
S/MIME digitally signed emails sent from Thunderbird showing as "There are problems with the signature" after v91

  • 10 replies
  • 4 have this problem
  • 100 views
  • Last reply by Matt_Brz


Hello - I upgraded from TB 78 to 91 a couple weeks ago, and my boss just let me know today that in Outlook, which most of my coworkers use, my digitally signed emails are showing the error "There are problems with the signature" for all of my emails since the upgrade to v91. Specifically digging into the Outlook error shows:

"Error: The message contents may have been altered. Signed by heise@wisc.edu using RSA/SHA256 at 9:15:07 AM 2021-10-22."

I did not change my certificate, and emails sent using Nine (Android email client) and Outlook show up as fine. It's the same problem that this user describes here from several months ago.

https://old.reddit.com/r/Thunderbird/comments/p66eb1/smime_broken_in_tb_91/

I'm on version 91.2.1

Chosen solution

Solved by release of Thunderbird 91.3


All Replies (10)


Oh, I should clarify - whoops - the emails I sent, when viewed in my sent folder in Thunderbird, look just fine and aren't reporting any problems at all, and it thinks everything is fine. I had a mac-using coworker confirm for me that my emails look fine to him in Mac Mail, though.


Ok, I just tried S/MIME to another of my accounts. When I open it, it looks good, but when the message is synced to another installation of Thunderbird without the S/MIME certificate installed, I get an error about the message having no digital signature (even if it is in the sent folder).

But I digress. Do you have some fool in admin adding to your emails after they are signed (part of the SMTP process usually)? Things like the email being intended for the recipient only or other such unenforceable contractual obligations on the recipient. Or text like "scanned by such and such anti virus" that needs free advertising. This sounds unlikely, but it may only be mail leaving the organization that gets this treatment.

Or your recipient may have software that modifies the subject or body of the email.

The signing process creates a checksum of the content of the email. So if your recipient has something in place to modify the received mail then there will be an error about it being altered, because it has.


Hi Matt - I walked back through everything:

Created a VM, installed Thunderbird version 78, which had been working fine with Outlook + S/MIME (from http://ftp.mozilla.org/pub/thunderbird/releases/78.9.1/win32/en-US/), added my Office 365 work account to it, and sent test emails to my Gmail address.

Everything worked fine!

Updated VM's Thunderbird from 78 -> 91 via regular in-application updater. Emails sent from TB 91... still worked fine? That blew my theory out of the water.

After a lot more trial and error and trying to make everything between my regular TB 91 install and the test TB 91 install on my VM, I found the issue: it's the signature, but not the digital signature! It's the "signature text" block right on the very first page of the account settings.

!!!!

On my regular TB instance, with Office 365 (this is the only email account I have a digital certificate with so I can't test to see if this affects other accounts I sent from), this email signature (with the "Use HTML" checked in Account settings) has been working great for 7 years now:

Zach Heise <br /> Social Sciences Computing Cooperative <br /> <a href="https://www.sscc.wisc.edu/about-the-ssc/sscc-staff/">Work and Contact Information</a> <br /><br />

However, I find that now, with Thunderbird 91 on both the test VM and my regular account, having that <a href="link">link looks like this</a> results in the signature breaking.

This might be because Office 365 is doing some sort of email scanning on signature links (only for Thunderbird or IMAP perhaps; sending email with the exact same HTML signature works fine from Outlook) and something about how TB 91+ is handling HTML <a> tags in signatures is causing something that is making the email be modified in transit.

If I change my email signature to: Zach Heise <br /> Social Sciences Computing Cooperative <br /> and send that in Thunderbird 91+ with HTML turned on, Outlook likes it just fine. It's only when the <a> is added that breakage occurs.

It is clear, however, that something changed in Thunderbird between 78 and 91 pertaining to how email signatures work, probably with HTML in particular, because I confirmed a final time that I can still go back to TB 78, use that same HTML email signature, and Outlook reports email sent with that signature is not broken. So my Office 365 tenant administrators didn't change anything on their end. But whatever change that Thunderbird made... I wonder if it is possible to change it so that we can use HTML <a> tags again in our email signatures?

"View Source" in Outlook for my test message results in the following: <meta http-equiv="content-type" content="text/html; charset=UTF-8">

Okay, here's with the full email signature + HTML does this still work in tb78?

--
Zach Heise
Social Sciences Computing Cooperative
Work and Contact Information


Then, I update from TB78 -> 91 and do the exact same email, and view source in that message from Outlook: <meta http-equiv="content-type" content="text/html; charset=UTF-8">

Okay, here's with the full email signature + HTML does this still work in tb91?

--
Zach Heise
Social Sciences Computing Cooperative
Work and Contact Information


Looks identical I know! But Outlook says that this message has been modified in transit, and it doesn't say that about the message from TB78.

Okay this has been a long hour of testing. I hope perhaps something can be figured out, but I guess in the meantime, I have a workaround.


Argh, a lot of my HTML got broken by putting it in this form. Is there a guide to this support forum for how to post HTML code in a box that doesn't get parsed by the HTML renderer?


Seems like I spoke too soon - emails that I digitally signed that are replies, containing someone else's previous email, are still a problem, even with my email signature entirely turned off.

The one way I can force it to work with replies, I have just found, is by doing Options -> Delivery Format -> Plain Text Only. The digitally-signed emails resulting from this, when I view in my sent folder (or when the recipient gets my email in their inbox) are not showing as broken.


Found a Bugzilla report for this, will be following this since it's where it's most likely to be fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=1731529

Chosen Solution

Solved by release of Thunderbird 91.3


Unfortunately we still have this problem. 91.3 did not work in our case. If I manually set Options → Delivery Format to Plain and Rich (HTML) Text and there is any part of HTML (it can be the content of the message or a company's signature in HTML), the S/MIME signature is displayed as incorrect. If I manually set Options → Delivery Format to Plain Text, the S/MIME signature is OK, but the company's signature and any messages written by a second person are converted to plain text, which does not look so good.

This might be important: even if the delivery format is set to HTML or text and HTML but there is only pure text in the message, the signature is correct. Any use of HTML causes the problem.

My tech colleagues have found out that the real problem is on the Outlook side, but the reason is the change in message encoding in TB 91 from Content-Transfer-Encoding: quoted-printable to Content-Transfer-Encoding: 8bit (not supported by different versions of Outlook).

I wonder if it is possible to enable the previous encoding on the Thunderbird side.

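The last reply attributes the failure to Thunderbird 91 sending HTML parts as Content-Transfer-Encoding: 8bit instead of quoted-printable. The following Python is an added example, not code from the thread or from Thunderbird: it shows that the signature digest covers the part's bytes as encoded, so re-encoding an 8bit part leaves the rendered content identical while the digest no longer matches. The sample part, the function names and the re-encoding step are constructed assumptions.

```python
import hashlib
import quopri

CTE = b"content-transfer-encoding:"

def split_entity(entity):
    """Split a single-part MIME entity into header lines and body bytes."""
    head, body = entity.split(b"\r\n\r\n", 1)
    return head.split(b"\r\n"), body

def declared_cte(entity):
    """Return the declared transfer encoding, lower-cased (default 7bit)."""
    for line in split_entity(entity)[0]:
        if line.lower().startswith(CTE):
            return line.split(b":", 1)[1].strip().lower().decode()
    return "7bit"

def signed_digest(entity):
    """The signature's digest covers the entity bytes exactly as encoded."""
    return hashlib.sha256(entity).hexdigest()

def signing_risks(entity):
    """Flag properties that invite re-encoding of the signed part."""
    risks = []
    if declared_cte(entity) in ("8bit", "binary"):
        risks.append("declares " + declared_cte(entity))
    if any(b > 0x7F for b in split_entity(entity)[1]):
        risks.append("body contains non-ASCII bytes")
    return risks

def downgrade_to_qp(entity):
    """Assumed intermediary: rewrite an 8bit part as quoted-printable."""
    if declared_cte(entity) != "8bit":
        return entity
    lines, body = split_entity(entity)
    lines = [b"Content-Transfer-Encoding: quoted-printable"
             if l.lower().startswith(CTE) else l for l in lines]
    return b"\r\n".join(lines) + b"\r\n\r\n" + quopri.encodestring(body)

def decoded_body(entity):
    """Body as a mail client would render it, after transfer decoding."""
    body = split_entity(entity)[1]
    return quopri.decodestring(body) if declared_cte(entity) == "quoted-printable" else body

# Constructed sample part: HTML body with a link and non-ASCII text.
HEAD = b"Content-Type: text/html; charset=UTF-8\r\nContent-Transfer-Encoding: "
BODY = '<p>Gr\u00fc\u00dfe <a href="https://example.org/">contact</a></p>\r\n'.encode()
AS_SENT_8BIT = HEAD + b"8bit\r\n\r\n" + BODY
AS_SENT_QP = HEAD + b"quoted-printable\r\n\r\n" + quopri.encodestring(BODY)
```

Running `signing_risks` over the first part of a multipart/signed message saved from the Sent folder shows whether the signed content was emitted as 8bit before any relay or client touched it.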