Add Thunderbird security exception for self-signed SSL certificate

JacopoStanchi · Apr 7, 2020 · Viewed 9.8k times

I have created a self-signed SSL certificate using OpenSSL, and I added it to hMailServer, which is accessible in the private network. I used this certificate on ports 465 and 993 to run SMTP and IMAP respectively with SSL:

Then I restarted the server and added inbound and outbound firewall rules to allow connections to the ports opened by hMailServer. But when I try to connect to my mail server with SSL from another computer in the local network, it fails:

I strongly suspect that it's because Thunderbird doesn't allow self-signed certificates by default, because when I switch the "SSL" value back to "Autodetect" it finds the account settings fine, but only on "unencrypted" ports, i.e. 587 for SMTP and 143 for IMAP.

So now I want to add a security exception for my SSL certificate in Thunderbird in order to use it. I go to Thunderbird Preferences > Advanced > Certificates tab > Manage Certificates > Servers tab > Add exception and then type the IP and port of the SMTP (or IMAP) server that uses the SSL certificate, but it doesn't find it:

What did I do wrong? I followed this tutorial to add a new exception on Thunderbird. When I try to do openssl s_client -connect 192.168.1.15:465, I get an SSL certificate, but it's not the same as the one I imported in hMailServer, and I don't know if that's normal.

Thank you for your help.

Answer

JacopoStanchi · Apr 7, 2020

I think it is because of a stupid bug in Thunderbird. If we add the security exception directly in the certificate manager of Thunderbird, clicking on "Get Certificate" doesn't find the certificate.

How I got it working was by first connecting to a mail account on unencrypted ports (i.e. 587 for SMTP and 143 for IMAP):

Then, I switched the connection security in the account settings to "SSL/TLS" both for SMTP and IMAP:

Finally, I sent an email to a random recipient, and I got this alert:

I just clicked on the "Confirm security exception" button and it added the certificate correctly. What I was previously doing was clicking on "Get Certificate", and it lost the certificate so I couldn't add it.
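A check worth running before confirming such an exception, given that the question reports a served certificate different from the imported one. This is an added example, not part of the original post: it compares the SHA-256 fingerprint of the certificate a server presents with the one in a local PEM file. The function names, the sample bytes and the `server.crt` path are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    footer = "-----END CERTIFICATE-----"
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index(footer) + len(footer)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])


def served_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the certificate presented on an implicit-TLS port (465, 993).

    Chain validation is switched off only so that a self-signed certificate
    can be retrieved; trust is decided by the fingerprint comparison below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(expected_pem: str, served_der: bytes) -> dict:
    """Report whether the served certificate is the one in the local PEM."""
    expected = fingerprint(pem_to_der(expected_pem))
    served = fingerprint(served_der)
    return {"expected": expected, "served": served, "match": expected == served}


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
SAMPLE_DER = b"constructed-bytes-standing-in-for-the-imported-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
OTHER_DER = b"constructed-bytes-standing-in-for-a-different-certificate"

if __name__ == "__main__":
    print(compare(SAMPLE_PEM, SAMPLE_DER))  # same certificate
    print(compare(SAMPLE_PEM, OTHER_DER))   # server presents something else
    # Live use (hypothetical file path, address taken from the question):
    # compare(open("server.crt").read(), served_cert_der("192.168.1.15", 465))
```

The fingerprints are printed in the colon-separated form certificate viewers commonly show, so the "expected" value can also be compared by eye with the certificate offered in the exception dialog.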