Confirm security exception won't confirm certificate for non-matching site

  • 1 reply
  • 1 has this problem
  • 15 views
  • Last reply by Matt

Naturally, the "Confirm Security Exception" dialog comes up when I change the incoming email server from somename.com:993 to 192.168.0.1:993 for a self-hosted email instance. However, accepting the security exception does not cause mail to flow and the same exception dialog is presented the next time I manually fetch email.

It smells as if Thunderbird is not storing the exception relative to the address it used to contact the server, but may be storing the exception based only on the contents of the certificate: The certificate vended by the target server does not mention its private IP address (only somename.com and *.somename.com).

This situation arises when there are DNS issues or other problems requiring direct "by IP address" access to the server. Under such conditions it would be ideal to be able to fetch mail through the raw IP address, but it seems the security exception mechanism is disallowing this. The status on the Thunderbird window just stays on "Connected to <ip address>..." forever, and no mail comes.

Am I right about why this isn't working? If not, any ideas on how to make it work (short of modifying the certificate)? If it is not working for the reason I guessed, doesn't it make sense that it *should* work, and that Thunderbird should remember an exception to accept any arbitrary vended certificate for which a security exception has been confirmed, based on the target IP address?

All Replies (1)

The issue will be the self-signed certificate used. But then I fail to understand why you would even use encrypted connections to a self-hosted mail server. Surely you are confident that your local network is secure. That is after all the firewall's job, to keep outsiders out.
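
Added example, not part of the thread and not Thunderbird's code: a sketch of standard TLS name checking (RFC 6125 style) applied to the certificate described in the question, showing why a connection dialled as 192.168.0.1 is a name mismatch when the certificate lists only DNS names. The SAN list is constructed from the question's description, and the function names are hypothetical.

```python
import ipaddress

# Constructed SAN list modelled on the certificate described in the question.
SAN_ENTRIES = [("DNS", "somename.com"), ("DNS", "*.somename.com")]

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one non-empty label, never a bare parent domain.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def name_matches(target: str, san_entries) -> bool:
    """Return True if the address the client dialled is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets are compared only with iPAddress entries, never dNSName ones.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san_entries)
    return any(kind == "DNS" and _dns_match(value, target)
               for kind, value in san_entries)

def explain(target: str, san_entries) -> str:
    """One-line verdict for a dialled address against a SAN list."""
    ok = name_matches(target, san_entries)
    return f"{target}: {'match' if ok else 'MISMATCH (client must warn or fail)'}"

if __name__ == "__main__":
    for t in ("somename.com", "mail.somename.com", "a.b.somename.com", "192.168.0.1"):
        print(explain(t, SAN_ENTRIES))
    # Only an iPAddress SAN entry makes the by-IP connection verifiable.
    print(explain("192.168.0.1", SAN_ENTRIES + [("IP", "192.168.0.1")]))
```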