My provider doesn't seem to want to renew it and they get testy when I call.

A provider refusing to renew their server cert isn't acceptable. Find a new email provider.

Sorry I haven't responded sooner. I'm in too deep with the provider to change. I was looking for a way to have Thunderbird accept my decisions to make the exception. From time to time it reminds me that the cert is not valid. That is to say out of date and it blocks my email until I notice and once again tell it to make the exception. Right now it seems to be OK, but that could end tomorrow. Thanks

you could just stop using SSL/TLS to connect to the server. after all the encryption provided is between your computer and your ISP's sever, all on their network. Unlike say connecting to a google server which is on the more public part of the internet.

Matt,

I don't think that recommending to ditch TLS is good advice after the Snowden revelations, particularly with a provider who refuses to renew a cert.

Sorry to be so late getting back. Thunderbird appears to only offer SSL/TLS and STARTTLS. So from what I can see I don't have the option to NOT use SSL/TLS. I have attached some files to show you how I'm set up. There is also an article that helps to explain why I'm so frustrated. It's at: https://www.fastmail.com/help/technical/ssltlsstarttls.html In it is this; "By disabling ports 143 and 110, this removes completely STARTTLS as even an option for IMAP/POP connections." So that explains my set-up. It does not explain the cert problem which continues to elude me. Note the cert for addons.mozilla .org. It's expired. I just went there and the page loaded just fine. Turns out that quite a few certs expired in 2014 which is odd because I rebuilt my computer in 2015. The problem is that TB is complaining about the cal.net cert. and when I look to see if the exception I made is there, it's not or I'm looking in the wrong place.

christ1 said

Matt, I don't think that recommending to ditch TLS is good advice after the Snowden revelations, particularly with a provider who refuses to renew a cert.

My feeling differ obviously, but if you have someone staying with an obviously poor provider that has security issues, having SSL is not going to improve the security scenario much. The email will still be on their server stored as text with their clearly poor security. In all probability, given they can not manage SSL certificates, the email be transmitted on the internet in plain text. I see little or no benefit in securing the first 100 metres when the next thousand kilometres will be done in plain text for anyone with a packet sniffer to read. You do not need Snowdon level invasive techniques to read the information on the back of a post card.

DavidSorge said

Sorry to be so late getting back. Thunderbird appears to only offer SSL/TLS and STARTTLS. So from what I can see I don't have the option to NOT use SSL/TLS. I have attached some files to show you how I'm set up. There is also an article that helps to explain why I'm so frustrated. It's at: https://www.fastmail.com/help/technical/ssltlsstarttls.html In it is this; "By disabling ports 143 and 110, this removes completely STARTTLS as even an option for IMAP/POP connections." So that explains my set-up. It does not explain the cert problem which continues to elude me. Note the cert for addons.mozilla .org. It's expired. I just went there and the page loaded just fine. Turns out that quite a few certs expired in 2014 which is odd because I rebuilt my computer in 2015. The problem is that TB is complaining about the cal.net cert. and when I look to see if the exception I made is there, it's not or I'm looking in the wrong place.

Your anti virus is, I would think, the actual root cause of your problems, not your mail provider or Thunderbird. Disable email scanning and see the issue disappear into history. IT may well be one of the reasons your provider gets ansy when you ring. they have a renewed and valid certificate perhaps.

Avast has had you insert them a an SSL certifying authority. Real certifying authorities spend very large sums on certification and auditing. Avast just asks you to trust them. They then undertake a sley of hand and thunderbitrd never actually gets to talk to the mail server, it talks o avast as a proxy.

This all sounds really good, as long as avast never ever have any sort of exploit in their code (Mozilla have many identified every year). In that case your security is toast as avast is in fact the sole arbiter of what is and is not a valid certificate, so all your encryption relies on avast and avast alone not having an issue.

Personally I think the reduction in overall security actually negates the benefit of the scanning.

