Possible to deactivate certificate check?

[Markus-Go]

Prerequisites

• Tried the most recent nightly build
• Checked if your issue is already reported.

Is your feature request related to a problem?

My server is in a DMZ and listening on two hostnames (internal/ external). The SSL certificate is for the external hostname only. External connections to 4190 work well. Internal connections to 4190 fail due to wrong certificate (hostname). For IMAPS in TB I am able to accept the certificate and ignore the hostname error for internal connections. For the sieve plugin this does not work.

Describe the solution you'd like

I would like to be able to disable certificate/hostname checks for the sieve TB plugin

Describe alternatives you've considered

Additional context

[thsmi]

The webextensions as well as the app implement overriding certificate validation errors. Which makes your request confusing.

In case you connect to a server with a broken certificate you should see a dialog with the fingerprints as well as the validation details. When you accept the error and exception will be added to Thunderbird's cert store. After the exception was added you need to reconnect. Each exception is a unique combination of the certificate's fingerprint, the validation error as well as host and port. So in case you host changes or the validation error changes you will be prompted again.

What kind of error is displayed when you connect to your internal host?
Do you see such a Dialog notifying you about a broken certificate? Or is is just a generic connection error dialog?

Typically TLS connections should be verified on both sides. In case this feature is enabled on you server, it will reject your connection. And you endup with a connection error because the server disconnected the untrusted connection.

What happens if you connect with the standalone app? Do you see the same behavior? If so it is most likely due to your server configuration.

Further more the WebExtension always uses the mail account's host name. So in your scenario you would need to have an account for the external hostname as well as one for the internal hostname. Which also sounds a bit odd. Are you sure the correct hostname is used?

To really see what is happening logs are needed. How To enable and collect logs refer to the wiki page:
https://github.com/thsmi/sieve/wiki/FAQ---WebExtension#webextension-logging--debugging

[Markus-Go]

Thanks for your answer!
I tried to get more debug information on that.

First of all, I verified that my server setup is OK for internal use (I am using a Debian 10/Dovecot). Using
$ sieve-connect --server cubus --notlsverify -u myuser
I can connect and list my filters on the command line.

1. When using the standalone app, I can only see a "Connecting ..." without happening anything. On the server side, I see a timeout in the logs after a while:
   cubus dovecot: managesieve-login: Aborted login (no auth attempts in 192 secs): user=<>, rip=192.168.., lip=192.168.., TLS, session=

2. When using the Thunderbird webextension, it connects and disconnects immediately (I am sure, hostname is correct). No validation error is shown. The debug log is as follows:
   `[22:21:55.925 account1] Connecting to cubus:4190 ...
   [22:21:55.925 account1] Using Proxy: Direct
   [22:21:55.938 account1] Connected to cubus:4190 ...
   [22:21:55.939 account1] Server -> Client [Byte Array]
   [...]

[22:21:55.939 account1] Server -> Client
"IMPLEMENTATION" "Dovecot (Debian) Pigeonhole"

"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"

"NOTIFY" "mailto"

"SASL" ""

"STARTTLS"

"VERSION" "1.0"

OK "Dovecot (Debian) ready."

[22:21:55.942 account1] Client -> Server:
STARTTLS

[22:21:55.943 account1] Client -> Server [Byte Array]:
[...]
[22:21:55.944 account1] Server -> Client [Byte Array]
[...]
[22:21:55.945 account1] Server -> Client
OK "Begin TLS negotiation now."

[22:21:55.945 account1] Client -> Server:
CAPABILITY

[22:21:55.945 account1] Client -> Server [Byte Array]:
[...]
[22:21:55.951 account1] Disconnected from cubus:4190 with status 2153394164
[22:21:55.951 account1] Checking for certificate errors...
[22:21:55.951 account1] ... certificated considered bad (2153394164,2)
[22:21:55.952 account1] Disconnecting cubus:4190...
[22:21:55.952 account1] Disconnected ...
Error while validating Certificate SieveRequire.jsm:167
SieveException jar:file:////Thunderbird/Profiles/.default/extensions/sieve@mozdev.org.xpi!/modules/SieveRequire.jsm:167
SieveClientException jar:file:////Thunderbird/Profiles/.default/extensions/sieve@mozdev.org.xpi!/modules/SieveRequire.jsm:173
SieveCertValidationException jar:file:////Thunderbird/Profiles/.default/extensions/sieve@mozdev.org.xpi!/modules/SieveRequire.jsm:205
onStopRequest jar:file:////Thunderbird/Profiles/.default/extensions/sieve@mozdev.org.xpi!/modules/SieveRequire.jsm:606
uncaught exception: Unknown action script-show-certerror
[22:21:55.965 account1] Disconnecting cubus:4190...
`

[Markus-Go]

I was finally able to use the plugin with Thunderbird :o)

According to this post it is not possible to add certain certificate exceptions for Thunderbird any more (TB 78.4). Probably this is the reason why I am not seeing the security exception dialog. They were discussing about port 993 and I found out this holds true for port 4190 as well. I followed their workaround and did the following:

• Use the certificate on a webserver with SSL
• Manually add a TB certificate exception for that webserver using HTTPS port 443 (that works)
• Exit TB
• Edit the file C:\Users<pofile_name>\AppData\Roaming\Thunderbird\Profiles<profile_in_use>\Cert_Override.txt and change the port from 443 to 4190.
• Start Thunderbird and check that the correct exception for port 4190 exists now in the Certificate Manager.
• -> Plugin works!

[thsmi]

Thank for your research on this topic.

Sadly there seems to be more broken. The startTLS call behaves strange. It used to be blocking and trigger a signal as soon as the handshake completed. But now it seems as if it is neither blocking nor the signals are send. Which results in a race in case the certificate is bad. In the good case the cert info is populated before starttls call returns. Then overriding should work. In the bad case the cert info gets populated after the startts returns. Which makes overriding impossible.

The good news is, in case the cert validation is overwritten it will work reliable. And it is no security leak, as Thunderbird will disconnect the connection in any case. Furthermore the disconnect callback still contains the information about the broken cert. So it should be possible to have a workaround.