
Recently, after I installed updates on my Kubuntu 14.04 system and a new version of Thunderbird was installed, I could not send emails any more. It prompts:

Sending of message failed. The message could not be sent because the connection to SMTP server [..] was lost in the middle of the transaction. Try again or contact your network administrator.

Since I am the administrator of my mail server (exim) I checked the logs. Every time I try to send an email with Thunderbird it says:

TLS error on connection from [..] (gnutls_handshake): Could not negotiate a supported cipher suite.

That's odd. How could that happen out of the blue? I googled the problem, but other people with this message in the logs had something wrong with their certificate installation (too new algorithm or the like). But I did not change anything with my certificate and additionally it is still no problem to send mails with K-9 Mail from my android phone (which has the same TLS settings).

My Server runs Debian 7.6 with EXIM 4.80.

(In case it matters: My certificates are signed by CACert).

For now I downgraded thunderbird (sudo apt-get install thunderbird=1:24.4.0+build1-0ubuntu1). This worked, but is of course no permanent solution.

What is wrong and how can I fix it?

yankee
  • What ciphers do you have enabled on server-side? If the default ones, what are these defaults in your setup? And which one is the "new version of Thunderbird" that does not work? – sebix Jul 27 '14 at 19:49
  • @sebix: It's the defaults. How do I figure out what the defaults are? The "new" version is 31. – yankee Jul 28 '14 at 09:49
  • Have you updated the _server_ and checked the cipher suites in your exim configuration? – Michael Hampton Jul 31 '14 at 20:24
  • @MichaelHampton: I did not configure any cipher suites in my exim config, hoping that the guys that develop exim/gnutls have a better understanding of ssl than I do and choose good default. I could not figure out how to check what the defaults actually are. I did not update the server after updating thunderbird. However I made sure that I am running the most recent version from the debian repo. – yankee Aug 01 '14 at 07:30

3 Answers


Firefox and Thunderbird 31 removed support for weak cipher suites, therefore you are getting this error.

You need to update your server's SSL configuration according to this Mozilla wiki article.

A quote of the recommended backward compatible cipher suite string:

  • Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  • Versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
  • RSA key size: 2048
  • DH Parameter size: 1024
  • Elliptic curves: secp256r1, secp384r1, secp521r1

You should be able to specify the ciphers with tls_require_ciphers directive. It should accept the Ciphersuite string from above.

Tero Kilkanen
  • How do I configure those with exim4 and GNU TLS? I figured that there is the `tls_require_ciphers` option in exim, but the manual says that it is just a "priority string" and that sounds like I just set which ciphers are preferred but not which are supported. – yankee Jul 28 '14 at 09:51
  • See updated answer. – Tero Kilkanen Jul 28 '14 at 12:24
  • Isn't GnuTLS prioritizing secure ciphers by default? – sebix Jul 28 '14 at 12:38
  • @TeroKilkanen: I tried that, but I get the following error (I shortend it): `tls_require_ciphers invalid: gnutls_priority_init(ECDHE-RSA-AES128-GCM-SHA256:[..]:!MD5:!PSK) failed at offset 0, "ECDHE-RS.." failed: The request is invalid.` – yankee Jul 29 '14 at 12:57
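The question asks how to find out which cipher suites the server actually accepts, and the answer above proposes fixing the list with tls_require_ciphers; the last comment shows that Exim built against GnuTLS rejects the OpenSSL-style string, because with GnuTLS that option is a GnuTLS priority string. Whatever string you end up with, you will want to verify the result from the client side. The script below is an added example, not code from the question, the answers or Exim: it performs the same EHLO / STARTTLS exchange Thunderbird does, but restricts each handshake to one OpenSSL-style cipher name, so the output shows exactly which suites the server negotiates and which it refuses. The host, port and probe list are assumptions; the RC4 entry is there only to confirm that the server refuses a suite Thunderbird 31 no longer offers.

```python
"""Probe which STARTTLS cipher suites an SMTP server will actually negotiate.

Added example, not part of the original question or answers. Host, port and
the suite list are assumptions; run it only against a server you administer.
"""
import socket
import ssl
import sys

# Constructed probe list: GCM/ECDHE suites Thunderbird 31 still offers, the CBC
# suites Mozilla's backward-compatible list keeps, and RC4-SHA, which
# Thunderbird 31 dropped and a correctly configured server should refuse.
PROBE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
]


def reply_complete(data):
    """True once `data` holds a whole SMTP reply: the last CRLF-terminated line is 'NNN text'."""
    if not data.endswith(b"\r\n"):
        return False
    last = data.rstrip(b"\r\n").split(b"\r\n")[-1]
    return len(last) >= 4 and last[3:4] == b" "


def parse_smtp_reply(text):
    """Split a raw reply into (code, [lines]), handling the multi-line '250-' form."""
    lines = text.rstrip("\r\n").split("\r\n")
    code = int(lines[0][:3])
    return code, [line[4:] for line in lines]


def advertises_starttls(ehlo_reply):
    """True if the EHLO reply is 250 and lists the STARTTLS extension."""
    code, lines = parse_smtp_reply(ehlo_reply)
    return code == 250 and any(line.strip().upper() == "STARTTLS" for line in lines)


def recv_reply(sock):
    """Read one full SMTP reply from the socket and return it as text."""
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
    return buf.decode("ascii", errors="replace")


def probe_cipher(host, port, cipher, timeout=10.0):
    """Return the suite the server negotiated when offered only `cipher`, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # we are probing suites, not the chain
    if hasattr(ssl, "TLSVersion"):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 ignores set_ciphers()
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None                            # local OpenSSL no longer builds this suite
    with socket.create_connection((host, port), timeout=timeout) as sock:
        recv_reply(sock)                       # 220 banner
        sock.sendall(b"EHLO probe.invalid\r\n")
        if not advertises_starttls(recv_reply(sock)):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = parse_smtp_reply(recv_reply(sock))
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except (ssl.SSLError, ConnectionError):
            return None                        # handshake failed: suite not accepted
        negotiated = tls.cipher()[0]
        tls.sendall(b"QUIT\r\n")
        return negotiated


def probe_all(host, port, suites=PROBE_SUITES):
    """Map each probed suite name to the negotiated suite, or None if refused."""
    return {suite: probe_cipher(host, port, suite) for suite in suites}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"   # assumed host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587              # assumed submission port
    for suite, result in probe_all(host, port).items():
        print("%-30s %s" % (suite, result or "rejected"))
```

Run it as `python3 probe.py mail.example.org 587` before and after changing tls_require_ciphers. A server that matches Thunderbird 31 should negotiate the ECDHE/DHE GCM suites and refuse RC4-SHA; if only AES128-SHA or DES-CBC3-SHA succeed, the server is still limited to the older suites and the handshake error in the Exim log is expected. Certificate verification is disabled on purpose here (the CACert-signed chain is a separate question from suite support); a suite the local OpenSSL build no longer knows is reported as rejected as well.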

As you can read here http://kb.mozillazine.org/Security.tls.version.*, Thunderbird with Security.tls.version.max set to 2 or 3 will not fall back to lower settings.

Even if you configure Exim 4.80 with the tls_require_ciphers as mentioned above, it will not offer ECDHE in first place (at least that's what I've read somewhere, so believe this with care). Maybe this also is a certificate issue and renewing it with different settings could help, too.

So to have Thunderbird behave as before, go to the configuration editor (Preferences -> Advanced -> Config Editor (Button)), search for tls, then change security.tls.version.max to 1 and it should work again.

Tim Drub

I have no idea what the problem was, but it must have to do with my certificates after all. I just regenerated the certificates, again using the CSR script from CACert. To my knowledge I did not do anything different than the last time I generated my certificates. But with my fresh certificates everything works like a charm again.

yankee