing mails from up to a month ago are all showing up in Thunderbird (because it has a local copy of all those), but Thunderbird is giving me an error about Failed to connect to server server, and simply isn't bringing in any of the new mails.
What do I do? I need this to simply work.
Chosen solution
Well, I did the downgrade back to 68, and so far it seems to be working as needed. Thank you for the instructions for all these means of fixing things.
(ANSWER-1) if you want to continue to use v78 TB now, then you may do option-3 (transfer specific data/settings) shown here.
if you want to downgrade to v68 series TB, then you may read+do downgrade,
other options are here (using second-TB, etc).
and please keep Auto-Update option disabled (if you want to) , a link for detail instruction of that, is shown here > then press Ctrl+F to search & type "STOP AUTO-UPDATE" to goto the LINK > click on it.
TB = Thunderbird.
in any version TB , you will have to accept the self-signed certificate from that mail-server , to connect with it for accessing/viewing mails from TB via IMAPS/993 or POP3S/995 , & for sending mails from TB via SMTPS/465 or MAIL-SUBMISSION/587.
may be an antivirus (AV) or firewall (FW) or security suite (SS) software is intercepting & blocking the connection to mail-servers from TB. many AV/FW/SS does that. How to handle AV/FW/SS is here.
if after handling AV/FW/SS related factors , TB still has problem connecting with your mail-server , then
you may have to use value 1 for "security.tls.version.min" setting , in newer-TB's about:config (Config-Editor),
value 1 allows TB to use older+unsafe TLS protocols,
if you're not-sure which TLS is used/supported by your mail-server then use the value 1 & TEST,
if you are sure your mail-server is using last safe TLS protocol , then do not change the "security.tls.version.min" setting value to 1 in newer v78 series TB, instead keep new-TB's that setting at default value 3.
and if you use older v68 TB in some computer/device, then in older v68 series TB set value of "security.tls.version.min" setting to 3 to use last+safe TLS.
more info here.
what exact mail-server are you using ? can it use free SSL/TLS cert from "LetsEncrypt" ?
and please also wait for others to help you on these issues.
EDIT : added more info on minimum TLS protocol version,
EDIT : added questions on mail-server, etc.
Well, the main question I have right now is... why am I getting that Failed to connect to server... message, and what do I do to get connection to the server working again? The machine-name I access it through is working (I can get to it via my web-browser from my Windows 10 machine), so the machine-name is showing up on the LAN like normal.
edit: The make and model of the server info is:
SME Server 7.6 Copyright 1999-2006 Mitel Corporation All rights reserved. Copyright 2006 SME Server, Inc.
(ANSWER-2) if a firewall in your computer is not blocking traffic from your computer (and your TB in it) into the server computer in your LAN , then ROUTER device may be the cause of network/LAN/internet data-packet traffic/connection blocking , in ROUTER enable LAN+WAN traffic that allows server computer to accept INCOMING connections.
server computer must be allotted+using a specific FIXED IP-address. configure Router, to assign fixed IP-adrs. ROUTER must ALLOW/OPEN PORT 993 (imaps), 143 (imap), 995 (pop3s) , 110 (pop) , smtps (465), mail-submission (587), 25 (smtp), etc INTO the server-computer's fixed IP-address. if server has software firewall , then ALSO OPEN/ALLOW those mail PORTs (and other necessary ports) also inside the iptables, nftables, etc, iptables/nftables in server-computer must allow inbound traffic (data packets) into those specific port(s) into server-computer , etc which are coming from both LAN & WAN facing NIF (network-interface adapter/card) address , then server will be able to receive connection from both LAN based computers & also internet/WAN based computers.
EDIT: added more info on iptables/nftables, etc.
Well, nothing at all has changed on my Win10 machine, other than TB updated itself from 68 to 78. I haven't touched any of the settings on the router or the email server since this was last working. I'm pretty sure it all was working fine when my Win10 machine was running TB 68. It was connecting fine with TB 68 (other than complaining about the changed certs), I quit out of TB 68 to relaunch it, it installed TB 78, and then TB couldn't connect to the server, so apparently whatever changed is in TB 78.
(ANSWER-3) SME Server might have updated something , it's possible, it appears SME Server 7.6 is based on CentOS.
if v68 TB in Win10 computer could connect & work with mail-server, and after TB updated into v78 TB , TB cannot connect or work with mail-server anymore, and nothing else has changed (no anti-virus was loaded or updated), then it should not be mail-server issue (unless mail-server's CentOS linux OS has also auto-updated something),
if we assume, nothing was updated in mail-server, then it is very likely TLS issue in TB in Win10 computer , new-TB can by-default only use safe/last TLS , cannot use old TLS, so please see in above my earlier post , i mentioned about TLS settings, to use old TLS, please change that TLS security setting value to 1 in TB, restart TB, & try again.
if mail-server also updated something, then you need to go into its config/settings , and check Mail-Server software version/status, etc. you may need to delete the self-signed cert from TB, and add again. may be the CentOS linux based mail-server did not complete some settings , may be mail server software/processes have not started inside the mail-server computer. check in mail-server, which services are off.
EDIT: changed instructions.
EDIT: added info on server-update, etc.
Okay, lowered security.tls.version.min to 1, exited and restarted TB, and I'm still getting Failed to connect to server...
edit: On the other hand, when I go to the Certificate Manager in TB and look at the Your Certificates tab, there's nothing in there. Also, I have Certificates set to Ask me every time, and I have unchecked Query OCSP Responder servers to confirm the current validity of certificates
(PART-1) (mail-server simple test)
for example & for the purpose of discussion here let us assume these settings : inside the LAN side network in your location , your mail-server has fixed IP-adrs is 10.10.10.10 , & your Win10 computer's ip-adrs is dynamic ip-adrs is 10.10.10.101 which is allotted by your network-Router device , you have a fixed internet-routable (public) IP-address 192.192.192.192 assigned to your location by your ISP , your domain name is: example.com , your pop & imap mail-server has same domain name: mail.example.com , your smtp server uses this domain name: smtp.example.com , etc.
let us assume, that, in Win10 computer, in TB's mail-account you normally use these: inbound server adrs: mail.example.com , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@example.com , outbound server adrs: smtp.example.com , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@example.com ,
so for TEST purpose, use LOCAL ip-address directly like this in TB: inbound server adrs: 10.10.10.10 , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@10.10.10.10 , outbound server adrs: 10.10.10.10 , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@10.10.10.10 ,
again TEST with public IP-adrs in TB: inbound server adrs: 192.192.192.192 , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@192.192.192.192 , outbound server adrs: 192.192.192.192 , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@192.192.192.192 ,
in both case, TB will/may warn about cert mismatch when it will try to connect with mail-server, accept the cert & try to connect.
start Command-Prompt in win10 computer.
manually test mail-server's IMAP/POP3 services from win10 computer: copy-paste the URL in your web-browser: https://wiki.dovecot.org/TestInstallation
above linked page shows how to test dovecot service in mail-server, that allows TB to connect with mail-server's IMAP/POP3 service to obtain+view received emails.
manually TEST mail-server's SMTP services from win10 computer: copy-paste the URL in your web-browser: https://stackoverflow.com/a/16393831/3553808
above linked page shows how to test postfix service in mail-server, if it can send test message out.
change command shown inside above webpage's answer, from "telnet localhost 25" into "telnet smtp.example.com 25"
results (when connection is successful) :
Trying 192.192.192.192...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ...
results (when connection is Not-successful) :
Trying 192.192.192.192...
telnet: Unable to connect to remote host: Connection refused
if that does not work also try this:
telnet 10.10.10.10 25
if that does not work also try this:
telnet 192.192.192.192 25
then manually TEST if win10 computer can send a mail via mail-submission port 587, like these,
in Command-Prompt:
telnet smtp.example.com 587
if port 587 is not-blocked, then you should receive response 220 , something similar to below (but not-exactly like below):
220 ESMTP [SME Server 7.6]
If you receive Unable to connect or Connection refused messages, that means port 587 is blocked / inaccessible.
very likely a firewall or similar or other intercepting software is blocking the communication.
obtain openssl tool for windows:
( from: https://indy.fulgan.com/SSL/ ,
or from: https://github.com/curl/curl-for-win#binary-package-downloads ,
or from: https://sourceforge.net/projects/openssl-for-windows/ )
( optional step : obtain ISC BIND (non-debug installer) *.x64.zip file from here: https://downloads.isc.org/isc/bind9/cur/ , unzip , start the installer, choose only Bind Util package, do not select Bind or other items , you need the "dig" tool from BindUtil for further test )
you can also TEST mail-server's services status, cert, etc like these, from Win10 computer:
openssl s_client -connect smtp.example.com:25 -starttls smtp
openssl s_client -connect smtp.example.com:465
( more info: https://www.admin-enclave.com/en/articles/exchange/353 )
openssl s_client -connect smtp.example.com:587 -starttls smtp
( more info: https://serverfault.com/a/840925/217110 )
openssl s_client -starttls smtp -crlf -connect 10.10.10.10:587
( more info: https://serverfault.com/a/156700/217110 )
openssl s_client -connect smtp.example.com:465
( more info: https://serverfault.com/a/64417/217110 )
check if your dns rr record MX for your domain-name is working or not:
dig MX example.com +short
result should look like this:
10 mail.example.com.
...
i will add more info here, later.
try to use IP-address directly as mailserver address, instead of domain, & try again.
for example & for the purpose of discussion here let us assume these settings : inside the LAN side network in your location , your mail-server has fixed IP-adrs is 10.10.10.10 , & your Win10 computer's ip-adrs is dynamic ip-adrs is 10.10.10.101 which is allotted by your network-Router device , you have a fixed internet-routable (public) IP-address 192.192.192.192 assigned to your location by your ISP , your domain name is: example.com , your pop & imap mail-server has same domain name: mail.example.com , your smtp server uses this domain name: smtp.example.com , etc.
let us assume, that, in Win10 computer, in TB's mail-account you normally use these: inbound server adrs: mail.example.com , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@example.com , outbound server adrs: smtp.example.com , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@example.com ,
so for TEST purpose, use LOCAL ip-address directly like this in TB: inbound server adrs: 10.10.10.10 , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@10.10.10.10 , outbound server adrs: 10.10.10.10 , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@10.10.10.10 ,
again TEST with public IP-adrs in TB: inbound server adrs: 192.192.192.192 , protocol: IMAP(s) , port: 993 , auth-method: "Normal Password" , security: SSL/TLS , user-name: user@192.192.192.192 , outbound server adrs: 192.192.192.192 , protocol: SMTP(s) , port: 587 , auth-method: "Normal Password" , security: STARTTLS , user-name: user@192.192.192.192 ,
in both case, TB will/may warn about cert mismatch when it will try to connect with mail-server, accept the cert & try to connect. SAVE THE CERT ALSO AS A CRT FILE , or get the actual public-CRT file from mail-server directly. lets say you saved it here "%APPDATA%\MyCertsKeys\mail-server-name-pub-01.crt"
start "Command-Prompt" in win10 computer.
manually test mail-server's IMAP/POP3 services from win10 computer: copy-paste the URL in your web-browser: https://wiki.dovecot.org/TestInstallation
above linked page shows how to test dovecot service in mail-server, that allows TB to connect with mail-server's IMAP/POP3 service to obtain+view received emails.
manually TEST mail-server's SMTP services from win10 computer: copy-paste the URL in your web-browser: https://stackoverflow.com/a/16393831/3553808
above linked page shows how to test postfix service in mail-server, if it can send test message out.
change command shown inside above webpage's answer, from "telnet localhost 25" into "telnet smtp.example.com 25"
results (when connection is successful) :
Trying 192.192.192.192...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ...
results (when connection is Not-successful) :
Trying 192.192.192.192...
telnet: Unable to connect to remote host: Connection refused
if that does not work also try this:
telnet 10.10.10.10 25
if that does not work also try this:
telnet 192.192.192.192 25
then manually TEST if win10 computer can send a mail via mail-submission port 587, like these,
in Command-Prompt:
telnet smtp.example.com 587
if port 587 is not-blocked, then you should receive response 220 , something similar to below (but not-exactly like below):
220 ESMTP [SME Server 7.6]
If you receive Unable to connect or Connection refused messages, that means port 587 is blocked / inaccessible.
very likely a firewall or similar or other intercepting software is blocking the communication.
obtain openssl tool for windows:
( from: https://indy.fulgan.com/SSL/ ,
or from: https://github.com/curl/curl-for-win#binary-package-downloads ,
or from: https://sourceforge.net/projects/openssl-for-windows/ )
( optional step : you may also obtain ISC BIND (non-debug installer) *.x64.zip file from here: https://downloads.isc.org/isc/bind9/cur/ , unzip , start the installer, choose only Bind Util package, do not select Bind or other items , you need the "dig" tool from BindUtil for further test )
you can also TEST mail-server's services status, cert, etc like these, from Win10 computer:
openssl s_client -connect smtp.example.com:25 -starttls smtp
openssl s_client -connect smtp.example.com:465
( more info: https://www.admin-enclave.com/en/articles/exchange/353 )
openssl s_client -connect smtp.example.com:587 -starttls smtp
( more info: https://serverfault.com/a/840925/217110 )
openssl s_client -starttls smtp -crlf -connect 10.10.10.10:587
( more info: https://serverfault.com/a/156700/217110 )
openssl s_client -connect smtp.example.com:465
( more info: https://serverfault.com/a/64417/217110 )
as mail-server is using SELF-SIGNED CERT, so add these extra parameters in commandline: -CAfile "CRT-filename" and/or -CApath "folder-PATH-name-to-CRT-files"
for-example:
openssl s_client -connect smtp.example.com:465 -CAfile "%APPDATA%\MyCertsKeys\mail-server-name-pub-01.crt"
( more info: https://security.stackexchange.com/a/211089/238458 )
check if your dns rr record MX for your domain-name is working or not:
dig MX example.com +short
result should look like this:
10 mail.example.com.
...
i will add more info here, later.
EDIT : added info on Self-Signed Certs
PART-2 (mail-server simple test)
as mail-server using SELF-SIGNED cert , use these extra parameters in openssl commandline: -CAfile "CRT-etc-file-path-and-filename" and/or -CApath "PATH-folder-names-to-CRT-etc-file-location"
so for-example:
openssl s_client -connect smtp.example.com:465 -CAfile "%LOCALAPPDATA%\MyCertsKeys\mail-server-name-pub-01.crt"
in earlier of running above openssl commands, get/obtain the public cert file from mail-server directly or when TB prompts to verify it. and save into such folder, if folder does not exists then create it: "%LOCALAPPDATA%\MyCertsKeys\"
http://kb.mozillazine.org/Network_tools_for_server_connections
and check earlier links, what can you do when you connect with server via openssl client. write down or take screenshots of output/results.
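Added example, not part of any post in this thread and not Thunderbird or SME Server code: a Python script that combines the security.tls.version.min advice from ANSWER-1 and ANSWER-3 with the openssl s_client tests from PART-1 and PART-2. It tries one handshake per TLS version and reports the server certificate's SHA-256 fingerprint for each version that works. Assumptions: the meaning of pref values 2 and 4 (TLS 1.1 and TLS 1.3) is not stated in the thread, the file name tlsprobe.py is hypothetical, and 10.10.10.10 is the thread's example address.

```python
"""Probe which TLS versions a mail server accepts, keyed by Thunderbird's pref values."""
import hashlib
import smtplib
import socket
import ssl
import sys

# security.tls.version.min value -> protocol version it stands for.
PREF_TO_TLS = {
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_3,
}

def _context(version):
    # Diagnostic context: no chain validation, because the server's certificate
    # is self-signed; the fingerprint is compared by hand instead.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL offer legacy suites at all
    ctx.minimum_version = ctx.maximum_version = version  # pin exactly one version
    return ctx

def probe(host, port, version, starttls=False, timeout=5):
    """Return the certificate's SHA-256 hex digest if the handshake succeeds at
    exactly `version`, else None (refused, filtered, or version not accepted)."""
    try:
        ctx = _context(version)
        if starttls:  # SMTP on 25/587: plaintext greeting, then STARTTLS
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                der = smtp.sock.getpeercert(binary_form=True)
        else:         # IMAPS 993, POP3S 995, SMTPS 465: TLS from the first byte
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
    except (OSError, ValueError):
        return None
    return hashlib.sha256(der).hexdigest()

def highest_usable_min(results):
    """results maps pref value -> fingerprint or None. Thunderbird connects when
    the server accepts some version at or above the pref, so the answer is the
    largest pref value that handshook; None means no TLS version worked."""
    ok = [pref for pref, fingerprint in results.items() if fingerprint]
    return max(ok) if ok else None

if __name__ == "__main__":
    # Assumed invocation: python tlsprobe.py 10.10.10.10 993
    #                     python tlsprobe.py 10.10.10.10 587 starttls
    host, port = sys.argv[1], int(sys.argv[2])
    results = {p: probe(host, port, v, "starttls" in sys.argv[3:])
               for p, v in PREF_TO_TLS.items()}
    for pref, fingerprint in results.items():
        print(pref, PREF_TO_TLS[pref].name, fingerprint or "no handshake")
    print("highest usable security.tls.version.min:", highest_usable_min(results))
```

The printed SHA-256 value can be compared with the fingerprint of the certificate saved from the mail-server before that certificate is accepted in TB.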
(ANSWER-4) please obtain self-signed cert file (public cert crt file) from mail-server & save into your win10 computer, and please add those manually first in TB's cert db, by using the TB's GUI. please keep OCSP ON/enabled, if you use other email-account(s) from other MSP(s) (mail-service-providers), then that is helpful (to verify certs) , though now many software is pinning certs together , but not all software.
and try to use IP-address directly as mailserver address in TB, instead of your domain-name, & try again. see above "Mail Server Simple Test" (PART 1 , 2 ) messages for further info. (if PART-1 is not-appearing , wait , it needs a TB Admin/Mod's approval ).