July 25, 2015 Work Around
If you like Mozilla’s email client Thunderbird you may have downloaded and applied the recent 38.1.0 update and suddenly had a problem with sending and receiving secure mail, known as SSL.
Well take heart, it’s not you. It’s a conflict between Tbird and your mail server. The problem lies in the detection of the authentication methods supported by the mail server. You can try to notify your mail host, but they may not respond to your note or do anything about the issue. So you’ll need a work around.
Even though this is a known issue, Mozilla says it’s not on their end. It’s in the default configuration of the email server installation. So there won’t be a Tbird fix coming down the pike.
There are a few different ways you might see this error:
- Cannot Fetch mail using IMAP and send mail using SMTP
- Authentication Method Not Detected
- An error occurred during a connection to mail host
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser, in this case Thunderbird’s mail browser. This link ensures that all data passed between the web server and browsers remain private and integral.
Part of this security is something called DHE (Diffie–Hellman) key exchange is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle.
Essentially the problem lie with the configuration of the DHE key in the mail server itself. Not your email client, but your email host server. The length of a DHE key must be 1023 bits or greater to work properly. However many mail server installation defaults set this key to 768 bits. When the connection fails, the error console will display a message: eMail servers use a default setting for DHE environments. But if System Engineers aren’t looking at the console, they may not ever see this, or may not know what the error is referring to.
You can try to notify your mail host about this issue and ask them to modify the key length, but there’s no guarantee their going to listen to you or do anything about it. If you’re a techie or a System Engineer, you’ll find a complete discussion about this issue on Bugzilla.
Thunderbird Work Around
You can implement a work around within your desktop Thunderbird client however. It will require you to manually edit the configuration, so you’ll have to be careful. But here’s a step by step process for implementing the change.
- Open Tbird
- Go to Tools and select Options
- Go to the Advanced section and then the General tab.
- At the bottom of this window you’ll see a button labeled “Config Editor…”, select it.
You’ll receive a soft warning message. Click the button that says you’ll be careful.
- The Config Editor will appear. In the search field, type security.ssl
The config window will take you to the security configurations.
- If you have the DHE strings, right click on the line and a small popup window will appear. Select Toggle to switch the value from true to false.
- If you don’t have all 4 of the dhe strings, you’ll need to add them. Inside the config window click your right mouse button and the same popup menu will appear. This time, select New and then String.
- You’ll be given another popup window where you need to add the string.
- Click ok, and Tbird will give you a window to add the value.
- Click the ok and add the next string the same way. Continue until all 4 strings are added. Then click ok until you back out to the General menu again.
- Close Tbird and then restart it. Test your SSL connection.
You’ll need to have the following strings to disable the DHE settings:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_rsa_des_ede3_sha
Unless you made a mistake or there’s another misconfiguration in your settings, this should fix the problem.
Good luck.
© 1997-2015 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.