We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Using StartTLS with IMAP connection to Exchange is giving me different certificates for machines different to the IMAP server, security exception each time

  • 3 réponses
  • 1 a ce problème
  • 16 vues
  • Dernière réponse par Matt

more options

I'm using Thunderbird with my work email account, which is using Exchange, this is not officially supported but access is allowed via IMAP.

The problem is when I'm using StartTLS or SSL I'm getting multiple different self signed certificates being returned, seeming depending on which specific backend server is handling the request, each time it causes the Confirm Security Exception dialog to be displayed. If I confirm the exception I get the dialog being displayed again until eventually I get a certificate that seems to match the first certificate I confirmed, at which point I can download or send my pending mail.

Thus is seems that there is only one certificate being stored as an exception for each server connection. Is there some way round this?

Thanks.

I'm using Thunderbird with my work email account, which is using Exchange, this is not officially supported but access is allowed via IMAP. The problem is when I'm using StartTLS or SSL I'm getting multiple different self signed certificates being returned, seeming depending on which specific backend server is handling the request, each time it causes the Confirm Security Exception dialog to be displayed. If I confirm the exception I get the dialog being displayed again until eventually I get a certificate that seems to match the first certificate I confirmed, at which point I can download or send my pending mail. Thus is seems that there is only one certificate being stored as an exception for each server connection. Is there some way round this? Thanks.

Toutes les réponses (3)

more options

What is the reason for the exception prompt in the first place?

more options

This the output from the error console:

Timestamp: 06/03/2015 10:51:46 Error: YYYYYY.XXXX.com:143 uses an invalid security certificate.

The certificate is not trusted because it is self-signed. The certificate is only valid for the following names:

 HQ-X10PRDCAS6, HQ-X10PRDCAS6.ZZZ.XXXX.com  

(Error code: sec_error_unknown_issuer)

This gets repeated several times until eventually the connection works and I can send and receive mail for a while until it starts again.

Note that I have a root certificate and an issuing certificate from my company installed in my Thunderbird certificate store, but this doesn't seem to help.

Also in the Thunderbird certificate store I also see:

HQ-X10PRDCAS5 YYYYYY.XXXX.COM:143 permanent 11/11/2019

Which seems to be one of the certificates above, however it seems Thunderbird will only allow one certificate per server connection, which perhaps might be relevant.

Note that I'm using Thunderbird 31.5.0 On Mac OS X 10.10.2 (Yosemite)

more options

Your employer, like many companies who have invested huge amounts of money in software from Microsoft are using self signed certificates to save a few dollars.

Personally I love the way companies will give Microsoft half a million dollars for software licenses and then skimp on the last point one percent of the expense and save a few bucks issuing their own self signed certificates that only they trust.

It is also questionable if your corporate tech people actually understand clustering if they are giving a separate certificate to each server. But none of that help you.

Given port 143 is actually designated for IMAP without security, I would suggest turning off the TLS and/or try port 993 which is the designated port for TLS. It might be the server admin only set up proper certificates for the TLS port.

Please view the details of the certificates and note the issuer shown. My guess in one of these corp you have in your store and the rest for some slight variation of spelling or name, thus breaking the actual chain of trust.