Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Certificate errors - smtp.googlemail.com

  • 6 replies
  • 1 has this problem
  • 7 views
  • Last reply by Matt

more options

This problem has been around for ages, but since a clean install of Windows 11 Pro (64-bit, v21H2) a few days ago it's gotten much worse. I'm using Thunderbird 91.2.0 (64-bit). Used to be that every few days I'd get the "Add security exception" failure (see image) when trying to connect to smtp.googlemail.com (209.85.232.16:465). See the images for the details from viewing the certificates. (I've already worked with Bitdefender to try to resolve this problem -- after completely disabling it the error still occurs, but with different certificates. The Bitdefender cert goes away and I get the smtp one plus one for "GTS CA 1C3" and another for "GTS Root R1" which weren't there before disabling BitDefender). None of the certs have expired in either case. Once I add the security exception, telling Tbird to remember it, things will work fine for a couple hours then it happens again. The frequency of these errors has gotten a whole lot worse since running on Windows 11. I'd rate it as having left "annoying" and entering "frustrating". Anybody have any ideas? Thanks, DougP

Attached screenshots

Chosen solution

Lets be clear. In your original posting you supplies this image.

See the common name? That is what makes us certain that bit defender was the root cause in the beginning. Bitdefender is not a part of the web of trust, has not submitted the the rather exensive audit of their practices required to becaome a certifying authority. Actually they have done nothing but expect you to trust them to insert certificate that allow them to view encrypted communications.

However there is the anomaly that google have not used the googlemail domain for a very long time for their mail servers. The server should be smtp.gmail.com but Google provide full information here.

ratnip3 said

As I said in the question, I spent some time with Bitdefender support. After completely disabling Bitdefender, the problem persists, just with different certificates, one for "GTS CA 1C3" and another for "GTS Root R1". So it doesn't seem to have anything to do with Bitdefender.

Check that the setting security.enterprise_roots.enabled is set to false in the Config Editor some anti virus programs change this setting to true so they can force feed their certificates via the windows certificate store instead of the Thunderbird /Firefox ones. Each has it's own. Bitdefender actually offer changing it to true to fix the debacle their product creates. (google security.enterprise_roots.enabled) There is also no use checking the entries in the Thunderbird store if this is set to true.

Finally the server name in your error is being returned as an IP address 209.85.232.16, not a server name. That in itself indicates there is a problem. I have no idea what, perhaps basic configuration is the issue. I do know it does not resolve to a google mail server it resolves to qt-in-f16.1e100.net. That is certainly part of the google network. But what that device is or does I have no idea. It might be a part of a mail cluster or an SMTP server cluster.

I think you need to start at some basics, like checking the setting in account settings are those recommended by the provider that I linked to earlier and most certainly not expressed as ip address. While it might work for a local server, it is not something that could scale to something like google.

Read this answer in context 👍 0

All Replies (6)

more options

If you disable the bitdefender mail scanning do you no longer have an issue? If so your issue is with bitdefender, approach them for support with their hacking.

Helpful?

more options

As I said in the question, I spent some time with Bitdefender support. After completely disabling Bitdefender, the problem persists, just with different certificates, one for "GTS CA 1C3" and another for "GTS Root R1". So it doesn't seem to have anything to do with Bitdefender.

Helpful?

more options
After completely disabling Bitdefender, the problem persists

As per your screenshots, evidently Bitdefender is not disabled. https://support.mozilla.org/en-US/kb/error-codes-secure-websites#w_bitdefender

Bitdefender is intercepting your connection and injecting a certificate in a way that is not trusted by Thunderbird. It is scanning encrypted connections, and replacing the legitimate server certificate with it's own cert generated on the fly.

Why do people still fall for this 'fake security' advertised by anti-virus vendors?

Modified by christ1

Helpful?

more options

Once again, as stated in the original question, after the screenshots were taken I worked with Bitdefender TO COMPLETELY DISABLE IT and the problem persisted. As mentioned there, the Bitdefender certificate disappeared from the problem report after that, but the problem persisted. This isn't StackOverflow, folks, snarking for the sake of snark isn't necessary. Here are the certificates that it shows AFTER BITDEFENDER HAS BEEN COMPLETELY DISABLED AND IT STILL FAILS. OK? I have already determined that Bitdefender is NOT THE PROBLEM. Sorry for shouting, but actual help is needed here, not opinion about other products.

Helpful?

more options
Once again, as stated in the original question, after the screenshots were taken I worked with Bitdefender TO COMPLETELY DISABLE IT and the problem persisted.

What is the error code now? Please post a screenshot.

I have already determined that Bitdefender is NOT THE PROBLEM.

Bitdefender certainly was the problem in the first place as proved by your first set of screenshots.

Modified by christ1

Helpful?

more options

Chosen Solution

Lets be clear. In your original posting you supplies this image.

See the common name? That is what makes us certain that bit defender was the root cause in the beginning. Bitdefender is not a part of the web of trust, has not submitted the the rather exensive audit of their practices required to becaome a certifying authority. Actually they have done nothing but expect you to trust them to insert certificate that allow them to view encrypted communications.

However there is the anomaly that google have not used the googlemail domain for a very long time for their mail servers. The server should be smtp.gmail.com but Google provide full information here.

ratnip3 said

As I said in the question, I spent some time with Bitdefender support. After completely disabling Bitdefender, the problem persists, just with different certificates, one for "GTS CA 1C3" and another for "GTS Root R1". So it doesn't seem to have anything to do with Bitdefender.

Check that the setting security.enterprise_roots.enabled is set to false in the Config Editor some anti virus programs change this setting to true so they can force feed their certificates via the windows certificate store instead of the Thunderbird /Firefox ones. Each has it's own. Bitdefender actually offer changing it to true to fix the debacle their product creates. (google security.enterprise_roots.enabled) There is also no use checking the entries in the Thunderbird store if this is set to true.

Finally the server name in your error is being returned as an IP address 209.85.232.16, not a server name. That in itself indicates there is a problem. I have no idea what, perhaps basic configuration is the issue. I do know it does not resolve to a google mail server it resolves to qt-in-f16.1e100.net. That is certainly part of the google network. But what that device is or does I have no idea. It might be a part of a mail cluster or an SMTP server cluster.

I think you need to start at some basics, like checking the setting in account settings are those recommended by the provider that I linked to earlier and most certainly not expressed as ip address. While it might work for a local server, it is not something that could scale to something like google.

Helpful?

Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.