Matt, You are correct! The Avast cert is the "problem" in my case. If my provider had a cert that was up to date the avast cert would, most likely, not have balked. For the sake of anyone reading this in the future here is what happened. I opened the Avast interface and followed there instructions to export and import there cert into Thunderbird. I viewed the certs and it was there. Within minutes the Avast warning screen showed up. Since I have no idea what else to do, I of course just made the exception. This went on for all the emails that download up to that point. As soon as that was done I checked and the Avast cert was once again gone. So loading the certificate from Avast causes my "problem". This, most likely, because of my provider's out of date certificate. I'm guessing that every time Avast up-dates itself, it installs it's certificate and once again I have to go through the process of eliminating it. Since my provider is using STARTTLS it may be, in there view, that the cert is not important. But certificates are a problem for another day. Thanks for the help. Actually read on.

The Avast cert is the "problem" in my case.

Indeed. I wish you'd have mentioned Avast earlier.

If my provider had a cert that was up to date the avast cert would, most likely, not have balked.

No. fastmail.com is a reputable email provider. As Matt already mentioned, there is no reason to suspect that there is anything wrong with the cert sent by the fastmail.com server.

I opened the Avast interface and followed there instructions to export and import there cert into Thunderbird.

What cert?

Within minutes the Avast warning screen showed up.

What warning?

Since I have no idea what else to do, I of course just made the exception.

Whenever you are asked to create an exception, something is wrong. Creating an exception isn't the solution, it is a workaround at best. https://support.mozilla.org/kb/add-security-exception

So loading the certificate from Avast causes my "problem".

The problem is that Avast is intercepting your secure connection to the fastmail.com server. Avast generates a cert on the fly and is presenting that to you as a cert for fastmail.com. Thunderbird detects that the cert hasn't been issued by a trusted CA and prompts you to create an exception. Also see https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_avast

This, most likely, because of my provider's out of date certificate.

No. I'm fairly certain the fastmail.com cert is fine.

I'm guessing that every time Avast up-dates itself, it installs it's certificate and once again I have to go through the process of eliminating it.

Sort of.

Since my provider is using STARTTLS it may be, in there view, that the cert is not important.

What in the world are you talking about?

Matt said

DavidSorge said

Sorry to be so late getting back. Thunderbird appears to only offer SSL/TLS and STARTTLS. So from what I can see I don't have the option to NOT use SSL/TLS. I have attached some files to show you how I'm set up. There is also an article that helps to explain why I'm so frustrated. It's at: https://www.fastmail.com/help/technical/ssltlsstarttls.html In it is this; "By disabling ports 143 and 110, this removes completely STARTTLS as even an option for IMAP/POP connections." So that explains my set-up. It does not explain the cert problem which continues to elude me. Note the cert for addons.mozilla .org. It's expired. I just went there and the page loaded just fine. Turns out that quite a few certs expired in 2014 which is odd because I rebuilt my computer in 2015. The problem is that TB is complaining about the cal.net cert. and when I look to see if the exception I made is there, it's not or I'm looking in the wrong place.

Your anti virus is, I would think, the actual root cause of your problems, not your mail provider or Thunderbird. Disable email scanning and see the issue disappear into history. IT may well be one of the reasons your provider gets ansy when you ring. they have a renewed and valid certificate perhaps.

Avast has had you insert them a an SSL certifying authority. Real certifying authorities spend very large sums on certification and auditing. Avast just asks you to trust them. They then undertake a sley of hand and thunderbitrd never actually gets to talk to the mail server, it talks o avast as a proxy.

This all sounds really good, as long as avast never ever have any sort of exploit in their code (Mozilla have many identified every year). In that case your security is toast as avast is in fact the sole arbiter of what is and is not a valid certificate, so all your encryption relies on avast and avast alone not having an issue.

Personally I think the reduction in overall security actually negates the benefit of the scanning.

