- Did you check View > Message Body As > Original HTML, as well as View > Display Attachments Inline? - Do you see web content at all in Help > What’s new, or Tools > Add-ons > Get more add-ons ? - Did you check Options > Privacy > Allow remote content in messages ? - What happens if you add a domain from an image (use right-click to copy the URL) to Options > Privacy > Exceptions in that Mail content section (to allow it)? Does it override?

Hi thanks for trying to help, To answer your questions

- Did you check View > Message Body As > Original HTML, as well as View > Display Attachments Inline? They're set up like as you recommend and images don't show up

- Do you see web content at all in Help > What’s new, or Tools > Add-ons > Get more add-ons ? Yes I see content normally

- Did you check Options > Privacy > Allow remote content in messages ? Yes I did but it didn't help

- What happens if you add a domain from an image (use right-click to copy the URL) to Options > Privacy > Exceptions in that Mail content section (to allow it)? Does it override? I added the domains, the full url path to the image as well as the <from> mail address domain to the exception list to test but it didn't help either.

Thank you for answering the questions.

- Could you copy the Mail Start Page URL in Options > General elsewhere and replace it by a non-working image URL to see if that opens up in the pane when selecting Go > Mail Start Page (or pressing alt-Home)? - Are you using any antivirus products and if so, which one? You could have a look here for common issues and culprits with regard to SSL or just blocking images.

Did you also read the Signatures article for the proper way to include remote images in HTML? This may not apply to the issue since it happens with other email, but can serve for proper testing.

I thought about Kaspersky first too but it's not it. I completely exited it and even uninstalled it once to test and it doesn't help. The Mail Start Page won't load either with the URL. The problem also occurs if I just use Insert -> Image and paste the image url in the text box. No preview is shown.

But I think I've narrowed it down to ssl certificates in shared hosting environments only after I did a bit more digging but I can't really identify why thunderbird fails to get the certificate but other clients can. When trying to manually add the certificate this is what I get in console.

Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109" data: no] Source File: chrome://pippki/content/exceptionDialog.js Line: 115

I think it's related to SNI. Do you happen to know if thunderbird supports SNI for images?

I'm trying to include some embedded images for my signatures including a logo from an https:// image url however they're not showing up in thunderbird. The problem also occurs if I just use Insert -> Image and paste the image url in the text box. No preview is shown.

I would recommend that you save the image in folder on your computer first. I have a folder set up to keep all of the signature bumf in one location. In 'Documents', I created a folder called 'Signatures'. This folder contains any images I use in my signatures and also the signature.html files which are used by Thunderbird. Then the image is not remote content, so at least the signature should work.

Info below on creating signature with image. How to create signature with image.

• click on 'Write' to open new write message
• Select all required formatting even if already auto selected by default settings.
• Type signature eg: Regards and name
• 'Insert' > 'Image'
• Select: 'Attach this image to the message'
• click on 'Choose file' button
• locate an image you created that has been saved in a folder on your computer eg: Documents\Signature Folder - not saved in any Thunderbird folder.
• Click on 'Open' - Image should be shown in the small 'Image preview' box.
• Select: 'Don't use alternate text' or type in 'alternate text'

Adjust the dimensions of image to suit

• Click on 'Dimensions' tab
• Select: 'Custom size' and 'Constrain'
• Change width to eg: 200 pixels - Height is auto adjusted

Option to Set image to be a clickable link:

• Click on 'Link' tab
• Enter url: eg: http://www.anje.co.uk

• Click on 'OK' to insert the image.

• Save the file to a folder on computer. You will need to select "HTML Files" in the "Save as type" list box. It must be saved as HTML file.
• Close the Write window.

Attach the HTML signture file:

• Tools > Account Settings of mail account
• Select ; 'Attach the signature frm a file instead'
• Click on 'Choose' button
• locate the html signature file and click on 'Open'
• Click on 'OK'

Open new Write message and signature should be visible.

Does this get the signature issue resolved?

I’m afraid it’s a certificate issue allright, and not limited to signatures. The content such as What’s new is http, so no issue. You could also use the Error console to test for https content in a tab by entering the following:

Components.classes['@mozilla.org/appshell/window-mediator;1'].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('mail:3pane').document.getElementById('tabmail').openTab('contentTab',{contentPage:'https://www.mozilla.org/media/img/sandstone/header-mozilla-stone.5a157cb2c70c.png'})

… or use a page URL instead, but I think it won’t work either, where it probably does for http. Does it display another error message though?

I can’t tell about SNI, sorry.

- How did you manually install the certificate, and which one? - Did you try disabling scanning encrypted connections in Kaspersky as described here when it was installed? - Did you try deleting cert8.db in the profile folder after uninstalling Kaspersky to let it rebuild when TB starts, i.o.w allow TB to use its own certificate store again?

@Toad-Hall

Hi, thanks for the input I hadn't tried it because I assumed it would work OK. I just tested and attaching the images from a local folder works so I can use that for the signature. I wouldn't want to do it for every single image in every message though because then the message sizes would increase too much.

@Tonnes -Did you try disabling scanning encrypted connections in Kaspersky as described here when it was installed?

