• Re: Thunderbird imap certificates

    From [email protected]@21:1/5 to Dima on Sat Dec 14 10:20:01 2024
    On Sat, Dec 14, 2024 at 02:09:30PM +0700, Dima wrote:
    > Hello!
    >
    > My system:
    > Debian: Debian GNU/Linux 12 (bookworm) x86_64
    > Thunderbird: Thunderbird 128.4.3esr
    > Using VPN via SOCKS5
    >
    > Got a message notification pop-up "Certificate for imap.google.com does not come from the trusted source." with a button "activate".

    Hm. I can't even resolve a host "imap.google.com". Perhaps the host name should be different?

    Cheers
    --
    t


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Roberto C. Sánchez@21:1/5 to Dima on Sat Dec 14 15:20:01 2024
    On Sat, Dec 14, 2024 at 02:09:30PM +0700, Dima wrote:
    > Hello!
    >
    > My system:
    > Debian: Debian GNU/Linux 12 (bookworm) x86_64
    > Thunderbird: Thunderbird 128.4.3esr
    > Using VPN via SOCKS5
    >
    > Got a message notification pop-up "Certificate for imap.google.com does not come from the trusted source." with a button "activate".
    >
    > I did not press the button. Turn off and turn on the Thunderbird, then found
    > a certificates modal window in preferences, but that did not give me a lot of information, many many certificates from different servers.
    >
    > Give me advice how to:
    >
    > - View a log. Maybe there is a log in Thunderbird or in systemd, and I can identify that issue, found certificate that blamed.
    > - How to avoid such kind of problems?
    > - How to get rid of that certificate in case of accident clicking "activate" button. What to do next, to save the security of the mail.

    Check with your VPN provider. It sounds like your VPN might be proxying
    SSL traffic, in which case you will need to trust their certificate.
    That will allow the proxy on the VPN to intercept your SSL traffic,
    perform whatever filtering the organization's policy requires, and then
    pass it on to the destination.

    Does the same sort of prompt appear when attempting to view a web page
    over HTTPS?

    If that is what is going on, most likely a self-signed certificate is
    being used and you would need to explicitly trust the certificate.

    Regards,

    -Roberto

    --
    Roberto C. Sánchez

  • From Paul Duncan@21:1/5 to Max Nikulin on Sun Dec 15 09:00:01 2024
    Looks like imap.gmail.com should be the one.

    Paul.

    On Sat, 14 Dec 2024 at 15:05, Max Nikulin <[email protected]> wrote:

    > On 14/12/2024 14:09, Dima wrote:
    > > Using VPN via SOCKS5
    > >
    > > Got a message notification pop-up "Certificate for imap.google.com does
    > > not come from the trusted source." with a button "activate".
    >
    > Likely imap.googlemail.com
    >
    > For HTTP, providers sometimes use "captive portal" to request user authentication or to show some notification. For TLS it causes an error.
    > I have no idea if some party (VPN provider? Proxy authentication?
    > Incorrect VPN configuration?) may use it for IMAP.
    >
    > In some cases server does not send an intermediate certificate in
    > signing chain (browser on administrator's computer acquired it from
    > other site, so they are unaware of the issue), but I would not expect it
    > from Google.
    >
    > A tool to debug issues is "openssl s_client"
    >
    > > - View a log. Maybe there is a log in Thunderbird or in systemd, and I
    > > can identify that issue, found certificate that blamed.
    >
    > Thunderbird has console [Ctrl+Shift+J], but usually logs (and their persistence) should be enabled in advance.
    >
    > Maybe certificate management is better documented for Firefox.



    --


    *Paul Duncan*

    Marine Technician, RV Falkor(too)

    SCHMIDT OCEAN INSTITUTE

    mobile +1 650 387 4151

    VOIP +1 954 672 4943

    www.schmidtocean.org



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
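
The `openssl s_client` check suggested in the thread, as an added example (not code from any of the posters): a shell function that reduces s_client output to the verification code and the leaf certificate's issuer, which separates the cases discussed above (a proxy presenting its own CA, a missing intermediate, a host that never answers). The function name, verdict labels and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read on stdin.

triage_s_client() {
    awk '
        /^subject=/ && !s { subject = substr($0, 9); s = 1 }
        /^issuer=/  && !i { issuer  = substr($0, 8); i = 1 }
        # The line can appear more than once (session tickets); keep the first.
        /Verify return code:/ && !seen {
            sub(/.*Verify return code: */, ""); code = $1 + 0; seen = 1
        }
        END {
            if (!seen)                         verdict = "no-handshake"
            else if (code == 0)                verdict = "chain-ok"
            else if (code == 18 || code == 19) verdict = "self-signed"    # private or intercepting CA
            else if (code == 20 || code == 21) verdict = "issuer-missing" # intermediate not sent or CA untrusted
            else                               verdict = "other"
            printf "verdict=%s code=%s\nsubject=%s\nissuer=%s\n",
                   verdict, (seen ? code : "-"), subject, issuer
        }'
}

# Constructed transcript, not captured from a real server.
# $1 = verify code, $2 = reason text, $3 = issuer DN (all made up here)
sample_transcript() {
    cat <<EOF
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = imap.gmail.com
   i:$3
---
subject=CN = imap.gmail.com
issuer=$3
---
    Verify return code: $1 ($2)
---
    Verify return code: $1 ($2)
EOF
}

# Offline demonstration on the constructed transcript:
sample_transcript 19 "self-signed certificate in certificate chain" \
    "CN = Example VPN Inspection CA" | triage_s_client

# Live check (needs network; run over the same path Thunderbird uses):
#   openssl s_client -connect imap.gmail.com:993 -servername imap.gmail.com \
#       </dev/null 2>&1 | triage_s_client
```

OpenSSL verifies against the system CA bundle while Thunderbird keeps its own certificate store, so `chain-ok` here alongside a warning in Thunderbird points at the client's store or at a different network path rather than at the server.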