Matt, I have no reason to trust Avast, Microsoft, Digicert, Mozilla, Google, or Donald Trumps friend Slob, the three hundred pound hacker sitting on his bed. Slob could send Digicert a check, for one day be the nicest person you will ever meet, and get a certificate. Know, I don't think Avast is a bad actor and like Mozilla sends out patches for bugs all the time. A security expert ( Steve Gibson ) who's Podcast I listen to said that some of the certificate authorities after the first contact never call again. Digicert is not one of them, by the way. As I said I don't know enough about the certificate back room to judge. In the certificate store in TB Avast has an entry for cal.net. If they are an authority then they are not auditing there flock. On the other hand neither is The USERTRUST network that certifies addons.mozilla.org who's cert expired in 2014. If Thunderbird is forcing me to use a TLS connection to my provider then I want to believe that my provide continues to send my mail TLS across the internet and that the receiving provider refuses to accept any mail that is not TLS. But what they do is out of my control. I can encrypt the body of my message but there is no method in place to do that without a key exchange. I can envision every email user being given a public and private key and the private key being stored on a provider sites. During negotiations my key is encrypted in the message and my provider reaches out for the recipients key which is delivered to TB. TB uses the two keys to encrypt the message and it gets sent. Lastpass has a method of keeping keys that they have no personal access to. If my recipient is not on line, no matter. when they download everything they need to decrypt is already in the message. All of the code in various forms is already on the net. Know, in all this I don't see a certificate involved. At some point I have to trust someone or I'll have to drive to the house. Is Avast intercepting my email? In so much as it scans it for malware I guess it is. Does my provider see an email coming from Avast and not me. Who knows? That might not be a bad thing. After all, proxies are set up to hide your identity from the internet. Mozilla finding exploits in Avast. In a Pwn2Own contest someone won $100 thousand cracking Mozilla in a few minutes. I'm not going to stop using FF. Experts find exploits all the time and the good guys need to work together to close the holes. The only server on the net Avast reaches out to from TB is my provider so that's the only cert involved in the case of TB. Does TB occasionally check for up-dated certs. Not to my knowledge and I have no idea how to force it to. As you said the root cause of my problem is not TB or my provider. We'll actually it is the provider. Avast did the right thing when it flagged the cal.net cert. Since trust is the issue and i trust my provider the cert isn't necessary. If I'm visiting a site unknown to me seeing a cert gives me a little reassurance. But I still need to be careful. Huffington post had an embedded with crypto locker that they were not aware of. They should have had Avast running on there site. Thanks for letting me vent. David

Is Avast intercepting my email?

Yes. And they have full visibility of everything you send and receive, including your email password.

Does my provider see an email coming from Avast and not me.

Avast is talking to the fastmail.com server, on behalf of Thunderbird.

Who knows? That might not be a bad thing.

To make such a statement you'll have to have a lot of faith in Avast. In your previous post you stated 'I have no reason to trust Avast' though.

Does TB occasionally check for up-dated certs.

CA certs Thunderbird trusts are kept up to date. Your email provider's cert is sent by the fastmail.com server (and any intermediate certificate in case it exists).

Not to my knowledge and I have no idea how to force it to.

What are you talking about?

Since trust is the issue and i trust my provider the cert isn't necessary.

Trust is indeed the issue. Without a cert how can you be certain the server you're connected to is indeed the server you think it is?

I'm visiting a site unknown to me seeing a cert gives me a little reassurance.

This is nonsense. When a server sends you a cert, Thunderbird (or Firefox) verifies whether it has been issued by a CA Thunderbird trusts. That confirms that you're indeed connected to the server you think you're, i.e. it authenticates the server. No more and no less. A cert doesn't tell anything about the reputation of a site. In other words, a server presenting a cert can still infect your computer with malware.

They should have had Avast running on there site.

OMG

christ1 said

The Avast cert is the "problem" in my case.

Indeed. I wish you'd have mentioned Avast earlier.

If my provider had a cert that was up to date the avast cert would, most likely, not have balked.

No. fastmail.com is a reputable email provider. As Matt already mentioned, there is no reason to suspect that there is anything wrong with the cert sent by the fastmail.com server.

I opened the Avast interface and followed there instructions to export and import there cert into Thunderbird.