Yes that was the first thing I did since I got Kaspersky because it gives warnings for self-signed certificates and it was really annoying. I also deleted cert8.db and cert_override.txt from my profile folder Also tested in a new clean profile.

- How did you manually install the certificate, and which one?

I added it by going to Tools->Options -> Advanced -> View Certificates -> Servers -> Import and I imported the .pem certificate for the website.

The piece of code

Components.classes['@mozilla.org/appshell/window-mediator;1'].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('mail:3pane').document.getElementById('tabmail').openTab('contentTab',{contentPage:'https://www.mozilla.org/media/img/sandstone/header-mozilla-stone.5a157cb2c70c.png'})

worked but it didn't work for example for

https://goo.gl/eb8geI

---EDIT-- PS: I forgot to add that no errors occur when using the code to open a new tab only a [Object Object] informational message

I rechecked opening in new tab with the code you suggested and I did get an error after all but only after I closed the tab. That's why I didn't notice it earlier sorry.

Error: [Exception... "Unexpected error"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters/utils/markup.js :: CanvasFrameAnonymousContentHelper.prototype._insert :: line 236"  data: no]: CanvasFrameAnonymousContentHelper.prototype._insert@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters/utils/markup.js:236:21
CanvasFrameAnonymousContentHelper.prototype._onNavigate@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters/utils/markup.js:242:7
EventEmitter_emit@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/event-emitter.js:147:11
HighlighterEnvironment.prototype.relayTabActorNavigate@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters.js:655:5
emitOnObject@resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/event/core.js:112:9
emit@resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/event/core.js:89:38
TabActor.prototype._navigate@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webbrowser.js:1776:1
DebuggerProgressListener.prototype.onStateChange<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webbrowser.js:2242:7
makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js:87:14

Source File: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/event-emitter.js
Line: 152

Does this image display in your Thunderbird? If not; Select another message Open the error console and clear it. Select this mail. What messages appear in the error console?

No, it didn't appear unfortunately. Doing as you said gave me only this error. I've also attached what I saw in the mail.

Error: uncaught exception: 2147746065 Source File: resource:///modules/activity/autosync.js Line: 210

Beware not to get distracted by side effects - it seems you can expect the above error for other reasons. I would try to focus on (any) https content getting loaded.

- What Thunderbird version are you using? That may sound like an odd question, but if it is a nightly version, expect the image above or other https content on that domain not to be loaded since the current nightly version will distrust Startcom certificates used by the website hosting it. Perhaps you may want to notify the owner or fix that yourself. However, you should be able to see the Mozilla image in the URL supplied, and get a certificate warning for the one above.

- Above you wrote the tab content worked for the given Mozilla image (correct?), and "no errors occur when using the code to open a new tab". Did you only try the image using the goo.gl URL afterwards, or also try an https page URL, and if not, can you load that instead of an image? You could try https://www.mozilla.org (as intended above by "or use a page URL instead" - I expect to see a different error. In other words, did you test with other https domains than the yfantidis domain at all?

- (^ In case you didn’t:) I presume you have run a test at SSLlabs? It seems to look fine, though there is a small complaint about a 2nd certificate, as well as the remark about SNI. However I do think SNI supported by Thunderbird.

- I’m not sure if importing the website’s .pem certificate is the right way to overcome this, but please make sure only the default store (cert8.db) is used for now.

- Don’t you exprience any issues in Firefox?

- Could you open about:config (Options > Advanced > General tab > Config Editor), enter ssl and verify that all preference names other than mail.smtpserver.smtpn.try_ssl are set to default, i.e. not display as bold?

- Since some issues related to security/SSL can originate from modems and/or routers, did or could you try to reset them?

- Please have a look at this and this mozillaZine KB article and see if there is anything new that could apply and did not come up here yet.

Thank you for the detailed info. I'll try my best to provide info and also what I've also noticed when trying to debug.

- What Thunderbird version are you using? That may sound like an odd question, but if it is a nightly version, expect the image above or other https content on that domain not to be loaded since the current nightly version will distrust Startcom certificates used by the website hosting it. Perhaps you may want to notify the owner or fix that yourself. However, you should be able to see the Mozilla image in the URL supplied, and get a certificate warning for the one above.

For the record this happens with Comodo, Let's Encrypt and Startcom certificates as far as I can test for the sites I manage. So I don't think it's related to the Startcom authority. I'm using 45.5.0 version 32 bit thunderbird.

- Above you wrote the tab content worked for the given Mozilla image (correct?), and "no errors occur when using the code to open a new tab". Did you only try the image using the goo.gl URL afterwards, or also try an https page URL, and if not, can you load that instead of an image? You could try https://www.mozilla.org (as intended above by "or use a page URL instead" - I expect to see a different error. In other words, did you test with other https domains than the yfantidis domain at all?

To further avoid confusion I always test too using the real https links and not redirections. I only shortened the url for simplicity on the forum and also I test on other similar URLs too. This was just a test case. Unfortunately the error logs aren't really any different that what I mentioned in my original post. Mozilla and Microsoft for example work on HTTPS without producing errors. These images sometimes produce the error I mentioned earlier but on the other tests I saw nothing different.

- (^ In case you didn’t:) I presume you have run a test at SSLlabs? It seems to look fine, though there is a small complaint about a 2nd certificate, as well as the remark about SNI. However I do think SNI supported by Thunderbird.

Hehe yes that's why I'm puzzled. SNI error is to be expected in shared hosting environments no matter what setup you use because of the way SSL Handshake is performed and SNI compatible browsers should never reach that certificate which is the server certificate. However non SNI browsers will always get that certificate to initiate HTTPS connections and it's really unavoidable in shared hosting environments. That second certificate is self-signed when the server OS with Plesk installed and it's used in non-sni browser cases. I don't even know if there's a way to replace it. I'm sure if it was the reason for everything PLESK wouldn't install it in the first place or it would bring out a warning about it.

- I’m not sure if importing the website’s .pem certificate is the right way to overcome this, but please make sure only the default store (cert8.db) is used for now.

It was a desperate attempt :) I 've reset everything back to a fresh install of Thunderbird to test. I've actually installed a fresh thunderbird on a fresh virtual machine runnning windows 10 too to test it.

- Don’t you exprience any issues in Firefox? From what I tested absolutely no errors on normal firefox, edge, chrome, firefox developer edition, waterfox, windows safari, android 6 browser, android 4.4 browser, ios 10, ios 9.3 email app and safari, gmail apps, gmail itself, yahoo mail, outlook 2013,2016. It's really amazing only thunderbird stumbles with it and it's the first time I ever see it happening. Usually outlook is the culprit hehe.

- Could you open about:config (Options > Advanced > General tab > Config Editor), enter ssl and verify that all preference names other than mail.smtpserver.smtpn.try_ssl are set to default, i.e. not display as bold?

Everything seems to be default. Only mail.smtpserver.smtpn.try_ssl records are bold.

- Since some issues related to security/SSL can originate from modems and/or routers, did or could you try to reset them?

Yes I have reset it a couple times.

- Please have a look at this and this mozillaZine KB article and see if there is anything new that could apply and did not come up here yet.

I'll look those up in the next days and see if there's anything I missed and get back to you on that point.

In the meantime I've found some other very interesting info too while trying to remotely debug thunderbird at function checkcert() there is an exception that is logged.

//mozilla/security/manager/pki/resources/content/exceptionDialog.js:109
 var req = new XMLHttpRequest();
  try {
    if(uri) {
      req.open('GET', uri.prePath, false);
      req.channel.notificationCallbacks = new badCertListener();
      req.send(null);
    }
  } catch (e) {
    // We *expect* exceptions if there are problems with the certificate
    // presented by the site.  Log it, just in case, but we can proceed here,
    // with appropriate sanity checks
    Components.utils.reportError("Attempted to connect to a site with a bad certificate in the add exception dialog. " +
                                 "This results in a (mostly harmless) exception being thrown. " +
                                 "Logged for information purposes only: " + e);
  } finally {
    gChecking = false;
  }

This exception is triggered but I'm wondering why Thunderbird is checking for remote certs using XMLHttpRequest(). Isn't that function subject to same origin policy restrictions to avoid XSS attacks? Could it be for some reason it's failing due to that? I'm thinking this is the real culprit. Do you know if there Is a developer forum maybe to post this as a possible bug to investigate?

Thanks for your elaborate replies.

As I understand remote images from https://www.mozilla.org do work, the issue is most likely site / certificate related. Agree?

To cut it short: I think the issue goes beyond my expertise so I wanted to point you to bug 626988 where some discussion about remote content took place recently, although that bug is more about managing permissions. However, I also found bug 812796 and bug 1007646. Can you see if that last bug in particular applies to your issue? Note that a lacking certificate error message is mentioned there - even though the console does show a clear one in that case as opposed to yours - as well as the way to add an exception and hence work around and/or confirm it. For info: if I try to create an exception for your domain, Thunderbird says the site provides valid, verified identification and there is no need to add an exception.

Feel free to comment in one of those bugs or file a new one in Bugzilla if you think that’s better. I couldn’t manage to get a reply from developers about the issue so far, but Bugzilla should be the best place. Please keep in mind that in order to have a bug confirmed, steps for reproducing are required in general. That means your system setup has to be known, and if possible, what makes things work, even if it was another OS, network connection or even ISP. That could be seen as fixing your own bug, but you’ll probably get the idea. ;)

Hi,

when I posted this I was hoping mostly it would be something people have encountered in the past and there was a quick fix :) Now I've started to feel this is a new bug unfortunately so I'll probably try to create a concrete bug report for bugzilla.

Bug 1007646 was a really interesting find. I tried to add an exception like that person did and this is where I hit this exception

Timestamp: 5/12/2016 5:07:08 μμ
Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109"  data: no]
Source File: chrome://pippki/content/exceptionDialog.js
Line: 115

Which interestingly enough is caused by the same piece of code I saw when debugging for the images loading.

It seems to be site/server related indeed but it also seems to be a bug in thunderbird regarding this configuration since it works pretty much everywhere else.

In any case thank you for your assistance and ideas.