What cert?

Within minutes the Avast warning screen showed up.

What warning?

Since I have no idea what else to do, I of course just made the exception.

Whenever you are asked to create an exception, something is wrong. Creating an exception isn't the solution, it is a workaround at best. https://support.mozilla.org/kb/add-security-exception

So loading the certificate from Avast causes my "problem".

The problem is that Avast is intercepting your secure connection to the fastmail.com server. Avast generates a cert on the fly and is presenting that to you as a cert for fastmail.com. Thunderbird detects that the cert hasn't been issued by a trusted CA and prompts you to create an exception. Also see https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_avast

This, most likely, because of my provider's out of date certificate.

No. I'm fairly certain the fastmail.com cert is fine.

I'm guessing that every time Avast up-dates itself, it installs it's certificate and once again I have to go through the process of eliminating it.

Sort of.

Since my provider is using STARTTLS it may be, in there view, that the cert is not important.

What in the world are you talking about?

Christ1, Your reply came in while I was composing my rant. These answers follow your sequence aproximately. By the way how do you install separate quotes like you have done? Fastmail.com is not my provider. It's cal.net. When I left out the part about Avast it was because I was absolutely positive it had nothing to do with Avast. Well, as we know know. I was wrong. OK, the plot thickens. MailShield.der is the Avast cert. I checked. I have three Certs from Cal.net two dated july 2015 the other 2016. The 2015 certs are in the certificate manager and the 2016 cert will not import. I tried to delete one of the 2015 certs and the message reads something like this; "Are you sure you want to delete these security exceptions". To me that's weird. I though these were security certificates not exceptions. The warning screen is from TB but it looks like a standard windows modal screen. Yes, it's a work around. I don't really care. When there is a mad bull in the road you tend to work around it. It's not a bull, but it's a problem I can't reason with. That's why tutorials get written. The old teach a man to fish idea. As to the STARTTLS, that is a guess. Teach a man to fish! I have to leave it at this for now. Please continue to respond as I want to get to the bottom of this. Thanks David

how do you install separate quotes like you have done?

blockqote

I have three Certs from Cal.net

No, you may have three certs for Cal.net issued by Avast. However, the cert(s) you should get are:

 > openssl s_client -connect mail.cal.net:993 </dev/null
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.cal.net
verify error:num=10:certificate has expired
notAfter=Jul 30 23:59:59 2016 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.cal.net
notAfter=Jul 30 23:59:59 2016 GMT
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.cal.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgIRAKw4xI+HY69pv4e6O8rFyrswDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUwNzMwMDAwMDAwWhcNMTYwNzMwMjM1OTU5WjBVMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHDAaBgNVBAsTE0NPTU9ETyBTU0wgV2ls
ZGNhcmQxEjAQBgNVBAMMCSouY2FsLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAM4yW6bPNe+02RBaLZk4omia++/DLZ/hM8CyOGVRHmW1w+TutDK2
xh6ufJDLrSrlqo1uy15eO/SRCJlqJshKm6xEMFe3EJh3XPRagvxpu0F7Sqmp7LXk
SuK2bG8uS1NENuOyu7RoLorArxbWJQjKAefLy4Hw2W0zlK+w6TIzTRdseu6wgNfz
TImBTUXK/7bsGn0O6iZNqfh+0d/pYUfVKOQVQe1uL+cRyDuPQo28lh8Nw55BTQXf
HBvxqcAs9c7kuWQi6zzkvYsBfLJPW2KHGwmEVDKZteVOhtWc2tgoJQ9kL+VqxnnZ
3cnHbKpSMoMNg0CMnvo/yqsZDTBTGuwdk88CAwEAAaOCAc8wggHLMB8GA1UdIwQY
MBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBRZOFxzWFGgQBgxLjwB
t9KJ3V5TTDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzAr
MCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZn
gQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBhQYI
KwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wHQYDVR0RBBYwFIIJ
Ki5jYWwubmV0ggdjYWwubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQBkKbM8U5Kt2NB4
TG4WmGlZEktzmI/wMuP5QD80Y/T/xYRmGLJ7mu56i0NqCBGG2/fptK1BCXlFFJT+
/yzsP93urdxkec0EGsNrWUd3eWfSTp4E6AQSG0aq239bVg24owzot9JR5xx4ofYJ
4z9+KfI1RG4UMHLIXu3LIjv5BsJ24hGkYRboibWatGhwBoorvZYDG6JA18t0Phpb
DjZ+emIo5cfS2aNuRt9d3GhuTRiUnExMx44VNP38OHICSBdau5QDxOwNJph7J4+k
g6Ro+vjueXm6YF74k4/+FOnHCFK7ovm3ynotrBQmO2+vxi2YnQvSiBjEfIwYY4lI
YN9ncnbu
END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.cal.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6229 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 8FEECB9944919FDA4823E859C769D2AABC2C3E9CB791B37406D64AECF30EDB0C
    Session-ID-ctx: 
    Master-Key: 909D8DF06FFF8C7A4DEED91071AA35EAF7197E6C5BB8CAE7D38AB188C63B7239915D853692459A651F205A45DE0AB3BB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a4 b7 b4 97 5e 3d 38 e6-0f 64 92 88 75 46 84 a5   ....^=8..d..uF..
    0010 - 3e 24 8d a7 84 b3 a8 9e-e5 5b e6 d2 22 d1 36 ca   >$.......[..".6.
    0020 - 48 9d 88 1f 70 e3 2e fc-5f 32 62 8f d8 e5 97 16   H...p..._2b.....
    0030 - 94 72 ae 09 09 e2 03 1a-25 5d cb 35 a4 73 5f 33   .r......%].5.s_3
    0040 - e5 6c be 6a ef b9 28 1e-58 ed d7 bd 42 d8 4d ae   .l.j..(.X...B.M.
    0050 - b6 76 c6 2f 25 27 2d 93-11 73 aa 50 28 dc 5f 31   .v./%'-..s.P(._1
    0060 - ec 87 5d a7 17 87 00 8a-fb d2 76 1c 73 cf 8b 93   ..].......v.s...
    0070 - 4c bd e8 ca 87 5b 62 78-ef 86 57 af 93 29 aa bc   L....[bx..W..)..
    0080 - 5f cc c8 84 d1 d6 71 01-bf dd 2f 5e 65 af 2a af   _.....q.../^e.*.
    0090 - 82 48 ee 33 48 51 ed 69-46 90 66 45 9d c0 68 81   .H.3HQ.iF.fE..h.

    Start Time: 1483728070
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
DONE

The bad news is, the cal.net cert has indeed expired. Therefore, as said before, find a new email provider.

</pre> No, you may have three certs for Cal.net issued by Avast. However, the cert(s) you should get are: </blockquote>

blockqote

Try opening the < blockquote > Like all HTML tags they are in pairs and the one without the / opens and the / closes

DavidSorge said

No, you may have three certs for Cal.net issued by Avast. However, the cert(s) you should get are:

The above is just practice. I have no clue how to use the "

blockqote

tag."

Try opening the < blockquote > Like all HTML tags they are in pairs and the one without the / opens and the / closes

Here goes!

Nope! I'll try it this way. < blockquote >

Try opening the < blockquote > Like all HTML tags they are in pairs and the one without the / opens and the / closes

< blockquote >

Nope! I'll try it this way. < blockquote >

Try opening the < blockquote > Like all HTML tags they are in pairs and the one without the / opens and the / closes

< /blockquote >

just remove the spaces and you will be there. If we do not put them in there you don't get to the the keyword, the forum software just tries to execute it.

Got it! Thanks Well this thing has gotten to be a bit overwhelming. So for the moment I'm going to call it. I got a fast Mail account and the same thing happened. So the quest for answers moves on to Avast. Thanks for All the help and sorry for all the trouble. Too bad Mozilla and Avast can't get together and work things out. David